From 5313799193561f6067b91468c8f4268fcbb71453 Mon Sep 17 00:00:00 2001
From: lgaida <9195031+lgaida@users.noreply.github.com>
Date: Wed, 27 Dec 2023 13:42:10 +0100
Subject: [PATCH] Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
---
 bin/hardening/99.5.2.4_ssh_keys_from.sh | 9 ++++++---
 tests/hardening/99.5.2.4_ssh_keys_from.sh | 23 +++++++++++++++++++++--
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/bin/hardening/99.5.2.4_ssh_keys_from.sh b/bin/hardening/99.5.2.4_ssh_keys_from.sh
index 073963f..5699122 100755
--- a/bin/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh
@@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
 ALLOWED_IPS=""
 USERS_TO_CHECK=""
-EXCEPTION_USER=""
+EXCEPTION_USERS=""
 ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@@ -137,7 +137,10 @@ audit() {
 continue
 else
 info "User $user has a valid shell ($shell)."
- if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+ if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
+ info "User $user is named in EXEPTION_USERS and is thus skipped from check."
+ continue
+ elif [ "$user" = "root" ]; then
 check_dir /root
 continue
 elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@@ -164,7 +167,7 @@ status=audit
 # Put authorized IPs you want to allow in "from" field of authorized_keys
 ALLOWED_IPS=""
 USERS_TO_CHECK=""
-EXCEPTION_USER=""
+EXCEPTION_USERS=""
 EOF
 }
diff --git a/tests/hardening/99.5.2.4_ssh_keys_from.sh b/tests/hardening/99.5.2.4_ssh_keys_from.sh
index 4da2290..a675d64 100644
--- a/tests/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.2.4_ssh_keys_from.sh
@@ -2,7 +2,7 @@
 # run-shellcheck
 test_audit() {
 # shellcheck disable=2154
- echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 skip_tests
 # shellcheck disable=2154
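Review bot: The new exception test on the `if` line uses `grep -qw "$user"`, which treats the user name as a regular expression and matches on word boundaries, so a user `doe` is skipped when EXCEPTION_USERS contains `john-doe` (`-` is a non-word character for `-w`) and a name containing `.` or `+` is interpreted as a pattern rather than compared literally; a fixed-string, whole-token match avoids both: `if tr ' ' '\n' <<<"$EXCEPTION_USERS" | grep -qxF -- "$user"; then`. The info message on the next line misspells the variable as `EXEPTION_USERS`, and the test file asserts that spelling, so correcting it means updating both files together. Renaming EXCEPTION_USER to EXCEPTION_USERS also means an existing conf.d file that still sets the old name is silently ignored; if that is not intended, a fallback such as `EXCEPTION_USERS="${EXCEPTION_USERS:-${EXCEPTION_USER:-}}"` before the user loop would keep those configs honoured, though where the config is sourced is not visible in this hunk. audit() begins and ends outside the hunk.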
@@ -12,12 +12,29 @@ test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
 dismiss_count_for_test
+ register_test contain "[INFO] User root has a valid shell"
 register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
 register_test contain "[INFO] User jeantestuser has a valid shell"
 register_test contain "[INFO] User jeantestuser has no home directory"
 # shellcheck disable=2154
 run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+ mkdir -p /root/.ssh
+ ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
+ cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
+ describe Check /root is used for root user instead of home by placing key without from field
+ register_test retvalshouldbe 1
+ run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ useradd -s /bin/bash exceptiontestuser
+ describe Check multiple exception users are skipped
+ register_test retvalshouldbe 0
+ register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
+ register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
+ # shellcheck disable=2154
+ run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+
 mkdir -p /home/secaudit/.ssh
 touch /home/secaudit/.ssh/authorized_keys2
 describe empty authorized keys file
@@ -74,7 +91,9 @@ test_audit() {
 run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 # Cleanup
+ userdel exceptiontestuser
 userdel jeantestuser
 userdel -r jeantest2
- rm -f /tmp/key1 /tmp/key1.pub
+ rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
+ rm -rf /root/.ssh
 }
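Review bot: The "multiple exception users" block only asserts that the two listed users are skipped; it has no negative case showing that a user absent from EXCEPTION_USERS is still audited in the same run, which is the property a broad or accidental match would break. Since jeantestuser is already asserted on in the earlier blank-host run and appears to still exist here, adding `register_test contain "[INFO] User jeantestuser has a valid shell"` to the exceptionusers run would cover it. Both new `register_test contain` lines pin the misspelling `EXEPTION_USERS` from the script's info message, so any fix of that message must be mirrored here. test_audit() continues past the hunk.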
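Review bot: The cleanup `rm -f` line removes `/tmp/rootkey1.pub` but not the private key `/tmp/rootkey1` generated earlier in test_audit, unlike the existing `/tmp/key1 /tmp/key1.pub` pair; on a rerun `ssh-keygen -f /tmp/rootkey1` then stops at its overwrite prompt and, with no tty, the key step fails. `rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1 /tmp/rootkey1.pub`. The new `rm -rf /root/.ssh` discards whatever root keys existed before the test, which is presumably fine in the throwaway test environment but deserves a comment such as `# test environment only: wipes root's ssh dir` so nobody runs this file on a real host.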