IMP(shfmt): add shell formatter

This commit is contained in:
Thibault Ayanides
2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions


@ -12,7 +12,7 @@ if [ $# -gt 0 ]; then
shift
fi
fi
if [ -z "$target" ] ; then
if [ -z "$target" ]; then
echo "Usage: $0 <TARGET> [test_script...]" >&2
echo -n "Supported targets are: " >&2
#ls -1v "$(dirname "$0")"/docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr "\n" " " >&2
@ -21,15 +21,12 @@ if [ -z "$target" ] ; then
exit 1
fi
dockerfile="$(dirname "$0")"/docker/Dockerfile.${target}
if [ ! -f "$dockerfile" ] ; then
echo "ERROR: No target available for $target" >&2
if [ ! -f "$dockerfile" ]; then
echo "ERROR: No target available for $target" >&2
exit 1
fi
docker build -f "$dockerfile" -t "debian_cis_test:${target}" "$(dirname "$0")"/../
docker run --rm debian_cis_test:"${target}" "$@"


@ -4,13 +4,13 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}


@ -1,11 +1,11 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
@ -18,7 +18,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi


@ -11,7 +11,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -18,4 +18,3 @@ test_audit() {
register_test contain "Time synchronization is available through"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -12,7 +12,7 @@ test_audit() {
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
# to avoid error during auditd installation in 4.1.1.2, only necessary during tests
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state


@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
@ -21,4 +20,3 @@ test_audit() {
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true


@ -7,13 +7,13 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -14,7 +14,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"


@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true


@ -9,16 +9,15 @@ test_audit() {
cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/syslog-ng.conf
grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf
describe Checking one line conf
register_test retvalshouldbe 0
run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
cat >> /etc/syslog-ng/syslog-ng.conf <<EOF
cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
destination mySyslog {
tcp ("syslog.example.tld"),
port(1234),
@ -31,16 +30,13 @@ EOF
mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
#echo "#Sample conf" >/etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination
cat /etc/syslog-ng/conf.d/1_tcp_destination
describe Checking file in subdirectory
register_test retvalshouldbe 0
run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /etc/syslog-ng/conf.d/1_tcp_destination


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
touch /etc/cron.allow /etc/at.allow
@ -32,7 +32,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -46,7 +46,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -27,4 +27,3 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed


@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -19,7 +19,7 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "OPTIONS='LogLevel=DEBUG'" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/LogLevel VERBOSE/LogLevel DEBUG/' /etc/ssh/sshd_config
describe Checking custom conf


@ -6,7 +6,7 @@ test_audit() {
register_test contain "openssh-server is installed"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed


@ -19,4 +19,4 @@ test_audit() {
register_test retvalshouldbe 0
register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
}


@ -7,4 +7,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -9,7 +9,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -8,7 +8,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -1,7 +1,7 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
#run this test only if we're not in docker
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -21,13 +21,12 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
fi
}


@ -24,4 +24,3 @@ test_audit() {
register_test contain "No unowned files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
@ -24,4 +24,3 @@ test_audit() {
register_test contain "No ungrouped files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -29,4 +29,3 @@ test_audit() {
register_test contain "No unknown suid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -30,4 +30,3 @@ test_audit() {
register_test contain "No unknown sgid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -10,7 +10,7 @@ test_audit() {
local test_user="testdotuser"
local test_file=".test"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -20,7 +20,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -6,11 +6,11 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
local test_user="testforwarduser"
local test_file=".forward"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1


@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1


@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -10,7 +10,7 @@ test_audit() {
local test_user="testrhostsuser"
local test_file=".rhosts"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1
@ -19,4 +19,4 @@ test_audit() {
# cleanup
userdel -r "$test_user"
}
}


@ -10,8 +10,8 @@ test_audit() {
local test_user="testpasswdgroupuser"
local dir="/etc/passwd"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >> "$dir"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >>"$dir"
register_test retvalshouldbe 1
register_test contain "is referenced by /etc/passwd but does not exist in /etc/group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -28,4 +28,3 @@ test_audit() {
userdel usertest1
userdel usertest2
}


@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
groupadd -f -g 120 grouptest
groupadd -fo -g 120 grouptest2


@ -10,10 +10,10 @@ test_audit() {
local test_user="testduplicateuser"
local dir="/etc/passwd"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate username"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all


@ -10,10 +10,10 @@ test_audit() {
local test_group="testduplicategroup"
local dir="/etc/group"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_group"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all


@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -9,7 +9,7 @@ test_audit() {
local test_user="testshadowuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
usermod -aG shadow "$test_user"
register_test retvalshouldbe 1
@ -17,11 +17,11 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
describe Tests purposely failing
describe Tests purposely failing
useradd --no-user-group -g shadow "$test_user"
register_test retvalshouldbe 1
register_test contain "Some users have shadow id as their primary group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
}


@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcpasswduser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcshadowusr"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcgroupuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -26,4 +26,3 @@ test_audit() {
# Cleanup
userdel -f usertest1
}


@ -26,7 +26,7 @@ test_audit() {
run noncompliant path="$PATH:." /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
mkdir -m 770 "$dir"
mkdir -m 770 "$dir"
register_test retvalshouldbe 1
register_test contain "Group Write permission set on directory $dir"
run noncompliant path="$PATH:$dir" /opt/debian-cis/bin/hardening/"${script}".sh --audit-all


@ -16,4 +16,4 @@ test_audit() {
# cleanup
userdel "$test_user"
}
}


@ -9,7 +9,7 @@ test_audit() {
local test_user="testhomepermuser"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
chmod 777 /home/"$test_user"
register_test retvalshouldbe 1
@ -21,7 +21,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state


@ -4,7 +4,7 @@ test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -19,11 +19,10 @@ test_audit() {
chown root:root /home/"$test_user"
register_test retvalshouldbe 1
register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Checking resolved state
register_test retvalshouldbe 0


@ -7,7 +7,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "TMOUT=600" > /etc/profile.d/CIS_99.1_timeout.sh
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
describe compliant
register_test retvalshouldbe 0
@ -16,5 +16,5 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/profile.d/CIS_99.1_timeout.sh
rm /etc/profile.d/CIS_99.1_timeout.sh
}


@ -13,7 +13,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' >/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
describe compliant
register_test retvalshouldbe 0
@ -22,6 +22,6 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
fi
}


@ -22,7 +22,7 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow
chpasswd << EOF
chpasswd <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password
@ -30,4 +30,3 @@ EOF
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -4,7 +4,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -15,15 +15,14 @@ test_audit() {
# Proceed to operation that will end up to a non compliant system
useradd -s /bin/bash jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >> /etc/sudoers.d/jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >>/etc/sudoers.d/jeantestuser
describe Fail: Not compliant system
register_test retvalshouldbe 1
register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding jeantestuser to exceptions
register_test retvalshouldbe 0
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
@ -32,4 +31,3 @@ test_audit() {
rm -f /etc/sudoers.d/jeantestuser
userdel jeantestuser
}


@ -36,4 +36,3 @@ test_audit() {
register_test retvalshouldbe 0
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -27,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -26,4 +26,3 @@ test_audit() {
register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -1,8 +1,8 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
skip_tests
# shellcheck disable=2154
@ -25,58 +25,56 @@ test_audit() {
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ssh-keygen -N "" -t ed25519 -f /tmp/key1
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
describe Key without from field
register_test retvalshouldbe 1
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
{
echo -n 'from="127.0.0.1" ';
cat /tmp/key1.pub;
} > /home/secaudit/.ssh/authorized_keys2
echo -n 'from="127.0.0.1" '
cat /tmp/key1.pub
} >/home/secaudit/.ssh/authorized_keys2
describe Key with from, no ip check
register_test retvalshouldbe 0
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from, filled allowed IPs, one bad ip
register_test retvalshouldbe 1
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Key with from, filled allowed IPs, all IPs allowed
register_test retvalshouldbe 0
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2",command="echo bla" ';
cat /tmp/key1.pub;
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2",command="echo bla" '
cat /tmp/key1.pub
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from and command options
register_test retvalshouldbe 0
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
useradd -s /bin/bash -m jeantest2
# shellcheck disable=2016
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Check only specified user
register_test retvalshouldbe 0
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
userdel jeantestuser
userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub
}


@ -21,4 +21,3 @@ test_audit() {
register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -14,7 +14,6 @@ test_audit() {
register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -28,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -6,4 +6,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -1,6 +1,6 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
describe Running on blank host
register_test retvalshouldbe 1
register_test contain "openssh-server is installed"
@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}


@ -63,8 +63,7 @@ skip() {
printf "%b %b\n" "\033[30m\e[43m[SKIP]\033[0m" "$*" >&2
}
# retrieves audit script logfile
get_stdout()
{
get_stdout() {
cat "$outdir"/"$usecase_name".log
}
@ -107,7 +106,7 @@ play_consistency_tests() {
retfile_root=$outdir/${usecase_name_root}.retval
retfile_sudo=$outdir/${usecase_name_sudo}.retval
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
if [[ ! 0 -eq $ret ]] ; then
if [[ ! 0 -eq $ret ]]; then
fail "$name" return values differ
diff "$retfile_root" "$retfile_sudo" || true
consist_test=1
@ -118,28 +117,28 @@ play_consistency_tests() {
retfile_root=$outdir/${usecase_name_root}.log
retfile_sudo=$outdir/${usecase_name_sudo}.log
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
if [[ ! 0 -eq $ret ]] ; then
if [[ ! 0 -eq $ret ]]; then
fail "$name" logs differ
diff "$retfile_root" "$retfile_sudo" || true
diff "$retfile_root" "$retfile_sudo" || true
consist_test=1
else
ok "$name logs are identical"
fi
if [ 1 -eq $consist_test ]; then
nbfailedconsist=$(( nbfailedconsist + 1 ))
nbfailedconsist=$((nbfailedconsist + 1))
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
fi
}
# Actually runs one signel audit script
_run()
{
_run() {
usecase_name=$1
shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
ret=$(< "$outdir"/"$usecase_name".retval)
bash -c "$*" >"$outdir/$usecase_name.log" && true
echo $? >"$outdir/$usecase_name.retval"
ret=$(<"$outdir"/"$usecase_name".retval)
get_stdout
}
@ -153,18 +152,17 @@ fi
###################
# Execution start #
###################
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
# if no scripts were passed as arguments, list all available test scenarii to be played
if [ $# -eq 0 ]; then
tests_list=$(ls -v "$(dirname "$0")"/hardening/)
testcount=$(wc -l <<< "$tests_list")
testcount=$(wc -l <<<"$tests_list")
else
tests_list="$*"
testcount=$#
fi
for test_file in $tests_list; do
test_file_path=$(dirname "$0")/hardening/"$test_file"
if [ ! -f "$test_file_path" ]; then
@ -176,9 +174,9 @@ for test_file in $tests_list; do
# source test scenario file to add `test_audit` func
# shellcheck disable=1090
. "$test_file_path"
testno=$(( testno + 1 ))
testno=$((testno + 1))
# shellcheck disable=2001
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//')"
printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
# test_audit is the function defined in $test_file, that carries the actual functional tests for this script
test_audit
@ -190,22 +188,22 @@ for test_file in $tests_list; do
echo ""
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
else
(
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
) | tee "$outdir"/summary
fi
echo
set +e
set +u
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
# leave `exit 255` for runtime errors
[ $totalerrors -ge 255 ] && totalerrors=254
exit $totalerrors
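Review bot: Now that shfmt has moved `echo $? >"$outdir/$usecase_name.retval"` onto its own line in `_run`, the `&& true` left on the `bash -c "$*"` line reads as a no-op and invites a later cleanup to delete it, yet it is the only thing keeping a non-zero audit exit from aborting the harness if `set -e` is active (the `set +e` / `set +u` near the end of this section suggest it is, but the `set -e` itself is not visible here). A one-line why-comment would protect it: `# '&& true' keeps set -e from aborting on a failing audit; $? on the next line still carries the audit's exit status`. It is also worth documenting above `_run` that `bash -c "$*"` joins the arguments and re-parses them through a shell, which is what lets test files pass `VAR=value` prefixes such as `path="$PATH:$dir"`, but means any argument containing whitespace or shell metacharacters is re-split or interpreted. `_run` lies entirely within this hunk; the rest of the runner continues outside it.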


@ -18,24 +18,23 @@ describe() {
register_test() {
export numtest=0
if [[ "notempty" == "${REGISTERED_TESTS[*]:+notempty}" ]]; then
numtest=${#REGISTERED_TESTS[@]}
fi
REGISTERED_TESTS[numtest]="$*"
numtest=${#REGISTERED_TESTS[@]}
fi
REGISTERED_TESTS[numtest]="$*"
}
# retvalshouldbe checks that the audit return value equals the one passed as parameter
# retvalshoudbe <NUMBER>
retvalshouldbe()
{
retvalshouldbe() {
# shellcheck disable=2154
retfile=$outdir/${usecase_name}.retval
shouldbe=$1
got=$(< "$retfile")
if [ "$got" = "$shouldbe" ] ; then
got=$(<"$retfile")
if [ "$got" = "$shouldbe" ]; then
ok "RETURN VALUE" "($shouldbe)"
else
if [ 0 -eq "$dismiss_count" ]; then
nbfailedret=$(( nbfailedret + 1 ))
nbfailedret=$((nbfailedret + 1))
listfailedret="$listfailedret $usecase_name"
fi
fail "RETURN VALUE" "(got $got instead of $shouldbe)"
@ -44,10 +43,9 @@ retvalshouldbe()
# contain looks for a string in audit logfile
# contain [REGEX] <STRING|regexSTRING>
contain()
{
contain() {
local specialoption=''
if [ "$1" != "REGEX" ] ; then
if [ "$1" != "REGEX" ]; then
specialoption='-F'
else
specialoption='-E'
@ -59,8 +57,8 @@ contain()
ok "MUST CONTAIN" "($pattern)"
else
if [ 0 -eq "$dismiss_count" ]; then
nbfailedgrep=$(( nbfailedgrep + 1 ))
listfailedgrep="$listfailedgrep $usecase_name"
nbfailedgrep=$((nbfailedgrep + 1))
listfailedgrep="$listfailedgrep $usecase_name"
fi
fail "MUST CONTAIN" "($pattern)"
fi
@ -95,4 +93,3 @@ run() {
play_consistency_tests
clear_registered_tests
}


@ -30,27 +30,36 @@ eval set -- "$OPTIONS"
# Treating options
while true; do
case "$1" in
--nodel ) nodel=1; shift ;;
--nowait ) nowait=1; shift ;;
-- ) shift; break ;;
* ) break ;;
--nodel)
nodel=1
shift
;;
--nowait)
nowait=1
shift
;;
--)
shift
break
;;
*) break ;;
esac
done
# Execution summary
if [ "$nodel" -eq 1 ]; then
echo -e "\e[34mLog directory: $tmpdir \e[0m"
echo -e "\e[34mLog directory: $tmpdir \e[0m"
fi
if [ "$nowait" -eq 1 ]; then
echo -e "\e[34mRunning in non-interactive mode\e[0m"
echo -e "\e[34mRunning in non-interactive mode\e[0m"
fi
# Actual execution
# Loops over found targets and runs docker_build_and_run_tests
for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Supported" | cut -d ':' -f 2); do
echo "Running $target $*"
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 | \
tee "${tmpdir}"/"${target}" | \
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 |
tee "${tmpdir}"/"${target}" |
grep -q "All tests succeeded"
ret=$?
if [[ 0 -eq $ret ]]; then
@ -61,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
fi
done
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
echo -e "and \e[1mq\e[0m to quit"
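Review bot: The reformatted condition `[[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]` would read more directly as `[[ -n "$failedtarget" && "$nowait" -eq 0 ]]`, which is also what ShellCheck (SC2236) recommends; behaviour is identical. Since this commit introduces shfmt alongside the existing shellcheck pragmas, aligning the new line with the linter's preference here avoids a warning the next lint pass would raise. The enclosing `if` block starts in this hunk but its body continues past the end of the visible section.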