IMP(shfmt): add shell formatter
@ -12,7 +12,7 @@ if [ $# -gt 0 ]; then
|
||||
shift
|
||||
fi
|
||||
fi
|
||||
if [ -z "$target" ] ; then
|
||||
if [ -z "$target" ]; then
|
||||
echo "Usage: $0 <TARGET> [test_script...]" >&2
|
||||
echo -n "Supported targets are: " >&2
|
||||
#ls -1v "$(dirname "$0")"/docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr "\n" " " >&2
|
||||
@ -21,15 +21,12 @@ if [ -z "$target" ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
dockerfile="$(dirname "$0")"/docker/Dockerfile.${target}
|
||||
if [ ! -f "$dockerfile" ] ; then
|
||||
echo "ERROR: No target available for $target" >&2
|
||||
if [ ! -f "$dockerfile" ]; then
|
||||
echo "ERROR: No target available for $target" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
docker build -f "$dockerfile" -t "debian_cis_test:${target}" "$(dirname "$0")"/../
|
||||
|
||||
docker run --rm debian_cis_test:"${target}" "$@"
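Review bot: The usage path prints `Supported targets are: ` and then nothing, because the listing on the following line is commented out, so a caller who passes a bad target gets an empty list; that is in the first hunk of this file, the same script as the `docker build`/`docker run` lines here. Replacing the disabled `ls | sed` pipe with a glob fixes the message without parsing `ls` output: `for f in "$(dirname "$0")"/docker/Dockerfile.*; do printf '%s ' "${f##*/Dockerfile.}"; done >&2; echo >&2`. If the listing was disabled on purpose, the `echo -n` prefix should be removed with it so the usage text is not misleading. The later `-f "$dockerfile"` check already rejects any target that does not map to a shipped Dockerfile, so the glob needs no extra validation of `$target`.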
|
||||
|
||||
|
@ -4,13 +4,13 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
|
||||
##################################################################
|
||||
# For this test, we only check that it runs properly on a blank #
|
||||
# host, and we check root/sudo consistency. But, we don't test #
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
@ -18,4 +18,3 @@ test_audit() {
|
||||
# long to test and not very useful. #
|
||||
##################################################################
|
||||
}
|
||||
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
|
||||
##################################################################
|
||||
@ -18,4 +18,3 @@ test_audit() {
|
||||
# long to test and not very useful. #
|
||||
##################################################################
|
||||
}
|
||||
|
||||
|
@ -1,11 +1,11 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
@ -18,7 +18,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
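Review bot: `sed -i 's/audit/enabled/'` on the script's cfg is unanchored, so it rewrites the first `audit` on every line of that file, not only the status line it is meant to flip; a comment, or an `OPTIONS=` value naming an audit path, would be corrupted silently and the failure would only show up as a confusing later assertion. Anchor it to the key it targets, for example `sed -i 's/^status=audit$/status=enabled/'` if `status=` is the key in these cfg files (the cfg layout is not visible here — confirm against `etc/conf.d`). The same one-liner is repeated in most of the test files this commit reformats, so the anchored form belongs in a shared harness helper rather than being fixed file by file.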
|
||||
|
@ -4,11 +4,11 @@ test_audit() {
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
fi
|
||||
|
@ -11,7 +11,7 @@ test_audit() {
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -18,4 +18,3 @@ test_audit() {
|
||||
register_test contain "Time synchronization is available through"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -12,7 +12,7 @@ test_audit() {
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
# to avoid error during auditd installation in 4.1.1.2, only necessary during tests
|
||||
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -7,7 +7,6 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
@ -21,4 +20,3 @@ test_audit() {
|
||||
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -7,7 +7,6 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
@ -7,13 +7,13 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Correcting situation
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -14,7 +14,7 @@ test_audit() {
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"
|
||||
|
@ -7,7 +7,6 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
@ -9,16 +9,15 @@ test_audit() {
|
||||
|
||||
cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
|
||||
|
||||
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf
|
||||
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/syslog-ng.conf
|
||||
grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf
|
||||
|
||||
describe Checking one line conf
|
||||
register_test retvalshouldbe 0
|
||||
run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
|
||||
cat >> /etc/syslog-ng/syslog-ng.conf <<EOF
|
||||
cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
|
||||
destination mySyslog {
|
||||
tcp ("syslog.example.tld"),
|
||||
port(1234),
|
||||
@ -31,16 +30,13 @@ EOF
|
||||
mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
|
||||
|
||||
#echo "#Sample conf" >/etc/syslog-ng/conf.d/1_tcp_destination
|
||||
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination
|
||||
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination
|
||||
cat /etc/syslog-ng/conf.d/1_tcp_destination
|
||||
|
||||
|
||||
describe Checking file in subdirectory
|
||||
register_test retvalshouldbe 0
|
||||
run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
|
||||
# Cleanup
|
||||
rm /etc/syslog-ng/conf.d/1_tcp_destination
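Review bot: The config backup uses the fixed, predictable path `/tmp/syslog-ng.conf.bak` and is later copied and moved back over `/etc/syslog-ng/syslog-ng.conf` as root, so on a shared or long-lived test host a pre-existing file or symlink at that name would be restored into `/etc`. `bak=$(mktemp) && cp -a /etc/syslog-ng/syslog-ng.conf "$bak"`, with `"$bak"` in the two restore lines, removes the fixed name at no cost. The `rm` of `/etc/syslog-ng/conf.d/1_tcp_destination` is also only reached on the straight-line path; whether the harness aborts `test_audit` on a failed `run` is not visible here, but if it does, the cleanup should move into a `trap` (or into the harness) so later tests do not inherit the stray destination.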
|
||||
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
touch /etc/cron.allow /etc/at.allow
|
||||
@ -32,7 +32,7 @@ test_audit() {
|
||||
userdel "$test_user"
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -46,7 +46,7 @@ test_audit() {
|
||||
userdel "$test_user"
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -20,4 +20,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -27,4 +27,3 @@ test_audit() {
|
||||
register_test retvalshouldbe 0
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -19,7 +19,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -30,7 +30,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -19,7 +19,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -30,7 +30,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -6,7 +6,7 @@ test_audit() {
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
|
@ -6,7 +6,7 @@ test_audit() {
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
@ -19,7 +19,7 @@ test_audit() {
|
||||
register_test retvalshouldbe 0
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo "OPTIONS='LogLevel=DEBUG'" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/LogLevel VERBOSE/LogLevel DEBUG/' /etc/ssh/sshd_config
|
||||
|
||||
describe Checking custom conf
|
||||
|
@ -6,7 +6,7 @@ test_audit() {
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
|
@ -19,4 +19,4 @@ test_audit() {
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
}
|
||||
|
@ -7,4 +7,3 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -8,7 +8,7 @@ test_audit() {
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -1,7 +1,7 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
|
||||
|
||||
#run this test only if we're not in docker
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
@ -21,13 +21,12 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -24,4 +24,3 @@ test_audit() {
|
||||
register_test contain "No unowned files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -16,7 +16,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
@ -24,4 +24,3 @@ test_audit() {
|
||||
register_test contain "No ungrouped files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -5,7 +5,7 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
@ -29,4 +29,3 @@ test_audit() {
|
||||
register_test contain "No unknown suid files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
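Review bot: The `EXCEPTIONS=` line in the first hunk of this file whitelists six setuid binaries, including `/usr/bin/pkexec`, with no comment saying why, and nothing marks it as a fixture for the test image rather than a recommended exception list; someone copying the pattern into a real `conf.d` entry would silently exempt those files from the suid audit. A comment above the `echo` such as `# setuid binaries presumably present on the test image; test fixture only, not a recommended production exception list` would prevent that. The bare `/opt/debian-cis/bin/hardening/"${script}".sh || true` three lines earlier looks like it runs once so the cfg exists before it is appended to — if so, say that in a comment, because the `|| true` otherwise reads as a swallowed failure.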
|
||||
|
||||
|
@ -5,7 +5,7 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
@ -30,4 +30,3 @@ test_audit() {
|
||||
register_test contain "No unknown sgid files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
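Review bot: The exception `/usr/lib/x86_64-linux-gnu/utempter/utempter` in the first hunk of this file hard-codes the amd64 multiarch triplet, so on an arm64 (or any non-amd64) test image the sgid audit would still report utempter and the `No unknown sgid files found` assertion at the end of this file would fail. Deriving the path at test time keeps the fixture portable, e.g. `utempter=$(echo /usr/lib/*/utempter/utempter)` followed by `echo "EXCEPTIONS=\"\$EXCEPTIONS /usr/bin/dotlock.mailutils $utempter\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg`. Whether the CI images are amd64-only is not visible here; if they are, a comment stating that assumption next to the line is the minimum.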
|
||||
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Tests purposely failing
|
||||
@ -28,7 +28,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -10,7 +10,7 @@ test_audit() {
|
||||
local test_user="testdotuser"
|
||||
local test_file=".test"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
touch "/home/$test_user/$test_file"
|
||||
chmod 777 "/home/$test_user/$test_file"
|
||||
@ -20,7 +20,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -6,11 +6,11 @@ test_audit() {
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
local test_user="testforwarduser"
|
||||
local test_file=".forward"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
touch "/home/$test_user/$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
@ -10,7 +10,7 @@ test_audit() {
|
||||
local test_user="testnetrcuser"
|
||||
local test_file=".netrc"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
touch "/home/$test_user/$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
@ -10,7 +10,7 @@ test_audit() {
|
||||
local test_user="testnetrcuser"
|
||||
local test_file=".netrc"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
touch "/home/$test_user/$test_file"
|
||||
chmod 777 "/home/$test_user/$test_file"
|
||||
@ -19,7 +19,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -10,7 +10,7 @@ test_audit() {
|
||||
local test_user="testrhostsuser"
|
||||
local test_file=".rhosts"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
touch "/home/$test_user/$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
@ -19,4 +19,4 @@ test_audit() {
|
||||
|
||||
# cleanup
|
||||
userdel -r "$test_user"
|
||||
}
|
||||
}
|
||||
|
@ -10,8 +10,8 @@ test_audit() {
|
||||
local test_user="testpasswdgroupuser"
|
||||
local dir="/etc/passwd"
|
||||
|
||||
describe Tests purposely failing
|
||||
echo "$test_user:x:1100:1100::/home/$test_user:" >> "$dir"
|
||||
describe Tests purposely failing
|
||||
echo "$test_user:x:1100:1100::/home/$test_user:" >>"$dir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "is referenced by /etc/passwd but does not exist in /etc/group"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Adding exceptions
|
||||
register_test retvalshouldbe 0
|
||||
@ -28,4 +28,3 @@ test_audit() {
|
||||
userdel usertest1
|
||||
userdel usertest2
|
||||
}
|
||||
|
||||
|
@ -7,7 +7,6 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
groupadd -f -g 120 grouptest
|
||||
groupadd -fo -g 120 grouptest2
|
||||
|
||||
|
@ -10,10 +10,10 @@ test_audit() {
|
||||
local test_user="testduplicateuser"
|
||||
local dir="/etc/passwd"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_user"
|
||||
temp=$(tail -1 "$dir")
|
||||
echo "$temp" >> "$dir"
|
||||
echo "$temp" >>"$dir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Duplicate username"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
@ -10,10 +10,10 @@ test_audit() {
|
||||
local test_group="testduplicategroup"
|
||||
local dir="/etc/group"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_group"
|
||||
temp=$(tail -1 "$dir")
|
||||
echo "$temp" >> "$dir"
|
||||
echo "$temp" >>"$dir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Duplicate group"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
|
||||
local test_user="testshadowuser"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_user"
|
||||
usermod -aG shadow "$test_user"
|
||||
register_test retvalshouldbe 1
|
||||
@ -17,11 +17,11 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
userdel "$test_user"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --no-user-group -g shadow "$test_user"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some users have shadow id as their primary group"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
userdel "$test_user"
|
||||
|
||||
|
||||
}
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
|
||||
local test_user="testetcpasswduser"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_user"
|
||||
sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
|
||||
register_test retvalshouldbe 1
|
||||
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
|
||||
local test_user="testetcshadowusr"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_user"
|
||||
sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
|
||||
register_test retvalshouldbe 1
|
||||
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
|
||||
local test_user="testetcgroupuser"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd "$test_user"
|
||||
sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
|
||||
register_test retvalshouldbe 1
|
||||
@ -17,7 +17,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -16,7 +16,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Adding exceptions
|
||||
register_test retvalshouldbe 0
|
||||
@ -26,4 +26,3 @@ test_audit() {
|
||||
# Cleanup
|
||||
userdel -f usertest1
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,7 @@ test_audit() {
|
||||
run noncompliant path="$PATH:." /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
mkdir -m 770 "$dir"
|
||||
mkdir -m 770 "$dir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Group Write permission set on directory $dir"
|
||||
run noncompliant path="$PATH:$dir" /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
@ -16,4 +16,4 @@ test_audit() {
|
||||
|
||||
# cleanup
|
||||
userdel "$test_user"
|
||||
}
|
||||
}
|
||||
|
@ -9,7 +9,7 @@ test_audit() {
|
||||
|
||||
local test_user="testhomepermuser"
|
||||
|
||||
describe Tests purposely failing
|
||||
describe Tests purposely failing
|
||||
useradd --create-home "$test_user"
|
||||
chmod 777 /home/"$test_user"
|
||||
register_test retvalshouldbe 1
|
||||
@ -21,7 +21,7 @@ test_audit() {
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
|
@ -4,7 +4,7 @@ test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
@ -19,11 +19,10 @@ test_audit() {
|
||||
chown root:root /home/"$test_user"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
|
@ -7,7 +7,7 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
echo "TMOUT=600" > /etc/profile.d/CIS_99.1_timeout.sh
|
||||
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
|
||||
|
||||
describe compliant
|
||||
register_test retvalshouldbe 0
|
||||
@ -16,5 +16,5 @@ test_audit() {
|
||||
# TODO fill comprehensive tests
|
||||
|
||||
# Cleanup
|
||||
rm /etc/profile.d/CIS_99.1_timeout.sh
|
||||
rm /etc/profile.d/CIS_99.1_timeout.sh
|
||||
}
|
||||
|
@ -13,7 +13,7 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
|
||||
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' >/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
|
||||
|
||||
describe compliant
|
||||
register_test retvalshouldbe 0
|
||||
@ -22,6 +22,6 @@ test_audit() {
|
||||
# TODO fill comprehensive tests
|
||||
|
||||
# Cleanup
|
||||
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
|
||||
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
|
||||
fi
|
||||
}
|
||||
|
@ -22,7 +22,7 @@ test_audit() {
|
||||
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
mv /tmp/shadow.bak /etc/shadow
|
||||
chpasswd << EOF
|
||||
chpasswd <<EOF
|
||||
secaudit:mypassword
|
||||
EOF
|
||||
describe Pass: Found properly hashed password
|
||||
@ -30,4 +30,3 @@ EOF
|
||||
register_test contain "User secaudit has suitable SHA512 hashed password"
|
||||
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -4,7 +4,7 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPT="$EXCEPT debian"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
@ -15,15 +15,14 @@ test_audit() {
|
||||
|
||||
# Proceed to operation that will end up to a non compliant system
|
||||
useradd -s /bin/bash jeantestuser
|
||||
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >> /etc/sudoers.d/jeantestuser
|
||||
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >>/etc/sudoers.d/jeantestuser
|
||||
describe Fail: Not compliant system
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
|
||||
run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
describe Adding jeantestuser to exceptions
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
|
||||
@ -32,4 +31,3 @@ test_audit() {
|
||||
rm -f /etc/sudoers.d/jeantestuser
|
||||
userdel jeantestuser
|
||||
}
|
||||
|
||||
|
@ -36,4 +36,3 @@ test_audit() {
|
||||
register_test retvalshouldbe 0
|
||||
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -27,4 +27,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -20,4 +20,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -26,4 +26,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
test_audit() {
|
||||
# shellcheck disable=2154
|
||||
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
skip_tests
|
||||
# shellcheck disable=2154
|
||||
@ -25,58 +25,56 @@ test_audit() {
|
||||
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
||||
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
|
||||
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key without from field
|
||||
register_test retvalshouldbe 1
|
||||
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
{
|
||||
echo -n 'from="127.0.0.1" ';
|
||||
cat /tmp/key1.pub;
|
||||
} > /home/secaudit/.ssh/authorized_keys2
|
||||
echo -n 'from="127.0.0.1" '
|
||||
cat /tmp/key1.pub
|
||||
} >/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from, no ip check
|
||||
register_test retvalshouldbe 0
|
||||
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
{
|
||||
echo -n 'from="10.0.1.2" ';
|
||||
cat /tmp/key1.pub;
|
||||
} >> /home/secaudit/.ssh/authorized_keys2
|
||||
echo -n 'from="10.0.1.2" '
|
||||
cat /tmp/key1.pub
|
||||
} >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from, filled allowed IPs, one bad ip
|
||||
register_test retvalshouldbe 1
|
||||
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
describe Key with from, filled allowed IPs, all IPs allowed
|
||||
register_test retvalshouldbe 0
|
||||
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
{
|
||||
echo -n 'from="10.0.1.2",command="echo bla" ';
|
||||
cat /tmp/key1.pub;
|
||||
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
|
||||
cat /tmp/key1.pub;
|
||||
} >> /home/secaudit/.ssh/authorized_keys2
|
||||
echo -n 'from="10.0.1.2",command="echo bla" '
|
||||
cat /tmp/key1.pub
|
||||
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
|
||||
cat /tmp/key1.pub
|
||||
} >>/home/secaudit/.ssh/authorized_keys2
|
||||
describe Key with from and command options
|
||||
register_test retvalshouldbe 0
|
||||
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
useradd -s /bin/bash -m jeantest2
|
||||
# shellcheck disable=2016
|
||||
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
describe Check only specified user
|
||||
register_test retvalshouldbe 0
|
||||
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
# Cleanup
|
||||
userdel jeantestuser
|
||||
userdel -r jeantest2
|
||||
rm -f /tmp/key1 /tmp/key1.pub
|
||||
}
|
||||
|
||||
|
@ -21,4 +21,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -14,7 +14,6 @@ test_audit() {
|
||||
register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
@ -28,4 +27,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -6,4 +6,3 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
@ -20,4 +20,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -20,4 +20,3 @@ test_audit() {
|
||||
register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
||||
|
@ -63,8 +63,7 @@ skip() {
|
||||
printf "%b %b\n" "\033[30m\e[43m[SKIP]\033[0m" "$*" >&2
|
||||
}
|
||||
# retrieves audit script logfile
|
||||
get_stdout()
|
||||
{
|
||||
get_stdout() {
|
||||
cat "$outdir"/"$usecase_name".log
|
||||
}
|
||||
|
||||
@ -107,7 +106,7 @@ play_consistency_tests() {
|
||||
retfile_root=$outdir/${usecase_name_root}.retval
|
||||
retfile_sudo=$outdir/${usecase_name_sudo}.retval
|
||||
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
|
||||
if [[ ! 0 -eq $ret ]] ; then
|
||||
if [[ ! 0 -eq $ret ]]; then
|
||||
fail "$name" return values differ
|
||||
diff "$retfile_root" "$retfile_sudo" || true
|
||||
consist_test=1
|
||||
@ -118,28 +117,28 @@ play_consistency_tests() {
|
||||
retfile_root=$outdir/${usecase_name_root}.log
|
||||
retfile_sudo=$outdir/${usecase_name_sudo}.log
|
||||
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
|
||||
if [[ ! 0 -eq $ret ]] ; then
|
||||
if [[ ! 0 -eq $ret ]]; then
|
||||
fail "$name" logs differ
|
||||
diff "$retfile_root" "$retfile_sudo" || true
|
||||
diff "$retfile_root" "$retfile_sudo" || true
|
||||
consist_test=1
|
||||
else
|
||||
ok "$name logs are identical"
|
||||
fi
|
||||
|
||||
if [ 1 -eq $consist_test ]; then
|
||||
nbfailedconsist=$(( nbfailedconsist + 1 ))
|
||||
nbfailedconsist=$((nbfailedconsist + 1))
|
||||
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
|
||||
fi
|
||||
}
|
||||
|
||||
# Actually runs one signel audit script
|
||||
_run()
|
||||
{
|
||||
_run() {
|
||||
usecase_name=$1
|
||||
shift
|
||||
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
|
||||
bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
|
||||
ret=$(< "$outdir"/"$usecase_name".retval)
|
||||
bash -c "$*" >"$outdir/$usecase_name.log" && true
|
||||
echo $? >"$outdir/$usecase_name.retval"
|
||||
ret=$(<"$outdir"/"$usecase_name".retval)
|
||||
get_stdout
|
||||
}
|
||||
|
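Review bot: The reformatted `_run` body still runs the scenario through `bash -c "$*"`, which joins every argument into one string that the inner bash re-parses, so any argument containing spaces, quotes or `$` is word-split and expanded a second time; an earlier hunk's `run noncompliant path="$PATH:." /opt/...` call appears to rely on exactly that re-parsing for variable-assignment prefixes. Since this is the single choke point every test command passes through, the contract deserves a comment above the `bash -c` line: `# "$*" is deliberately re-parsed by an inner bash so callers can prefix variable assignments; quote any argument that contains spaces or shell metacharacters`. The `&& true` presumably keeps a non-zero audit status from tripping `set -e` (the script turns it off explicitly near its end) while the following `echo $?` still records the real status; a one-line comment saying so would stop a future cleanup from "simplifying" it away. The tail of `play_consistency_tests` at the top of this hunk starts outside it.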
||||
@ -153,18 +152,17 @@ fi
|
||||
###################
|
||||
# Execution start #
|
||||
###################
|
||||
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
|
||||
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
|
||||
|
||||
# if no scripts were passed as arguments, list all available test scenarii to be played
|
||||
if [ $# -eq 0 ]; then
|
||||
tests_list=$(ls -v "$(dirname "$0")"/hardening/)
|
||||
testcount=$(wc -l <<< "$tests_list")
|
||||
testcount=$(wc -l <<<"$tests_list")
|
||||
else
|
||||
tests_list="$*"
|
||||
testcount=$#
|
||||
fi
|
||||
|
||||
|
||||
for test_file in $tests_list; do
|
||||
test_file_path=$(dirname "$0")/hardening/"$test_file"
|
||||
if [ ! -f "$test_file_path" ]; then
|
||||
@ -176,9 +174,9 @@ for test_file in $tests_list; do
|
||||
# source test scenario file to add `test_audit` func
|
||||
# shellcheck disable=1090
|
||||
. "$test_file_path"
|
||||
testno=$(( testno + 1 ))
|
||||
testno=$((testno + 1))
|
||||
# shellcheck disable=2001
|
||||
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
|
||||
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//')"
|
||||
printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
|
||||
# test_audit is the function defined in $test_file, that carries the actual functional tests for this script
|
||||
test_audit
|
||||
@ -190,22 +188,22 @@ for test_file in $tests_list; do
|
||||
echo ""
|
||||
done
|
||||
|
||||
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
|
||||
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
|
||||
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
|
||||
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
|
||||
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
|
||||
else
|
||||
(
|
||||
echo -e "\033[41mOne or more tests failed :(\033[0m"
|
||||
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
|
||||
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
|
||||
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
|
||||
echo -e "\033[41mOne or more tests failed :(\033[0m"
|
||||
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
|
||||
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
|
||||
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
|
||||
) | tee "$outdir"/summary
|
||||
fi
|
||||
echo
|
||||
|
||||
set +e
|
||||
set +u
|
||||
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
|
||||
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
|
||||
# leave `exit 255` for runtime errors
|
||||
[ $totalerrors -ge 255 ] && totalerrors=254
|
||||
exit $totalerrors
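Review bot: The reformatted `let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))` applies `let` to a value that is already an arithmetic expansion, so `let` only re-evaluates a plain integer; `totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))` does the same thing with one construct fewer, and ShellCheck prefers `(( ))`/`$(( ))` over `let`. The `set +e` / `set +u` pair immediately before it switches strict mode off on the exit path with no explanation; if the intent is that an unset counter must not abort the report (the counters' initialisation is outside this hunk), a comment saying so would help, e.g. `# relax strict mode: a counter that was never touched must not abort the summary`. The clamp on the next line reads `[ $totalerrors -ge 255 ]`; quoting it as `[ "$totalerrors" -ge 255 ]` keeps it consistent with the rest of the script.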
|
||||
|
25
tests/lib.sh
25
tests/lib.sh
@ -18,24 +18,23 @@ describe() {
|
||||
register_test() {
|
||||
export numtest=0
|
||||
if [[ "notempty" == "${REGISTERED_TESTS[*]:+notempty}" ]]; then
|
||||
numtest=${#REGISTERED_TESTS[@]}
|
||||
fi
|
||||
REGISTERED_TESTS[numtest]="$*"
|
||||
numtest=${#REGISTERED_TESTS[@]}
|
||||
fi
|
||||
REGISTERED_TESTS[numtest]="$*"
|
||||
}
|
||||
|
||||
# retvalshouldbe checks that the audit return value equals the one passed as parameter
|
||||
# retvalshoudbe <NUMBER>
|
||||
retvalshouldbe()
|
||||
{
|
||||
retvalshouldbe() {
|
||||
# shellcheck disable=2154
|
||||
retfile=$outdir/${usecase_name}.retval
|
||||
shouldbe=$1
|
||||
got=$(< "$retfile")
|
||||
if [ "$got" = "$shouldbe" ] ; then
|
||||
got=$(<"$retfile")
|
||||
if [ "$got" = "$shouldbe" ]; then
|
||||
ok "RETURN VALUE" "($shouldbe)"
|
||||
else
|
||||
if [ 0 -eq "$dismiss_count" ]; then
|
||||
nbfailedret=$(( nbfailedret + 1 ))
|
||||
nbfailedret=$((nbfailedret + 1))
|
||||
listfailedret="$listfailedret $usecase_name"
|
||||
fi
|
||||
fail "RETURN VALUE" "(got $got instead of $shouldbe)"
|
||||
@ -44,10 +43,9 @@ retvalshouldbe()
|
||||
|
||||
# contain looks for a string in audit logfile
|
||||
# contain [REGEX] <STRING|regexSTRING>
|
||||
contain()
|
||||
{
|
||||
contain() {
|
||||
local specialoption=''
|
||||
if [ "$1" != "REGEX" ] ; then
|
||||
if [ "$1" != "REGEX" ]; then
|
||||
specialoption='-F'
|
||||
else
|
||||
specialoption='-E'
|
||||
@ -59,8 +57,8 @@ contain()
|
||||
ok "MUST CONTAIN" "($pattern)"
|
||||
else
|
||||
if [ 0 -eq "$dismiss_count" ]; then
|
||||
nbfailedgrep=$(( nbfailedgrep + 1 ))
|
||||
listfailedgrep="$listfailedgrep $usecase_name"
|
||||
nbfailedgrep=$((nbfailedgrep + 1))
|
||||
listfailedgrep="$listfailedgrep $usecase_name"
|
||||
fi
|
||||
fail "MUST CONTAIN" "($pattern)"
|
||||
fi
|
||||
@ -95,4 +93,3 @@ run() {
|
||||
play_consistency_tests
|
||||
clear_registered_tests
|
||||
}
|
||||
|
||||
|
@ -30,27 +30,36 @@ eval set -- "$OPTIONS"
|
||||
# Treating options
|
||||
while true; do
|
||||
case "$1" in
|
||||
--nodel ) nodel=1; shift ;;
|
||||
--nowait ) nowait=1; shift ;;
|
||||
-- ) shift; break ;;
|
||||
* ) break ;;
|
||||
--nodel)
|
||||
nodel=1
|
||||
shift
|
||||
;;
|
||||
--nowait)
|
||||
nowait=1
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*) break ;;
|
||||
esac
|
||||
done
|
||||
|
||||
# Execution summary
|
||||
if [ "$nodel" -eq 1 ]; then
|
||||
echo -e "\e[34mLog directory: $tmpdir \e[0m"
|
||||
echo -e "\e[34mLog directory: $tmpdir \e[0m"
|
||||
fi
|
||||
if [ "$nowait" -eq 1 ]; then
|
||||
echo -e "\e[34mRunning in non-interactive mode\e[0m"
|
||||
echo -e "\e[34mRunning in non-interactive mode\e[0m"
|
||||
fi
|
||||
|
||||
# Actual execution
|
||||
# Loops over found targets and runs docker_build_and_run_tests
|
||||
for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Supported" | cut -d ':' -f 2); do
|
||||
echo "Running $target $*"
|
||||
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 | \
|
||||
tee "${tmpdir}"/"${target}" | \
|
||||
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 |
|
||||
tee "${tmpdir}"/"${target}" |
|
||||
grep -q "All tests succeeded"
|
||||
ret=$?
|
||||
if [[ 0 -eq $ret ]]; then
|
||||
@ -61,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
|
||||
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
|
||||
echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
|
||||
echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
|
||||
echo -e "and \e[1mq\e[0m to quit"
|
||||
|