IMP(6.2.2,6.2.3,6.2.4): add purposely failing tests

bin/hardening/6.2.3_remove_legacy_shadow_entries.sh

@@ -21,7 +21,7 @@ RESULT=''
 audit () {
     info "Checking if accounts have a legacy password entry"
     if $SUDO_CMD grep '^+:' $FILE -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$($SUDO_CMD grep '^+:' $FILE)
         crit "Some accounts have a legacy password entry"
         crit $RESULT
     else

tests/hardening/6.2.2_remove_legacy_passwd_entries.sh

@@ -6,5 +6,26 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcpasswduser"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy password entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid password entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    groupdel $test_user
+    useradd $test_user
+    userdel $test_user
 }

tests/hardening/6.2.3_remove_legacy_shadow_entries.sh

@@ -6,5 +6,25 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcshadowusr"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy password entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid password entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    userdel $test_user
+
 }

tests/hardening/6.2.4_remove_legacy_group_entries.sh

@@ -6,5 +6,24 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcgroupuser"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy group entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid group entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    userdel $test_user
 }