adding new scripts for debian12

- "users_homedir_is_configured.sh" is a concatenation of different existing scripts: - [users_homedir_exist.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/users_homedir_exist.sh) - [users_homedir_ownership.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/users_homedir_ownership.sh) - [check_user_dir_perm.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/check_user_dir_perm.sh) And so is its test It will be mapped as 7.2.9 for debian 12 - The following scripts are a split from [5.3.1_enable_pwquality.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/enable_pwquality.sh): - enable_libpam_pwquality.sh -> will be mapped as 5.3.2.3 - install_libpam_pwquality.sh -> will be mapped as 5.3.1.3 - password_complexity.sh -> will be mapped as 5.3.3.2.3 - password_min_length.sh -> will be mapped as 5.3.3.2.2 The others are scripts are new. They will be mapped as follow for debian 12 CIS : - apt_gpg_is_configured.sh -> 1.2.1.1 - dev_shm_separate_partition.sh -> 1.2.2.1 - install_iptables.sh -> 4.3.1.1 - install_nftables.sh -> 4.2.1 - password_consecutive_characters.sh -> 5.3.3.2.4 - password_max_sequential_characters.sh -> 5.3.3.2.5
2025-07-15 21:32:17 +02:00 · 2025-06-27 17:25:13 +02:00
parent 51bc5825d6
commit 68f629ed36
23 changed files with 1327 additions and 0 deletions
--- a/tests/hardening/apt_gpg_is_configured.sh
+++ b/tests/hardening/apt_gpg_is_configured.sh
@ -0,0 +1,40 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    local APT_KEY_FILE="/etc/apt/trusted.gpg"
+    local APT_KEY_PATH="/etc/apt/trusted.gpg.d"
+    local unsecure_source="/etc/apt/sources.list.d/unsecure.list"
+    local unsecure_conf_file="/etc/apt/apt.conf.d/unsecure"
+
+    # make sure we don't have any key
+    [ -f "$APT_KEY_FILE" ] && mv "$APT_KEY_FILE" /tmp
+    [ -d "$APT_KEY_PATH" ] && mv "$APT_KEY_PATH" /tmp
+
+    describe Running non compliant missing keys
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # fix the situation
+    [ -d /tmp/trusted.gpg.d ] && mv /tmp/trusted.gpg.d /etc/apt/
+    [ -f /tmp/trusted.gpg ] && mv /tmp/trusted.gpg /etc/apt/
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    echo 'deb [allow-insecure=yes] http://deb.debian.org/debian bookworm main' >"$unsecure_source"
+    describe Running non compliant unsecure option in sources list
+    register_test retvalshouldbe 1
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    rm -f "$unsecure_source"
+
+    echo 'Acquire::AllowInsecureRepositories=true' >"$unsecure_conf_file"
+    describe Running non compliant unsecure option in apt conf
+    register_test retvalshouldbe 1
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    rm -f "$unsecure_conf_file"
+
+}
--- a/tests/hardening/dev_shm_separate_partition.sh
+++ b/tests/hardening/dev_shm_separate_partition.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
--- a/tests/hardening/enable_libpam_pwquality.sh
+++ b/tests/hardening/enable_libpam_pwquality.sh
@ -0,0 +1,21 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    PATTERN_COMMON='pam_pwquality.so'
+    FILE_COMMON='/etc/pam.d/common-password'
+
+    # create issue
+    sed -i '/'$PATTERN_COMMON'/d' "$FILE_COMMON"
+
+    describe Running non compliant
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
--- a/tests/hardening/install_iptables.sh
+++ b/tests/hardening/install_iptables.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
--- a/tests/hardening/install_libpam_pwquality.sh
+++ b/tests/hardening/install_libpam_pwquality.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
--- a/tests/hardening/install_nftables.sh
+++ b/tests/hardening/install_nftables.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
--- a/tests/hardening/password_complexity.sh
+++ b/tests/hardening/password_complexity.sh
@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local OPTIONS="minclass=3 dcredit=-1 ucredit=-2 ocredit=-1 lcredit=-1"
+    local FILE_QUALITY='/etc/security/pwquality.conf'
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/minclass/d' $FILE_QUALITY
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    echo "$OPTIONS" >>"$FILE_QUALITY"
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/password_consecutive_characters.sh
+++ b/tests/hardening/password_consecutive_characters.sh
@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local OPTIONS="maxrepeat=3"
+    local FILE_QUALITY='/etc/security/pwquality.conf'
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/maxrepeat/d' $FILE_QUALITY
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    echo "$OPTIONS" >>"$FILE_QUALITY"
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/password_max_sequential_characters.sh
+++ b/tests/hardening/password_max_sequential_characters.sh
@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local OPTIONS="maxsequence=3"
+    local FILE_QUALITY='/etc/security/pwquality.conf'
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/maxsequence/d' $FILE_QUALITY
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    echo "$OPTIONS" >>"$FILE_QUALITY"
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
--- a/tests/hardening/password_min_length.sh
+++ b/tests/hardening/password_min_length.sh
@ -0,0 +1,27 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    local OPTIONS="minlen=14"
+    local FILE_QUALITY='/etc/security/pwquality.conf'
+
+    # install dependencies
+    apt-get update
+    apt-get install -y libpam-pwquality
+
+    # prepare to fail
+    describe Prepare on purpose failed test
+    sed -i '/minlen/d' $FILE_QUALITY
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    echo "$OPTIONS" >>"$FILE_QUALITY"
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
--- a/tests/hardening/users_homedir_is_configured.sh
+++ b/tests/hardening/users_homedir_is_configured.sh
@ -0,0 +1,88 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    local no_home_test_user="userwithouthome"
+    local owner_test_user="testhomeuser"
+    local perm_test_user="testhomepermuser"
+
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    home_dir_missing "$no_home_test_user"
+    home_dir_ownership "$owner_test_user"
+    home_dir_perm "$perm_test_user"
+
+    fix_home "$no_home_test_user" "$owner_test_user" "$perm_test_user"
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cleanup "$no_home_test_user" "$owner_test_user" "$perm_test_user"
+}
+
+home_dir_missing() {
+    local test_user="$1"
+
+    useradd -d /home/"$test_user" "$test_user"
+    describe Tests purposely failing that a homdedir does not exists
+    register_test retvalshouldbe 1
+    register_test contain "does not exist."
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
+
+home_dir_ownership() {
+    local test_user="$1"
+
+    describe Test purposely failing that a user does not own its home
+    useradd -d /home/"$test_user" -m "$test_user"
+    chown root:root /home/"$test_user"
+    chmod 0750 /home/"$test_user"
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] The home directory (/home/$test_user) of user $test_user is owned by root"
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
+
+home_dir_perm() {
+    local test_user="$1"
+
+    describe Tests purposely failing for wrong permissions on home
+    useradd -d /home/"$test_user" --create-home "$test_user"
+    chmod 777 /home/"$test_user"
+    register_test retvalshouldbe 1
+    register_test contain "Group Write permission set on directory"
+    register_test contain "Other Read permission set on directory"
+    register_test contain "Other Write permission set on directory"
+    register_test contain "Other Execute permission set on directory"
+
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}
+
+fix_home() {
+    local missing_home_test_user="$1"
+    local owner_test_user="$2"
+    local perm_test_user="$3"
+
+    describe correcting situation for missing home
+    install -d -m 0750 -o "$missing_home_test_user" /home/"$missing_home_test_user"
+
+    describe correcting situation for ownership
+    # we don't want to erase default configurations, or others checks could fail
+    # shellcheck disable=2086
+    sed -i '/^HOME_OWNER_EXCEPTIONS/s|HOME_OWNER_EXCEPTIONS=\"|HOME_OWNER_EXCEPTIONS=\"/home/'$owner_test_user':'$owner_test_user':root |' ${CIS_CONF_DIR}/conf.d/${script}.cfg
+
+    describe correcting situation for permissions
+    chmod 0750 /home/"$perm_test_user"
+
+}
+
+cleanup() {
+    local users="$*"
+    for user in $users; do
+        # owner_test_user del will fail as its home is owned by another user
+        userdel -r "$user" || true
+        rm -rf /home/"${user:?}" || true
+    done
+}