elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-23 11:04:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shfmt): add shell formatter

Browse Source
This commit is contained in:
Thibault Ayanides
2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
tests/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -4,13 +4,13 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #

10
tests/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

10
tests/hardening/1.1.1.3_disable_hfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

10
tests/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

11
tests/hardening/1.1.1.5_disable_udf.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}

10
tests/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################

11
tests/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
##################################################################
@ -18,4 +18,3 @@ test_audit() {
# long to test and not very useful. #
##################################################################
}

12
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -1,11 +1,11 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
@ -18,7 +18,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

10
tests/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -4,11 +4,11 @@ test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
fi

2
tests/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -11,7 +11,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

1
tests/hardening/2.2.1.1_use_time_sync.sh
View File

@ -18,4 +18,3 @@ test_audit() {
register_test contain "Time synchronization is available through"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -12,7 +12,7 @@ test_audit() {
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
# to avoid error during auditd installation in 4.1.1.2, only necessary during tests
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state

2
tests/hardening/4.1.11_record_failed_access_file.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
@ -21,4 +20,3 @@ test_audit() {
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/4.1.12_record_privileged_commands.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true

4
tests/hardening/4.1.15_record_sudoers_edit.sh
View File

@ -7,13 +7,13 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/4.1.5_record_user_group_edit.sh
View File

@ -14,7 +14,7 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"

1
tests/hardening/4.1.8_record_login_logout.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true

10
tests/hardening/4.2.2.4_syslog-ng_remote_host.sh
View File

@ -9,16 +9,15 @@ test_audit() {
cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/syslog-ng.conf
grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf
describe Checking one line conf
register_test retvalshouldbe 0
run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
cat >> /etc/syslog-ng/syslog-ng.conf <<EOF
cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
destination mySyslog {
tcp ("syslog.example.tld"),
port(1234),
@ -31,16 +30,13 @@ EOF
mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
#echo "#Sample conf" >/etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination
cat /etc/syslog-ng/conf.d/1_tcp_destination
describe Checking file in subdirectory
register_test retvalshouldbe 0
run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
rm /etc/syslog-ng/conf.d/1_tcp_destination

4
tests/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.1.7_cron_d_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

6
tests/hardening/5.1.8_cron_users.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
touch /etc/cron.allow /etc/at.allow
@ -32,7 +32,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -46,7 +46,7 @@ test_audit() {
userdel "$test_user"
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

1
tests/hardening/5.2.14_ssh_cry_mac.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/5.2.15_ssh_cry_kex.sh
View File

@ -27,4 +27,3 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

4
tests/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
View File

@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -30,7 +30,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/5.2.4_sshd_protocol.sh
View File

@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

4
tests/hardening/5.2.5_sshd_loglevel.sh
View File

@ -6,7 +6,7 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -19,7 +19,7 @@ test_audit() {
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "OPTIONS='LogLevel=DEBUG'" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/LogLevel VERBOSE/LogLevel DEBUG/' /etc/ssh/sshd_config
describe Checking custom conf

2
tests/hardening/5.2.7_sshd_maxauthtries.sh
View File

@ -6,7 +6,7 @@ test_audit() {
register_test contain "openssh-server is installed"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed

2
tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
View File

@ -19,4 +19,4 @@ test_audit() {
register_test retvalshouldbe 0
register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
}

1
tests/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -7,4 +7,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/5.4.2_disable_system_accounts.sh
View File

@ -9,7 +9,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

2
tests/hardening/5.4.4_default_umask.sh
View File

@ -8,7 +8,7 @@ test_audit() {
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

7
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -1,7 +1,7 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
#run this test only if we're not in docker
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
@ -21,13 +21,12 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
fi
}

1
tests/hardening/6.1.11_find_unowned_files.sh
View File

@ -24,4 +24,3 @@ test_audit() {
register_test contain "No unowned files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
@ -24,4 +24,3 @@ test_audit() {
register_test contain "No ungrouped files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.13_find_suid_files.sh
View File

@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -29,4 +29,3 @@ test_audit() {
register_test contain "No unknown suid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/6.1.14_find_sgid_files.sh
View File

@ -5,7 +5,7 @@ test_audit() {
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -30,4 +30,3 @@ test_audit() {
register_test contain "No unknown sgid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

4
tests/hardening/6.1.5_etc_passwd_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.1.6_etc_shadow_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.1.7_etc_group_permissions.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Tests purposely failing
@ -28,7 +28,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testdotuser"
local test_file=".test"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -20,7 +20,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.11_find_user_forward_files.sh
View File

@ -6,11 +6,11 @@ test_audit() {
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
local test_user="testforwarduser"
local test_file=".forward"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1

2
tests/hardening/6.2.12_find_user_netrc_files.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1

4
tests/hardening/6.2.13_set_perm_on_user_netrc.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testnetrcuser"
local test_file=".netrc"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
chmod 777 "/home/$test_user/$test_file"
@ -19,7 +19,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.14_find_user_rhosts_files.sh
View File

@ -10,7 +10,7 @@ test_audit() {
local test_user="testrhostsuser"
local test_file=".rhosts"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
touch "/home/$test_user/$test_file"
register_test retvalshouldbe 1
@ -19,4 +19,4 @@ test_audit() {
# cleanup
userdel -r "$test_user"
}
}

4
tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
View File

@ -10,8 +10,8 @@ test_audit() {
local test_user="testpasswdgroupuser"
local dir="/etc/passwd"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >> "$dir"
describe Tests purposely failing
echo "$test_user:x:1100:1100::/home/$test_user:" >>"$dir"
register_test retvalshouldbe 1
register_test contain "is referenced by /etc/passwd but does not exist in /etc/group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

3
tests/hardening/6.2.16_check_duplicate_uid.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -28,4 +28,3 @@ test_audit() {
userdel usertest1
userdel usertest2
}

1
tests/hardening/6.2.17_check_duplicate_gid.sh
View File

@ -7,7 +7,6 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
groupadd -f -g 120 grouptest
groupadd -fo -g 120 grouptest2

4
tests/hardening/6.2.18_check_duplicate_username.sh
View File

@ -10,10 +10,10 @@ test_audit() {
local test_user="testduplicateuser"
local dir="/etc/passwd"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate username"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

4
tests/hardening/6.2.19_check_duplicate_groupname.sh
View File

@ -10,10 +10,10 @@ test_audit() {
local test_group="testduplicategroup"
local dir="/etc/group"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_group"
temp=$(tail -1 "$dir")
echo "$temp" >> "$dir"
echo "$temp" >>"$dir"
register_test retvalshouldbe 1
register_test contain "Duplicate group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

2
tests/hardening/6.2.1_remove_empty_password_field.sh
View File

@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

6
tests/hardening/6.2.20_shadow_group_empty.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testshadowuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
usermod -aG shadow "$test_user"
register_test retvalshouldbe 1
@ -17,11 +17,11 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
describe Tests purposely failing
describe Tests purposely failing
useradd --no-user-group -g shadow "$test_user"
register_test retvalshouldbe 1
register_test contain "Some users have shadow id as their primary group"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
userdel "$test_user"
}

4
tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcpasswduser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcshadowusr"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

4
tests/hardening/6.2.4_remove_legacy_group_entries.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testetcgroupuser"
describe Tests purposely failing
describe Tests purposely failing
useradd "$test_user"
sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
register_test retvalshouldbe 1
@ -17,7 +17,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

3
tests/hardening/6.2.5_find_0_uid_non_root_account.sh
View File

@ -16,7 +16,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding exceptions
register_test retvalshouldbe 0
@ -26,4 +26,3 @@ test_audit() {
# Cleanup
userdel -f usertest1
}

2
tests/hardening/6.2.6_sanitize_root_path.sh
View File

@ -26,7 +26,7 @@ test_audit() {
run noncompliant path="$PATH:." /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
mkdir -m 770 "$dir"
mkdir -m 770 "$dir"
register_test retvalshouldbe 1
register_test contain "Group Write permission set on directory $dir"
run noncompliant path="$PATH:$dir" /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

2
tests/hardening/6.2.7_users_valid_homedir.sh
View File

@ -16,4 +16,4 @@ test_audit() {
# cleanup
userdel "$test_user"
}
}

4
tests/hardening/6.2.8_check_user_dir_perm.sh
View File

@ -9,7 +9,7 @@ test_audit() {
local test_user="testhomepermuser"
describe Tests purposely failing
describe Tests purposely failing
useradd --create-home "$test_user"
chmod 777 /home/"$test_user"
register_test retvalshouldbe 1
@ -21,7 +21,7 @@ test_audit() {
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state

7
tests/hardening/6.2.9_users_valid_homedir.sh
View File

@ -4,7 +4,7 @@ test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -19,11 +19,10 @@ test_audit() {
chown root:root /home/"$test_user"
register_test retvalshouldbe 1
register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Checking resolved state
register_test retvalshouldbe 0

4
tests/hardening/99.1_timeout_tty.sh
View File

@ -7,7 +7,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "TMOUT=600" > /etc/profile.d/CIS_99.1_timeout.sh
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
describe compliant
register_test retvalshouldbe 0
@ -16,5 +16,5 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/profile.d/CIS_99.1_timeout.sh
rm /etc/profile.d/CIS_99.1_timeout.sh
}

4
tests/hardening/99.2_disable_usb_devices.sh
View File

@ -13,7 +13,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' >/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
describe compliant
register_test retvalshouldbe 0
@ -22,6 +22,6 @@ test_audit() {
# TODO fill comprehensive tests
# Cleanup
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
fi
}

3
tests/hardening/99.3.1_acc_shadow_sha512.sh
View File

@ -22,7 +22,7 @@ test_audit() {
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/shadow.bak /etc/shadow
chpasswd << EOF
chpasswd <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password
@ -30,4 +30,3 @@ EOF
register_test contain "User secaudit has suitable SHA512 hashed password"
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

8
tests/hardening/99.3.2_acc_sudoers_no_all.sh
View File

@ -4,7 +4,7 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
@ -15,15 +15,14 @@ test_audit() {
# Proceed to operation that will end up to a non compliant system
useradd -s /bin/bash jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >> /etc/sudoers.d/jeantestuser
echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >>/etc/sudoers.d/jeantestuser
describe Fail: Not compliant system
register_test retvalshouldbe 1
register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding jeantestuser to exceptions
register_test retvalshouldbe 0
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
@ -32,4 +31,3 @@ test_audit() {
rm -f /etc/sudoers.d/jeantestuser
userdel jeantestuser
}

1
tests/hardening/99.3.4_acc_logindefs_sha512.sh
View File

@ -36,4 +36,3 @@ test_audit() {
register_test retvalshouldbe 0
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.1_ssh_auth_pubk_only.sh
View File

@ -27,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.2.3_ssh_cry_rekey.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.3_ssh_disable_features.sh
View File

@ -26,4 +26,3 @@ test_audit() {
register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

38
tests/hardening/99.5.4_ssh_keys_from.sh
View File

@ -1,8 +1,8 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
skip_tests
# shellcheck disable=2154
@ -25,58 +25,56 @@ test_audit() {
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
ssh-keygen -N "" -t ed25519 -f /tmp/key1
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
describe Key without from field
register_test retvalshouldbe 1
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
{
echo -n 'from="127.0.0.1" ';
cat /tmp/key1.pub;
} > /home/secaudit/.ssh/authorized_keys2
echo -n 'from="127.0.0.1" '
cat /tmp/key1.pub
} >/home/secaudit/.ssh/authorized_keys2
describe Key with from, no ip check
register_test retvalshouldbe 0
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from, filled allowed IPs, one bad ip
register_test retvalshouldbe 1
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Key with from, filled allowed IPs, all IPs allowed
register_test retvalshouldbe 0
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
{
echo -n 'from="10.0.1.2",command="echo bla" ';
cat /tmp/key1.pub;
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
cat /tmp/key1.pub;
} >> /home/secaudit/.ssh/authorized_keys2
echo -n 'from="10.0.1.2",command="echo bla" '
cat /tmp/key1.pub
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from and command options
register_test retvalshouldbe 0
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
useradd -s /bin/bash -m jeantest2
# shellcheck disable=2016
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
describe Check only specified user
register_test retvalshouldbe 0
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
userdel jeantestuser
userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub
}

1
tests/hardening/99.5.5_ssh_strict_modes.sh
View File

@ -21,4 +21,3 @@ test_audit() {
register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

2
tests/hardening/99.5.6_ssh_sys_accept_env.sh
View File

@ -14,7 +14,6 @@ test_audit() {
register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Correcting situation
# `apply` performs a service reload after each change in the config file
# the service needs to be started for the reload to succeed
@ -28,4 +27,3 @@ test_audit() {
register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.7_ssh_sys_no_legacy.sh
View File

@ -6,4 +6,3 @@ test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

3
tests/hardening/99.5.8_ssh_sys_sandbox.sh
View File

@ -1,6 +1,6 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
test_audit() {
describe Running on blank host
register_test retvalshouldbe 1
register_test contain "openssh-server is installed"
@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

1
tests/hardening/99.5.9_ssh_loglevel.sh
View File

@ -20,4 +20,3 @@ test_audit() {
register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}