feat: add debian12 scripts

- at_is_restricted.sh -> 2.4.2.1 - wireless_interfaces_disabled.sh -> 3.1.2 - bluetooth_is_disabled.sh -> 3.1.3 - sudo_no_nopasswd.sh -> 5.2.4 - aide_is_installed.sh -> 6.1.1
2025-08-04 22:31:16 +02:00 · 2025-07-30 10:09:28 +02:00
parent 57aa0e6ef5
commit 532c40d311
12 changed files with 612 additions and 0 deletions
--- a/tests/hardening/aide_is_installed.sh
+++ b/tests/hardening/aide_is_installed.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Fixing situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Clean installation
+    apt remove -y aide
+    apt autoremove -y
+}
--- a/tests/hardening/at_is_restricted.sh
+++ b/tests/hardening/at_is_restricted.sh
@@ -0,0 +1,71 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe prepare test
+    rm -f /etc/at.allow
+    apt install -y at
+
+    # at package is going to provide at.deny with default content
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.deny
+    # wrong  perm
+    chmod 0644 /etc/at.deny
+
+    describe Running failed test at.deny
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.deny
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.deny
+    # empty file + at.allow inexistent = all users allowed
+    # shellcheck disable=2188
+    >/etc/at.deny
+
+    describe Running failed test at.deny
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.deny
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.allow
+    touch /etc/at.allow
+    # wrong user
+    chown secaudit:root /etc/at.allow
+
+    describe Running failed test at.allow
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.allow
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe cleanup at
+    apt remove -y at
+    apt autoremove -y
+    rm -f /etc/allow
+
+    describe Running success at package missing
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
--- a/tests/hardening/bluetooth_is_disabled.sh
+++ b/tests/hardening/bluetooth_is_disabled.sh
@@ -0,0 +1,36 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Prepare on purpose failed test
+    apt install -y bluez
+    # running on a container, will can only test the package installation, not the service management
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare test package dependencies
+    # try to install a package that depends on 'bluez'
+    apt install -y bluez-test-tools
+    # running on a container, we can only test the package installation, not the service management
+
+    describe Running successfull test
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean installation
+    apt remove -y bluez-test-tools bluez
+    apt autoremove -y
+
+}
--- a/tests/hardening/sudo_no_nopasswd.sh
+++ b/tests/hardening/sudo_no_nopasswd.sh
@@ -0,0 +1,9 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    # we are providing a "NOPASSWD" sudoers for cis tests
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
--- a/tests/hardening/wireless_interfaces_disabled.sh
+++ b/tests/hardening/wireless_interfaces_disabled.sh
@@ -0,0 +1,10 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}