elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-22 02:33:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Replace CIS_ROOT_DIR by a more flexible system (#204)

Browse Source 
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
This commit is contained in:
P-EB
2023-09-25 14:24:01 +02:00
committed by GitHub
parent 5370ec2ef6
commit 32886d3a3d
493 changed files with 2060 additions and 2056 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.3_disable_hfs.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.5_disable_squashfs.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.6_disable_udf.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.7_restrict_fat.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.1.8_disable_cramfs.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################

2
tests/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.11.1_var_log_noexec.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.11.2_var_log_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.11.3_var_log_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.11_var_log_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.12.1_var_log_audit_noexec.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.12.2_var_log_audit_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.12.3_var_log_audit_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.13_home_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.14.1_home_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.14_home_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

6
tests/hardening/1.1.15_run_shm_nodev.sh
View File

@ -4,19 +4,19 @@ test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
ln -s /dev/shm /run/shm
describe Partition symlink
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
rm /run/shm

6
tests/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -4,19 +4,19 @@ test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
ln -s /dev/shm /run/shm
describe Partition symlink
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
rm /run/shm

6
tests/hardening/1.1.17_run_shm_noexec.sh
View File

@ -4,19 +4,19 @@ test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
ln -s /dev/shm /run/shm
describe Partition symlink
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo "dummy entry" >>/etc/fstab
describe Fstab with a real entry to match runtime partitions
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
rm /run/shm

2
tests/hardening/1.1.18_removable_device_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.20_removable_device_noexec.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

18
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -3,9 +3,9 @@
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
"${CIS_CHECKS_DIR}/${script}.sh" || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
mkdir /home/secaudit/exception
chmod 777 /home/secaudit/exception
@ -13,7 +13,7 @@ test_audit() {
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
@ -21,21 +21,21 @@ test_audit() {
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

2
tests/hardening/1.1.22_disable_automounting.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.23_disable_usb_storage.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.2_tmp_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.3_tmp_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.4_tmp_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.5_tmp_noexec.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.6.1_var_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.6.2_var_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.6_var_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.7_var_tmp_partition.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

8
tests/hardening/1.3.1_install_sudo.sh
View File

@ -5,14 +5,14 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "sudo is installed"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

8
tests/hardening/1.3.2_pty_sudo.sh
View File

@ -5,14 +5,14 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "Defaults use_pty found in sudoers file"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

8
tests/hardening/1.3.3_logfile_sudo.sh
View File

@ -5,14 +5,14 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "Defaults log file found in sudoers file"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

2
tests/hardening/1.4.1_install_tripwire.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

8
tests/hardening/1.4.2_tripwire_cron.sh
View File

@ -4,12 +4,12 @@ test_audit() {
describe Running on blank host
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking auto resolved state
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

2
tests/hardening/1.5.1_bootloader_ownership.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.5.2_bootloader_password.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.5.3_root_password.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.6.1_enable_nx_support.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.6.2_enable_randomized_vm_placement.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.6.3.1_disable_apport.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.6.3_disable_prelink.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/1.6.4_restrict_core_dumps.sh
View File

@ -8,7 +8,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
fi

8
tests/hardening/1.7.1.1_install_apparmor.sh
View File

@ -8,15 +8,15 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "is installed"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

8
tests/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -8,15 +8,15 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "are configured"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

8
tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -8,15 +8,15 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No profiles are unconfined"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

8
tests/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -8,15 +8,15 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No profiles are unconfined"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

2
tests/hardening/1.8.1.1_remove_os_info_motd.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/1.8.1.2_remove_os_info_issue.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/1.8.1.3_remove_os_info_issue_net.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

16
tests/hardening/1.8.1.4_motd_perms.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
local test_user="motd-user"
local test_file="/etc/motd"
@ -14,28 +14,28 @@ test_audit() {
chmod 777 "$test_file"
register_test retvalshouldbe 1
register_test contain "permissions were not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Tests purposely failing
useradd "$test_user"
chown "$test_user":"$test_user" "$test_file"
register_test retvalshouldbe 1
register_test contain "ownership was not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "has correct permissions"
register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel "$test_user"

16
tests/hardening/1.8.1.5_etc_issue_perms.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
local test_user="issue-user"
local test_file="/etc/issue"
@ -14,28 +14,28 @@ test_audit() {
chmod 777 "$test_file"
register_test retvalshouldbe 1
register_test contain "permissions were not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Tests purposely failing
useradd "$test_user"
chown "$test_user":"$test_user" "$test_file"
register_test retvalshouldbe 1
register_test contain "ownership was not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "has correct permissions"
register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel "$test_user"

16
tests/hardening/1.8.1.6_etc_issue_net_perms.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
local test_user="issue-net-user"
local test_file="/etc/issue.net"
@ -14,28 +14,28 @@ test_audit() {
chmod 777 "$test_file"
register_test retvalshouldbe 1
register_test contain "permissions were not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Tests purposely failing
useradd "$test_user"
chown "$test_user":"$test_user" "$test_file"
register_test retvalshouldbe 1
register_test contain "ownership was not set to"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "has correct permissions"
register_test contain "has correct ownership"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel "$test_user"

2
tests/hardening/1.8.2_graphical_warning_banners.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/1.9_install_updates.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.1.1_disable_xinetd.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

4
tests/hardening/2.2.1.1_use_time_sync.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 1
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
apt-get update
@ -15,5 +15,5 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "Time synchronization is available through"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}

2
tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/2.2.1.3_configure_chrony.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/2.2.1.4_configure_ntp.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/2.2.10_disable_http_server.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.11_disable_imap_pop.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.12_disable_samba.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.13_disable_http_proxy.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.14_disable_snmp_server.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.15_mta_localhost.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/2.2.16_disable_rsync.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

2
tests/hardening/2.2.17_disable_nis.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.3_disable_avahi_server.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.4_disable_print_server.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.5_disable_dhcp.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.6_disable_ldap.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.8_disable_dns_server.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.2.9_disable_ftp.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.3.1_disable_nis.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.3.2_disable_rsh_client.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.3.3_disable_talk_client.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.3.4_disable_telnet_client.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

2
tests/hardening/2.3.5_disable_ldap_client.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #

10
tests/hardening/3.1.1_disable_ipv6.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -14,16 +14,16 @@ test_audit() {
sysctl -w net.ipv6.conf.all.disable_ipv6=0 2>/dev/null
register_test retvalshouldbe 1
register_test contain "net.ipv6.conf.all.disable_ipv6 was not set to 1"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 1"
register_test contain "net.ipv6.conf.all.disable_ipv6 correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

2
tests/hardening/3.1.2_disable_wireless.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# TODO fill comprehensive tests
}

10
tests/hardening/3.2.1_disable_send_packet_redirects.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -14,16 +14,16 @@ test_audit() {
sysctl -w net.ipv4.conf.all.send_redirects=1 2>/dev/null
register_test retvalshouldbe 1
register_test contain "net.ipv4.conf.all.send_redirects was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.conf.all.send_redirects correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.2.2_disable_ip_forwarding.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -14,16 +14,16 @@ test_audit() {
sysctl -w net.ipv4.ip_forward=1 2>/dev/null
register_test retvalshouldbe 1
register_test contain "net.ipv4.ip_forward was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.ip_forward correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.1_disable_source_routed_packets.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -18,11 +18,11 @@ test_audit() {
register_test contain "net.ipv6.conf.all.accept_source_route was not set to 0"
register_test contain "net.ipv6.conf.default.accept_source was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
@ -31,6 +31,6 @@ test_audit() {
register_test contain "net.ipv4.conf.default.accept_source_route correctly set to 0"
register_test contain "net.ipv6.conf.all.accept_source_route correctly set to 0"
register_test contain "net.ipv6.conf.default.accept_source correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.2_disable_icmp_redirect.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -18,11 +18,11 @@ test_audit() {
register_test contain "net.ipv6.conf.all.accept_redirects was not set to 0"
register_test contain "net.ipv6.conf.default.accept_redirects was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
@ -31,6 +31,6 @@ test_audit() {
register_test contain "net.ipv4.conf.default.accept_redirects correctly set to 0"
register_test contain "net.ipv6.conf.all.accept_redirects correctly set to 0"
register_test contain "net.ipv6.conf.default.accept_redirects correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.3_disable_secure_icmp_redirect.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -16,17 +16,17 @@ test_audit() {
register_test contain "net.ipv4.conf.all.secure_redirects was not set to 0"
register_test contain "net.ipv4.conf.default.secure_redirects=0 was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.conf.all.secure_redirects correctly set to 0"
register_test contain "net.ipv4.conf.default.secure_redirects correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.4_log_martian_packets.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -16,17 +16,17 @@ test_audit() {
register_test contain "net.ipv4.conf.all.log_martians was not set to 1"
register_test contain "net.ipv4.conf.default.log_martians was not set to 1"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 1"
register_test contain "net.ipv4.conf.all.log_martians correctly set to 1"
register_test contain " net.ipv4.conf.default.log_martians correctly set to 1"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.5_ignore_broadcast_requests.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -15,16 +15,16 @@ test_audit() {
register_test retvalshouldbe 1
register_test contain "net.ipv4.icmp_echo_ignore_broadcasts was not set to 1"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 1"
register_test contain "net.ipv4.icmp_echo_ignore_broadcasts correctly set to 1"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

10
tests/hardening/3.3.6_enable_bad_error_message_protection.sh
View File

@ -5,7 +5,7 @@ test_audit() {
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -15,16 +15,16 @@ test_audit() {
register_test retvalshouldbe 1
register_test contain "net.ipv4.icmp_ignore_bogus_error_responses was not set to 1"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.icmp_ignore_bogus_error_responses correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
fi
}

Some files were not shown because too many files have changed in this diff Show More