Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)

* allow multiple exception users for 99.5.2.4
This commit is contained in:
lgaida 2023-12-27 13:42:10 +01:00 committed by GitHub
parent 73616af4eb
commit 5313799193
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 5 deletions

View File

@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER="" EXCEPTION_USERS=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -137,7 +137,10 @@ audit() {
continue continue
else else
info "User $user has a valid shell ($shell)." info "User $user has a valid shell ($shell)."
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
info "User $user is named in EXEPTION_USERS and is thus skipped from check."
continue
elif [ "$user" = "root" ]; then
check_dir /root check_dir /root
continue continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -164,7 +167,7 @@ status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys # Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER="" EXCEPTION_USERS=""
EOF EOF
} }

View File

@ -2,7 +2,7 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg" echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
skip_tests skip_tests
# shellcheck disable=2154 # shellcheck disable=2154
@ -12,12 +12,29 @@ test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
register_test contain "[INFO] User root has a valid shell"
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file" register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell" register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory" register_test contain "[INFO] User jeantestuser has no home directory"
# shellcheck disable=2154 # shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /root/.ssh
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
describe Check /root is used for root user instead of home by placing key without from field
register_test retvalshouldbe 1
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
useradd -s /bin/bash exceptiontestuser
describe Check multiple exception users are skipped
register_test retvalshouldbe 0
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
# shellcheck disable=2154
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /home/secaudit/.ssh mkdir -p /home/secaudit/.ssh
touch /home/secaudit/.ssh/authorized_keys2 touch /home/secaudit/.ssh/authorized_keys2
describe empty authorized keys file describe empty authorized keys file
@ -74,7 +91,9 @@ test_audit() {
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup # Cleanup
userdel exceptiontestuser
userdel jeantestuser userdel jeantestuser
userdel -r jeantest2 userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
rm -rf /root/.ssh
} }