feat: add debian12 scripts

- at_is_restricted.sh -> 2.4.2.1 - wireless_interfaces_disabled.sh -> 3.1.2 - bluetooth_is_disabled.sh -> 3.1.3 - sudo_no_nopasswd.sh -> 5.2.4 - aide_is_installed.sh -> 6.1.1
2025-08-04 14:21:15 +02:00 · 2025-07-30 10:09:28 +02:00
parent 57aa0e6ef5
commit 532c40d311
12 changed files with 612 additions and 0 deletions
--- a/tests/hardening/at_is_restricted.sh
+++ b/tests/hardening/at_is_restricted.sh
@@ -0,0 +1,71 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe prepare test
+    rm -f /etc/at.allow
+    apt install -y at
+
+    # at package is going to provide at.deny with default content
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.deny
+    # wrong  perm
+    chmod 0644 /etc/at.deny
+
+    describe Running failed test at.deny
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.deny
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.deny
+    # empty file + at.allow inexistent = all users allowed
+    # shellcheck disable=2188
+    >/etc/at.deny
+
+    describe Running failed test at.deny
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.deny
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare failing test at.allow
+    touch /etc/at.allow
+    # wrong user
+    chown secaudit:root /etc/at.allow
+
+    describe Running failed test at.allow
+    register_test retvalshouldbe 1
+    run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Running success test at.allow
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe cleanup at
+    apt remove -y at
+    apt autoremove -y
+    rm -f /etc/allow
+
+    describe Running success at package missing
+    register_test retvalshouldbe 0
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}