mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
This commit is contained in:
parent
73616af4eb
commit
5313799193
@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
|
|||||||
|
|
||||||
ALLOWED_IPS=""
|
ALLOWED_IPS=""
|
||||||
USERS_TO_CHECK=""
|
USERS_TO_CHECK=""
|
||||||
EXCEPTION_USER=""
|
EXCEPTION_USERS=""
|
||||||
|
|
||||||
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
|
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
|
||||||
|
|
||||||
@ -137,7 +137,10 @@ audit() {
|
|||||||
continue
|
continue
|
||||||
else
|
else
|
||||||
info "User $user has a valid shell ($shell)."
|
info "User $user has a valid shell ($shell)."
|
||||||
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
|
if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
|
||||||
|
info "User $user is named in EXEPTION_USERS and is thus skipped from check."
|
||||||
|
continue
|
||||||
|
elif [ "$user" = "root" ]; then
|
||||||
check_dir /root
|
check_dir /root
|
||||||
continue
|
continue
|
||||||
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
|
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
|
||||||
@ -164,7 +167,7 @@ status=audit
|
|||||||
# Put authorized IPs you want to allow in "from" field of authorized_keys
|
# Put authorized IPs you want to allow in "from" field of authorized_keys
|
||||||
ALLOWED_IPS=""
|
ALLOWED_IPS=""
|
||||||
USERS_TO_CHECK=""
|
USERS_TO_CHECK=""
|
||||||
EXCEPTION_USER=""
|
EXCEPTION_USERS=""
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
test_audit() {
|
test_audit() {
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||||
|
|
||||||
skip_tests
|
skip_tests
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
@ -12,12 +12,29 @@ test_audit() {
|
|||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
dismiss_count_for_test
|
dismiss_count_for_test
|
||||||
|
register_test contain "[INFO] User root has a valid shell"
|
||||||
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
||||||
register_test contain "[INFO] User jeantestuser has a valid shell"
|
register_test contain "[INFO] User jeantestuser has a valid shell"
|
||||||
register_test contain "[INFO] User jeantestuser has no home directory"
|
register_test contain "[INFO] User jeantestuser has no home directory"
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||||
|
|
||||||
|
mkdir -p /root/.ssh
|
||||||
|
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
|
||||||
|
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
|
||||||
|
describe Check /root is used for root user instead of home by placing key without from field
|
||||||
|
register_test retvalshouldbe 1
|
||||||
|
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||||
|
|
||||||
|
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||||
|
useradd -s /bin/bash exceptiontestuser
|
||||||
|
describe Check multiple exception users are skipped
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
|
||||||
|
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||||
|
|
||||||
mkdir -p /home/secaudit/.ssh
|
mkdir -p /home/secaudit/.ssh
|
||||||
touch /home/secaudit/.ssh/authorized_keys2
|
touch /home/secaudit/.ssh/authorized_keys2
|
||||||
describe empty authorized keys file
|
describe empty authorized keys file
|
||||||
@ -74,7 +91,9 @@ test_audit() {
|
|||||||
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||||
|
|
||||||
# Cleanup
|
# Cleanup
|
||||||
|
userdel exceptiontestuser
|
||||||
userdel jeantestuser
|
userdel jeantestuser
|
||||||
userdel -r jeantest2
|
userdel -r jeantest2
|
||||||
rm -f /tmp/key1 /tmp/key1.pub
|
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
|
||||||
|
rm -rf /root/.ssh
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user