elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-22 02:33:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shfmt): add shell formatter

Browse Source
This commit is contained in:
Thibault Ayanides
2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tests/docker_build_and_run_tests.sh
View File

@ -12,7 +12,7 @@ if [ $# -gt 0 ]; then
shift
fi
fi
if [ -z "$target" ] ; then
if [ -z "$target" ]; then
echo "Usage: $0 <TARGET> [test_script...]" >&2
echo -n "Supported targets are: " >&2
#ls -1v "$(dirname "$0")"/docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr "\n" " " >&2
@ -21,15 +21,12 @@ if [ -z "$target" ] ; then
exit 1
fi
dockerfile="$(dirname "$0")"/docker/Dockerfile.${target}
if [ ! -f "$dockerfile" ] ; then
echo "ERROR: No target available for $target" >&2
if [ ! -f "$dockerfile" ]; then
echo "ERROR: No target available for $target" >&2
exit 1
fi
docker build -f "$dockerfile" -t "debian_cis_test:${target}" "$(dirname "$0")"/../
docker run --rm debian_cis_test:"${target}" "$@"

12
tests/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -4,13 +4,13 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #

10
tests/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

10
tests/hardening/1.1.1.3_disable_hfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

10
tests/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

11
tests/hardening/1.1.1.5_disable_udf.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}

10
tests/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

11
tests/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}

12
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,11 +1,11 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
@ -18,7 +18,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

10
tests/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -11,7 +11,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

1
tests/hardening/2.2.1.1_use_time_sync.sh
View File

@ -18,4 +18,3 @@ test_audit() {
register_test contain "Time synchronization is available through"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -12,7 +12,7 @@ test_audit() {
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
# to avoid error during auditd installation in 4.1.1.2, only necessary during tests
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state

2
tests/hardening/4.1.11_record_failed_access_file.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
@ -21,4 +20,3 @@ test_audit() {
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/4.1.12_record_privileged_commands.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true

4
tests/hardening/4.1.15_record_sudoers_edit.sh
View File

@ -7,13 +7,13 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/4.1.5_record_user_group_edit.sh
View File

@ -14,7 +14,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"

1
tests/hardening/4.1.8_record_login_logout.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true

10
tests/hardening/4.2.2.4_syslog-ng_remote_host.sh
View File

@ -9,16 +9,15 @@ test_audit() {
cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/syslog-ng.conf
grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf
describe Checking one line conf
register_test retvalshouldbe 0
run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
cat >> /etc/syslog-ng/syslog-ng.conf <<EOF
cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
destination mySyslog {
tcp ("syslog.example.tld"),
port(1234),
@ -31,16 +30,13 @@ EOF
mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
#echo "#Sample conf" >/etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination
cat /etc/syslog-ng/conf.d/1_tcp_destination
describe Checking file in subdirectory
register_test retvalshouldbe 0
run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /etc/syslog-ng/conf.d/1_tcp_destination

4
tests/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.7_cron_d_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

6
tests/hardening/5.1.8_cron_users.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
touch /etc/cron.allow /etc/at.allow
@ -32,7 +32,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -46,7 +46,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

1
tests/hardening/5.2.14_ssh_cry_mac.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/5.2.15_ssh_cry_kex.sh
View File

@ -27,4 +27,3 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

4
tests/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
View File

@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/5.2.4_sshd_protocol.sh
View File

@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

4
tests/hardening/5.2.5_sshd_loglevel.sh
View File

@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -19,7 +19,7 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "OPTIONS='LogLevel=DEBUG'" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/LogLevel VERBOSE/LogLevel DEBUG/' /etc/ssh/sshd_config
describe Checking custom conf

2
tests/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -6,7 +6,7 @@ test_audit() {
register_test contain "openssh-server is installed"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

2
tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -19,4 +19,4 @@ test_audit() {
register_test retvalshouldbe 0
register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
}

1
tests/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -7,4 +7,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/5.4.2_disable_system_accounts.sh
View File

@ -9,7 +9,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/5.4.4_default_umask.sh
View File

@ -8,7 +8,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

7
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -1,7 +1,7 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
#run this test only if we're not in docker
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -21,13 +21,12 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
fi
}

1
tests/hardening/6.1.11_find_unowned_files.sh
View File

@ -24,4 +24,3 @@ test_audit() {
register_test contain "No unowned files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
@ -24,4 +24,3 @@ test_audit() {
register_test contain "No ungrouped files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.13_find_suid_files.sh
View File

@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -29,4 +29,3 @@ test_audit() {
register_test contain "No unknown suid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.14_find_sgid_files.sh
View File

@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -30,4 +30,3 @@ test_audit() {
register_test contain "No unknown sgid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

4
tests/hardening/6.1.5_etc_passwd_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.1.6_etc_shadow_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.1.7_etc_group_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testdotuser"
local test_file=".test"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -20,7 +20,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.11_find_user_forward_files.sh
View File

@ -6,11 +6,11 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
local test_user="testforwarduser"
local test_file=".forward"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1

2
tests/hardening/6.2.12_find_user_netrc_files.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1

4
tests/hardening/6.2.13_set_perm_on_user_netrc.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.14_find_user_rhosts_files.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testrhostsuser"
local test_file=".rhosts"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1
@ -19,4 +19,4 @@ test_audit() {
# cleanup
userdel -r "$test_user"
}
}

4
tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
View File

@ -10,8 +10,8 @@ test_audit() {
local test_user="testpasswdgroupuser"
local dir="/etc/passwd"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >> "$dir"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >>"$dir"
register_test retvalshouldbe 1
register_test contain "is referenced by /etc/passwd but does not exist in /etc/group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

3
tests/hardening/6.2.16_check_duplicate_uid.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -28,4 +28,3 @@ test_audit() {
userdel usertest1
userdel usertest2
}

1
tests/hardening/6.2.17_check_duplicate_gid.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
groupadd -f -g 120 grouptest
groupadd -fo -g 120 grouptest2

4
tests/hardening/6.2.18_check_duplicate_username.sh
View File

@ -10,10 +10,10 @@ test_audit() {
local test_user="testduplicateuser"
local dir="/etc/passwd"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate username"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

4
tests/hardening/6.2.19_check_duplicate_groupname.sh
View File

@ -10,10 +10,10 @@ test_audit() {
local test_group="testduplicategroup"
local dir="/etc/group"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_group"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

2
tests/hardening/6.2.1_remove_empty_password_field.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

6
tests/hardening/6.2.20_shadow_group_empty.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testshadowuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
usermod -aG shadow "$test_user"
register_test retvalshouldbe 1
@ -17,11 +17,11 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
describe Tests purposely failing
describe Tests purposely failing
useradd --no-user-group -g shadow "$test_user"
register_test retvalshouldbe 1
register_test contain "Some users have shadow id as their primary group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
}

4
tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcpasswduser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcshadowusr"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.4_remove_legacy_group_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcgroupuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

3
tests/hardening/6.2.5_find_0_uid_non_root_account.sh
View File

@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -26,4 +26,3 @@ test_audit() {
# Cleanup
userdel -f usertest1
}

2
tests/hardening/6.2.6_sanitize_root_path.sh
View File

@ -26,7 +26,7 @@ test_audit() {
run noncompliant path="$PATH:." /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
mkdir -m 770 "$dir"
mkdir -m 770 "$dir"
register_test retvalshouldbe 1
register_test contain "Group Write permission set on directory $dir"
run noncompliant path="$PATH:$dir" /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

2
tests/hardening/6.2.7_users_valid_homedir.sh
View File

@ -16,4 +16,4 @@ test_audit() {
# cleanup
userdel "$test_user"
}
}

4
tests/hardening/6.2.8_check_user_dir_perm.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testhomepermuser"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
chmod 777 /home/"$test_user"
register_test retvalshouldbe 1
@ -21,7 +21,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

7
tests/hardening/6.2.9_users_valid_homedir.sh
View File

@ -4,7 +4,7 @@ test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -19,11 +19,10 @@ test_audit() {
chown root:root /home/"$test_user"
register_test retvalshouldbe 1
register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Checking resolved state
register_test retvalshouldbe 0

4
tests/hardening/99.1_timeout_tty.sh
View File

@ -7,7 +7,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "TMOUT=600" > /etc/profile.d/CIS_99.1_timeout.sh
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
describe compliant
register_test retvalshouldbe 0
@ -16,5 +16,5 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/profile.d/CIS_99.1_timeout.sh
rm /etc/profile.d/CIS_99.1_timeout.sh
}

4
tests/hardening/99.2_disable_usb_devices.sh
View File

@ -13,7 +13,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' >/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
describe compliant
register_test retvalshouldbe 0
@ -22,6 +22,6 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
fi
}

3
tests/hardening/99.3.1_acc_shadow_sha512.sh
View File

@ -22,7 +22,7 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow
chpasswd << EOF
chpasswd <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password
@ -30,4 +30,3 @@ EOF
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

8
tests/hardening/99.3.2_acc_sudoers_no_all.sh
View File

@ -4,7 +4,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -15,15 +15,14 @@ test_audit() {
# Proceed to operation that will end up to a non compliant system
useradd -s /bin/bash jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >> /etc/sudoers.d/jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >>/etc/sudoers.d/jeantestuser
describe Fail: Not compliant system
register_test retvalshouldbe 1
register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding jeantestuser to exceptions
register_test retvalshouldbe 0
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
@ -32,4 +31,3 @@ test_audit() {
rm -f /etc/sudoers.d/jeantestuser
userdel jeantestuser
}

1
tests/hardening/99.3.4_acc_logindefs_sha512.sh
View File

@ -36,4 +36,3 @@ test_audit() {
register_test retvalshouldbe 0
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.1_ssh_auth_pubk_only.sh
View File

@ -27,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.2.3_ssh_cry_rekey.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.3_ssh_disable_features.sh
View File

@ -26,4 +26,3 @@ test_audit() {
register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

38
tests/hardening/99.5.4_ssh_keys_from.sh
View File

@ -1,8 +1,8 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
skip_tests
# shellcheck disable=2154
@ -25,58 +25,56 @@ test_audit() {
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ssh-keygen -N "" -t ed25519 -f /tmp/key1
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
describe Key without from field
register_test retvalshouldbe 1
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
{
echo -n 'from="127.0.0.1" ';
cat /tmp/key1.pub;
} > /home/secaudit/.ssh/authorized_keys2
echo -n 'from="127.0.0.1" '
cat /tmp/key1.pub
} >/home/secaudit/.ssh/authorized_keys2
describe Key with from, no ip check
register_test retvalshouldbe 0
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from, filled allowed IPs, one bad ip
register_test retvalshouldbe 1
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Key with from, filled allowed IPs, all IPs allowed
register_test retvalshouldbe 0
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2",command="echo bla" ';
cat /tmp/key1.pub;
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2",command="echo bla" '
cat /tmp/key1.pub
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from and command options
register_test retvalshouldbe 0
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
useradd -s /bin/bash -m jeantest2
# shellcheck disable=2016
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Check only specified user
register_test retvalshouldbe 0
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
userdel jeantestuser
userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub
}

1
tests/hardening/99.5.5_ssh_strict_modes.sh
View File

@ -21,4 +21,3 @@ test_audit() {
register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/99.5.6_ssh_sys_accept_env.sh
View File

@ -14,7 +14,6 @@ test_audit() {
register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -28,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.7_ssh_sys_no_legacy.sh
View File

@ -6,4 +6,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/99.5.8_ssh_sys_sandbox.sh
View File

@ -1,6 +1,6 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
describe Running on blank host
register_test retvalshouldbe 1
register_test contain "openssh-server is installed"
@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.9_ssh_loglevel.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

42
tests/launch_tests.sh
View File

@ -63,8 +63,7 @@ skip() {
printf "%b %b\n" "\033[30m\e[43m[SKIP]\033[0m" "$*" >&2
}
# retrieves audit script logfile
get_stdout()
{
get_stdout() {
cat "$outdir"/"$usecase_name".log
}
@ -107,7 +106,7 @@ play_consistency_tests() {
retfile_root=$outdir/${usecase_name_root}.retval
retfile_sudo=$outdir/${usecase_name_sudo}.retval
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
if [[ ! 0 -eq $ret ]] ; then
if [[ ! 0 -eq $ret ]]; then
fail "$name" return values differ
diff "$retfile_root" "$retfile_sudo" || true
consist_test=1
@ -118,28 +117,28 @@ play_consistency_tests() {
retfile_root=$outdir/${usecase_name_root}.log
retfile_sudo=$outdir/${usecase_name_sudo}.log
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
if [[ ! 0 -eq $ret ]] ; then
if [[ ! 0 -eq $ret ]]; then
fail "$name" logs differ
diff "$retfile_root" "$retfile_sudo" || true
diff "$retfile_root" "$retfile_sudo" || true
consist_test=1
else
ok "$name logs are identical"
fi
if [ 1 -eq $consist_test ]; then
nbfailedconsist=$(( nbfailedconsist + 1 ))
nbfailedconsist=$((nbfailedconsist + 1))
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
fi
}
# Actually runs one signel audit script
_run()
{
_run() {
usecase_name=$1
shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
ret=$(< "$outdir"/"$usecase_name".retval)
bash -c "$*" >"$outdir/$usecase_name.log" && true
echo $? >"$outdir/$usecase_name.retval"
ret=$(<"$outdir"/"$usecase_name".retval)
get_stdout
}
@ -153,18 +152,17 @@ fi
###################
# Execution start #
###################
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
# if no scripts were passed as arguments, list all available test scenarii to be played
if [ $# -eq 0 ]; then
tests_list=$(ls -v "$(dirname "$0")"/hardening/)
testcount=$(wc -l <<< "$tests_list")
testcount=$(wc -l <<<"$tests_list")
else
tests_list="$*"
testcount=$#
fi
for test_file in $tests_list; do
test_file_path=$(dirname "$0")/hardening/"$test_file"
if [ ! -f "$test_file_path" ]; then
@ -176,9 +174,9 @@ for test_file in $tests_list; do
# source test scenario file to add `test_audit` func
# shellcheck disable=1090
. "$test_file_path"
testno=$(( testno + 1 ))
testno=$((testno + 1))
# shellcheck disable=2001
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//')"
printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
# test_audit is the function defined in $test_file, that carries the actual functional tests for this script
test_audit
@ -190,22 +188,22 @@ for test_file in $tests_list; do
echo ""
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
else
(
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
) | tee "$outdir"/summary
fi
echo
set +e
set +u
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
# leave `exit 255` for runtime errors
[ $totalerrors -ge 255 ] && totalerrors=254
exit $totalerrors

25
tests/lib.sh
View File

@ -18,24 +18,23 @@ describe() {
register_test() {
export numtest=0
if [[ "notempty" == "${REGISTERED_TESTS[*]:+notempty}" ]]; then
numtest=${#REGISTERED_TESTS[@]}
fi
REGISTERED_TESTS[numtest]="$*"
numtest=${#REGISTERED_TESTS[@]}
fi
REGISTERED_TESTS[numtest]="$*"
}
# retvalshouldbe checks that the audit return value equals the one passed as parameter
# retvalshoudbe <NUMBER>
retvalshouldbe()
{
retvalshouldbe() {
# shellcheck disable=2154
retfile=$outdir/${usecase_name}.retval
shouldbe=$1
got=$(< "$retfile")
if [ "$got" = "$shouldbe" ] ; then
got=$(<"$retfile")
if [ "$got" = "$shouldbe" ]; then
ok "RETURN VALUE" "($shouldbe)"
else
if [ 0 -eq "$dismiss_count" ]; then
nbfailedret=$(( nbfailedret + 1 ))
nbfailedret=$((nbfailedret + 1))
listfailedret="$listfailedret $usecase_name"
fi
fail "RETURN VALUE" "(got $got instead of $shouldbe)"
@ -44,10 +43,9 @@ retvalshouldbe()
# contain looks for a string in audit logfile
# contain [REGEX] <STRING|regexSTRING>
contain()
{
contain() {
local specialoption=''
if [ "$1" != "REGEX" ] ; then
if [ "$1" != "REGEX" ]; then
specialoption='-F'
else
specialoption='-E'
@ -59,8 +57,8 @@ contain()
ok "MUST CONTAIN" "($pattern)"
else
if [ 0 -eq "$dismiss_count" ]; then
nbfailedgrep=$(( nbfailedgrep + 1 ))
listfailedgrep="$listfailedgrep $usecase_name"
nbfailedgrep=$((nbfailedgrep + 1))
listfailedgrep="$listfailedgrep $usecase_name"
fi
fail "MUST CONTAIN" "($pattern)"
fi
@ -95,4 +93,3 @@ run() {
play_consistency_tests
clear_registered_tests
}

27
tests/run_all_targets.sh
View File

@ -30,27 +30,36 @@ eval set -- "$OPTIONS"
# Treating options
while true; do
case "$1" in
--nodel ) nodel=1; shift ;;
--nowait ) nowait=1; shift ;;
-- ) shift; break ;;
* ) break ;;
--nodel)
nodel=1
shift
;;
--nowait)
nowait=1
shift
;;
--)
shift
break
;;
*) break ;;
esac
done
# Execution summary
if [ "$nodel" -eq 1 ]; then
echo -e "\e[34mLog directory: $tmpdir \e[0m"
echo -e "\e[34mLog directory: $tmpdir \e[0m"
fi
if [ "$nowait" -eq 1 ]; then
echo -e "\e[34mRunning in non-interactive mode\e[0m"
echo -e "\e[34mRunning in non-interactive mode\e[0m"
fi
# Actual execution
# Loops over found targets and runs docker_build_and_run_tests
for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Supported" | cut -d ':' -f 2); do
echo "Running $target $*"
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 | \
tee "${tmpdir}"/"${target}" | \
"$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 |
tee "${tmpdir}"/"${target}" |
grep -q "All tests succeeded"
ret=$?
if [[ 0 -eq $ret ]]; then
@ -61,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
fi
done
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
echo -e "and \e[1mq\e[0m to quit"