mirror of
https://github.com/ovh/debian-cis.git
synced 2025-06-21 18:23:42 +02:00
fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237)
This commit is contained in:
@ -6,4 +6,50 @@ test_audit() {
|
||||
register_test contain "is present in /etc/pam.d/common-password"
|
||||
# shellcheck disable=2154
|
||||
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10
|
||||
sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "is not present"
|
||||
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "is present in /etc/pam.d/common-password"
|
||||
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# DEB_MAJ_VER cannot be overwritten here;
|
||||
# therefore we need to trick get_debian_major_version
|
||||
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
|
||||
echo "sid" >/etc/debian_version
|
||||
|
||||
describe Running on blank host as sid
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "(sha512|yescrypt)"
|
||||
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Tests purposely failing as sid
|
||||
sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10
|
||||
sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "is not present"
|
||||
run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe correcting situation as sid
|
||||
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
|
||||
|
||||
describe Checking resolved state as sid
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "is present in /etc/pam.d/common-password"
|
||||
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# Cleanup
|
||||
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
|
||||
unset ORIGINAL_DEB_VER
|
||||
}
|
||||
|
@ -28,11 +28,43 @@ test_audit() {
|
||||
run wrongconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correcting situation
|
||||
sed -i 's/disabled/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
|
||||
describe Checking resolved state
|
||||
mv /tmp/login.defs.bak /etc/login.defs
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "is present in /etc/login.defs"
|
||||
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# DEB_MAJ_VER cannot be overwritten here;
|
||||
# therefore we need to trick get_debian_major_version
|
||||
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
|
||||
echo "sid" >/etc/debian_version
|
||||
|
||||
describe Running on blank host as sid
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "(SHA512|yescrypt|YESCRYPT)"
|
||||
# shellcheck disable=2154
|
||||
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
cp /etc/login.defs /tmp/login.defs.bak
|
||||
sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
|
||||
|
||||
describe Fail: wrong hash function configuration as sid
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "(SHA512|yescrypt|YESCRYPT)"
|
||||
run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correcting situation as sid
|
||||
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
|
||||
describe Checking resolved state as sid
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "(SHA512|yescrypt|YESCRYPT)"
|
||||
run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# Cleanup
|
||||
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
|
||||
unset ORIGINAL_DEB_VER
|
||||
}
|
||||
|
Reference in New Issue
Block a user