mirror of
https://github.com/ovh/debian-cis.git
synced 2025-06-24 11:34:35 +02:00
Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests
This commit is contained in:
@ -2,11 +2,11 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
# shellcheck disable=2154
|
||||
echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
|
||||
skip_tests
|
||||
# shellcheck disable=2154
|
||||
run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
useradd -s /bin/bash jeantestuser
|
||||
describe Running on blank host
|
||||
@ -16,19 +16,19 @@ test_audit() {
|
||||
register_test contain "[INFO] User jeantestuser has a valid shell"
|
||||
register_test contain "[INFO] User jeantestuser has no home directory"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
mkdir -p /home/secaudit/.ssh
|
||||
touch /home/secaudit/.ssh/authorized_keys2
|
||||
describe empty authorized keys file
|
||||
register_test retvalshouldbe 0
|
||||
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
||||
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key without from field
|
||||
register_test retvalshouldbe 1
|
||||
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
{
|
||||
echo -n 'from="127.0.0.1" '
|
||||
@ -36,26 +36,26 @@ test_audit() {
|
||||
} >/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from, no ip check
|
||||
register_test retvalshouldbe 0
|
||||
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
{
|
||||
echo -n 'from="10.0.1.2" '
|
||||
cat /tmp/key1.pub
|
||||
} >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from, filled allowed IPs, one bad ip
|
||||
register_test retvalshouldbe 1
|
||||
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
describe Key with from, filled allowed IPs, all IPs allowed
|
||||
register_test retvalshouldbe 0
|
||||
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
{
|
||||
echo -n 'from="10.0.1.2",command="echo bla" '
|
||||
cat /tmp/key1.pub
|
||||
@ -64,14 +64,14 @@ test_audit() {
|
||||
} >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from and command options
|
||||
register_test retvalshouldbe 0
|
||||
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
useradd -s /bin/bash -m jeantest2
|
||||
# shellcheck disable=2016
|
||||
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
describe Check only specified user
|
||||
register_test retvalshouldbe 0
|
||||
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# Cleanup
|
||||
userdel jeantestuser
|
||||
|
Reference in New Issue
Block a user