feat: add debian12 scripts

- sudo_re_authenticate.sh -> 5.2.5 - pam_pwhistory_enabled.sh -> 5.3.2.4 - pam_faillock_enabled.sh -> 5.3.2.2 This is an updated version of enable_lockout_failed_password.sh (renamed) - pam_unix_enabled.sh -> 5.3.2.1 - password_failed_lockout.sh -> 5.3.3.1.1 - password_unlock_time.sh -> 5.3.3.1.2 - password_root_unlock.sh -> 5.3.3.1.3
2025-09-03 13:18:21 +02:00 · 2025-08-08 16:12:00 +02:00
parent 1926758707
commit 37b4f5982e
17 changed files with 814 additions and 116 deletions
--- a/tests/hardening/enable_lockout_failed_password.sh
+++ b/tests/hardening/enable_lockout_failed_password.sh
@@ -1,19 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Correcting situation
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" || true
-
-    describe Checking resolved state
-    register_test retvalshouldbe 0
-    register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-auth"
-    register_test contain "[ OK ] pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-account"
-    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-}
--- a/tests/hardening/pam_faillock_enabled.sh
+++ b/tests/hardening/pam_faillock_enabled.sh
@@ -0,0 +1,30 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local PAM_FILES=""
+    PAM_FILES="/etc/pam.d/common-auth /etc/pam.d/common-account"
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    # shellcheck disable=2086
+    sed -i '/pam_faillock.so/s/^/#/g' $PAM_FILES
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/pam_pwhistory_enabled.sh
+++ b/tests/hardening/pam_pwhistory_enabled.sh
@@ -0,0 +1,29 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local PAM_FILE=""
+    local PAM_FILE="/etc/pam.d/common-password"
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/pam_pwhistory.so/s/^/#/g' "$PAM_FILE"
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/pam_unix_enabled.sh
+++ b/tests/hardening/pam_unix_enabled.sh
@@ -0,0 +1,30 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local PAM_FILES=""
+    PAM_FILES="/etc/pam.d/common-password"
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    # shellcheck disable=2086
+    sed -i '/pam_unix.so/s/^/#/g' $PAM_FILES
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/password_failed_lockout.sh
+++ b/tests/hardening/password_failed_lockout.sh
@@ -0,0 +1,26 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/^[^#]*deny/d' /etc/security/faillock.conf
+    echo "auth requisite pam_faillock.so deny=6" >/usr/share/pam-configs/test_cis
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    rm -f /usr/share/pam-configs/test_cis
+
+}
--- a/tests/hardening/password_root_unlock.sh
+++ b/tests/hardening/password_root_unlock.sh
@@ -0,0 +1,26 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/^[[:space:]]?root_unlock_time/d' /etc/security/faillock.conf
+    echo "auth pam_faillock.so root_unlock_time=0" >/usr/share/pam-configs/test_cis
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    rm -f /usr/share/pam-configs/test_cis
+
+}
--- a/tests/hardening/password_unlock_time.sh
+++ b/tests/hardening/password_unlock_time.sh
@@ -0,0 +1,26 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -E -i '/^[[:space:]]?unlock_time/d' /etc/security/faillock.conf
+    echo "pam_faillock.so unlock_time=0" >/usr/share/pam-configs/test_cis
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    rm -f /usr/share/pam-configs/test_cis
+
+}
--- a/tests/hardening/sudo_re_authenticate.sh
+++ b/tests/hardening/sudo_re_authenticate.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe prepare failing test
+    echo "Defaults !authenticate" >/etc/sudoers.d/sudo_test
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    rm -f /etc/sudoers.d/sudo_test
+
+}