Add dealing with debian 11
* ADD: add dockerfile for debian11 * FIX: fix crontab file not found on debian11 blank * Add workflow for debian11 * FIX: fix debian version func to manage debian11 * Add dealing with unsupported version and distro * Add 99.99 check that check if distro version is supported * Use global var for debian major and distro fix #26
This commit is contained in:
parent
449c695415
commit
6ae05f3fa2
7
.github/workflows/functionnal-tests.yml
vendored
7
.github/workflows/functionnal-tests.yml
vendored
@ -18,3 +18,10 @@ jobs:
|
||||
uses: actions/checkout@v2
|
||||
- name: Run the tests debian10
|
||||
run: ./tests/docker_build_and_run_tests.sh debian10
|
||||
functionnal-tests-docker-debian11:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@v2
|
||||
- name: Run the tests debian11
|
||||
run: ./tests/docker_build_and_run_tests.sh debian11
|
||||
|
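Review bot: The new `functionnal-tests-docker-debian11` job references `actions/checkout@v2` by a mutable tag, copying the debian10 job above it. Since this workflow checks out and then executes the repository's own scripts inside a container, pinning the action to a full commit SHA (keeping the tag in a trailing comment for readability) removes the possibility of the tag being moved to different code without any change in this repository. The job itself is otherwise a faithful copy of the debian10 one.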
@ -124,6 +124,11 @@ will create a timestamped backup in this directory.
|
||||
captures all output to print only one line once the check is done, formatted like :
|
||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||
|
||||
`--allow-unsupported-distribution`
|
||||
Must be specified manually in the command line to allow the run on non compatible
|
||||
version or distribution. If you want to mute the warning change the LOGLEVEL
|
||||
in /etc/hardening.cfg
|
||||
|
||||
|
||||
# AUTHORS
|
||||
|
||||
|
@ -44,7 +44,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
|
||||
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
|
||||
$ cp debian/default /etc/default/cis-hardening
|
||||
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
$ bin/hardening/1.1_install_updates.sh --audit-all
|
||||
$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
|
||||
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
|
||||
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
|
||||
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
|
||||
@ -123,6 +123,10 @@ Default value is : info
|
||||
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
|
||||
before running the audit with user secaudit, to have the rights setup well on the conf files.
|
||||
|
||||
``--allow-unsupported-distribution``: must be specified manually in the command line to allow
|
||||
the run on non compatible version or distribution. If you want to mute the warning change the
|
||||
LOGLEVEL in /etc/hardening.cfg
|
||||
|
||||
## :computer: Hacking
|
||||
|
||||
**Getting the source**
|
||||
|
@ -27,6 +27,7 @@ SET_HARDENING_LEVEL=0
|
||||
SUDO_MODE=''
|
||||
BATCH_MODE=''
|
||||
ASK_LOGLEVEL=''
|
||||
ALLOW_UNSUPPORTED_DISTRIBUTION=0
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
@ -107,6 +108,11 @@ OPTIONS:
|
||||
While performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||
captures all output to print only one line once the check is done, formatted like :
|
||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||
|
||||
--allow-unsupported-distribution
|
||||
Must be specified manually in the command line to allow the run on non compatible
|
||||
version or distribution. If you want to mute the warning change the LOGLEVEL
|
||||
in /etc/hardening.cfg
|
||||
|
||||
EOF
|
||||
exit 0
|
||||
@ -163,6 +169,9 @@ while [[ $# -gt 0 ]]; do
|
||||
BATCH_MODE='--batch'
|
||||
ASK_LOGLEVEL=ok
|
||||
;;
|
||||
--allow-unsupported-distribution)
|
||||
ALLOW_UNSUPPORTED_DISTRIBUTION=1
|
||||
;;
|
||||
-h | --help)
|
||||
usage
|
||||
;;
|
||||
@ -188,8 +197,7 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
# shellcheck source=../lib/constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
|
||||
# shellcheck source=../etc/hardening.cfg
|
||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
|
||||
@ -197,6 +205,45 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
|
||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||
# shellcheck source=../lib/utils.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||
# shellcheck source=../lib/constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
|
||||
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
|
||||
# print warning, otherwise quit
|
||||
|
||||
if [ "$DISTRIBUTION" != "debian" ]; then
|
||||
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
|
||||
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||
echo "Exiting now"
|
||||
exit 100
|
||||
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
|
||||
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||
fi
|
||||
else
|
||||
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
|
||||
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||
echo "Exiting now"
|
||||
exit 100
|
||||
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
|
||||
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||
fi
|
||||
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||
echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
|
||||
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
|
||||
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
|
||||
echo "Exiting now"
|
||||
exit 100
|
||||
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
|
||||
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
|
||||
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
||||
|
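Review bot: The three `elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]` branches can never be taken, because each sits behind an `if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]` that already exits, so the "false feedback of security" warning is never shown to the users it is written for, those who passed `--allow-unsupported-distribution`; the intended test is presumably `elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 1 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then` (or just `elif [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then`) in all three places. Separately, if get_debian_major_version left `DEB_MAJ_VER` empty or non-numeric (no /etc/debian_version and no usable lsb_release), both the `-gt` and the `-lt` tests fail with "integer expression expected" and execution falls through as though the version were supported; a guard such as `if [ "$DEB_MAJ_VER" = "sid" ] || ! [[ "$DEB_MAJ_VER" =~ ^[0-9]+$ ]] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then` routes that case into the unsupported path instead. Where `MACHINE_LOG_LEVEL` is set is not visible in this hunk (presumably lib/common.sh), so a one-line comment naming its source next to the first use would help.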
@ -24,6 +24,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
|
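Review bot: After `crit "$FILE does not exist"` the function continues into `has_file_correct_ownership "$FILE" "$USER" "$GROUP"` on the path it just reported missing, so a single root cause is likely to be reported twice (once here and once by whatever the ownership helper emits for a non-existent path, which is not visible in this hunk). A `return` immediately after the crit keeps the audit output to one finding per cause, `crit "$FILE does not exist"` followed by `return`, as the sshd audit() later in this commit does after its own crit. The same pattern appears in the four identical hunks that follow this one, and audit() continues past the end of each hunk.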
@ -24,6 +24,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
|
@ -24,6 +24,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
|
@ -24,6 +24,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
|
@ -24,6 +24,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
|
@ -73,15 +73,12 @@ apply() {
|
||||
}
|
||||
|
||||
create_config() {
|
||||
get_debian_major_version
|
||||
set +u
|
||||
debug "Debian version : $DEB_MAJ_VER "
|
||||
if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
|
||||
if [[ 7 -le "$DEB_MAJ_VER" ]]; then
|
||||
KEX='diffie-hellman-group-exchange-sha256'
|
||||
elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
|
||||
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
||||
else
|
||||
KEX='diffie-hellman-group-exchange-sha256'
|
||||
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
||||
fi
|
||||
set -u
|
||||
cat <<EOF
|
||||
@ -89,6 +86,7 @@ status=audit
|
||||
# Put your KexAlgorithms
|
||||
OPTIONS="KexAlgorithms=$KEX"
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
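Review bot: `[[ 7 -eq "$DEB_MAJ_VER" ]]` evaluates its right-hand side arithmetically, so a non-numeric value such as `sid` (which get_debian_major_version now produces) is read as an unset shell variable; the surrounding `set +u` / `set -u` pair is what keeps that from aborting, but nothing in create_config says so. Either make the codename case explicit, `if [[ "$DEB_MAJ_VER" != "sid" ]] && { [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; }; then`, as the sshd audit() hunk in this commit does with its `!= "sid"` test, or leave a comment on the `set +u` line: `# set +u: a codename such as "sid" is evaluated as an (unset) arithmetic variable by -eq`. Which of the `if`/`elif` lines survive on the new side is not recoverable from the rendered hunk, so apply this to whichever comparison remains.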
@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
get_debian_major_version
|
||||
set +u
|
||||
debug "Debian version : $DEB_MAJ_VER "
|
||||
if [[ -z $DEB_MAJ_VER ]]; then
|
||||
if [[ -z "$DEB_MAJ_VER" ]]; then
|
||||
set -u
|
||||
crit "Cannot get Debian version. Aborting..."
|
||||
return
|
||||
fi
|
||||
if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
|
||||
if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
|
||||
set -u
|
||||
warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
|
||||
return
|
||||
|
65
bin/hardening/99.99_check_distribution.sh
Executable file
65
bin/hardening/99.99_check_distribution.sh
Executable file
@ -0,0 +1,65 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# OVH Security audit
|
||||
#
|
||||
|
||||
#
|
||||
# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=1
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Check the distribution and the distribution version"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
if [ "$DISTRIBUTION" != "debian" ]; then
|
||||
crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
|
||||
else
|
||||
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||
crit "Your distribution is too recent and is not yet supported."
|
||||
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
|
||||
crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
|
||||
else
|
||||
ok "Your distribution is debian and the version is supported"
|
||||
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
|
||||
echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
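Review bot: The audit() fails open when the Debian major version cannot be determined: with `DEB_MAJ_VER` empty or non-numeric, `[ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]` and the `-lt` test both error out with "integer expression expected" (an `if` condition does not trip `set -e`), so the `else` branch reports "version is supported" for a host whose version was never identified. A check whose purpose is to assert that the platform is supported should treat "unknown" as a failure, which the rewrite below does by testing the value's shape before the numeric comparisons. The header comment at the top of the file, "version is 9 or 10", also hard-codes what `SMALLEST_SUPPORTED_DEBIAN_VERSION`/`HIGHEST_SUPPORTED_DEBIAN_VERSION` express; `# 99.99 Ensure that the distribution is debian and that the version is within the supported range defined in lib/constants.sh` would not drift when those constants change.
```shell
audit() {
    if [ "$DISTRIBUTION" != "debian" ]; then
        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
    elif [ "$DEB_MAJ_VER" = "sid" ]; then
        crit "Your distribution is too recent and is not yet supported."
    elif ! [[ "$DEB_MAJ_VER" =~ ^[0-9]+$ ]]; then
        # empty or non-numeric: the version could not be determined, so it cannot be vouched for
        crit "Cannot determine the Debian major version (got '$DEB_MAJ_VER'), unable to confirm it is supported"
    elif [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
        crit "Your distribution is too recent and is not yet supported."
    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
        crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
    else
        ok "Your distribution is debian and the version is supported"
    fi
}
```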
6
debian/cis-hardening.8
vendored
6
debian/cis-hardening.8
vendored
@ -136,6 +136,12 @@ Default value is : info
|
||||
While performing system audit, this option sets LOGLEVEL to `ok' and
|
||||
captures all output to print only one line once the check is done,
|
||||
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
|
||||
.PP
|
||||
\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
|
||||
the command line to allow the run on non compatible version or
|
||||
distribution.
|
||||
If you want to mute the warning change the LOGLEVEL in
|
||||
/etc/hardening.cfg
|
||||
.SH AUTHORS
|
||||
.IP \[bu] 2
|
||||
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
|
||||
|
@ -113,31 +113,6 @@ sudo_wrapper() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# detect if container based on cgroup detection
|
||||
#
|
||||
is_running_in_container() {
|
||||
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
|
||||
}
|
||||
|
||||
CONTAINER_TYPE=""
|
||||
IS_CONTAINER=0
|
||||
|
||||
if [ "$(is_running_in_container "docker")" != "" ]; then
|
||||
CONTAINER_TYPE="docker"
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
if [ "$(is_running_in_container "lxc")" != "" ]; then
|
||||
CONTAINER_TYPE="lxc"
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
if [ "$(is_running_in_container "kubepods")" != "" ]; then
|
||||
# shellcheck disable=SC2034
|
||||
CONTAINER_TYPE="kubepods"
|
||||
# shellcheck disable=SC2034
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
|
||||
#
|
||||
# Math functions
|
||||
#
|
||||
|
@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
|
||||
BYELLOW='\033[1;33m' # Yellow
|
||||
# shellcheck disable=2034
|
||||
BWHITE='\033[1;37m' # White
|
||||
|
||||
# Debian version variables
|
||||
|
||||
CONTAINER_TYPE=""
|
||||
IS_CONTAINER=0
|
||||
|
||||
if [ "$(is_running_in_container "docker")" != "" ]; then
|
||||
CONTAINER_TYPE="docker"
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
if [ "$(is_running_in_container "lxc")" != "" ]; then
|
||||
CONTAINER_TYPE="lxc"
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
if [ "$(is_running_in_container "kubepods")" != "" ]; then
|
||||
# shellcheck disable=SC2034
|
||||
CONTAINER_TYPE="kubepods"
|
||||
# shellcheck disable=SC2034
|
||||
IS_CONTAINER=1
|
||||
fi
|
||||
|
||||
get_distribution
|
||||
|
||||
get_debian_major_version
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
SMALLEST_SUPPORTED_DEBIAN_VERSION=9
|
||||
# shellcheck disable=SC2034
|
||||
HIGHEST_SUPPORTED_DEBIAN_VERSION=10
|
||||
|
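Review bot: constants.sh now calls `is_running_in_container`, `get_distribution` and `get_debian_major_version` at source time, which makes it depend on lib/utils.sh (and, through `debug`, on lib/common.sh) having been sourced first; that is why this commit moves the `constants.sh` line after `utils.sh` in lib/main.sh and bin/hardening.sh, but nothing in any of the three files records the ordering constraint. A header comment here, `# NOTE: must be sourced after lib/utils.sh and lib/common.sh - the calls below need is_running_in_container, get_distribution and get_debian_major_version`, plus `# must stay after utils.sh: constants.sh calls utils functions at source time` on the two source lines, would stop a later reorder from silently leaving DISTRIBUTION and DEB_MAJ_VER empty. The `# Debian version variables` comment also sits above the container-detection block it has nothing to do with; it belongs just above `get_distribution`, with a `# Container detection` line where it currently is.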
@ -10,14 +10,15 @@ BATCH_OUTPUT=""
|
||||
status=""
|
||||
forcedstatus=""
|
||||
SUDO_CMD=""
|
||||
# shellcheck source=constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
|
||||
# shellcheck source=../etc/hardening.cfg
|
||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||
# shellcheck source=../lib/common.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||
# shellcheck source=../lib/utils.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||
# shellcheck source=constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
|
||||
# Environment Sanitizing
|
||||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||||
|
26
lib/utils.sh
26
lib/utils.sh
@ -538,9 +538,33 @@ get_debian_major_version() {
|
||||
DEB_MAJ_VER=""
|
||||
does_file_exist /etc/debian_version
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
||||
if grep -q "sid" /etc/debian_version; then
|
||||
DEB_MAJ_VER="sid"
|
||||
else
|
||||
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
||||
fi
|
||||
else
|
||||
# shellcheck disable=2034
|
||||
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
||||
fi
|
||||
}
|
||||
|
||||
# Returns the distribution
|
||||
|
||||
get_distribution() {
|
||||
DISTRIBUTION=""
|
||||
if [ -f /etc/os-release ]; then
|
||||
# shellcheck disable=2034
|
||||
DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
|
||||
FNRET=0
|
||||
else
|
||||
debug "Distribution not found !"
|
||||
FNRET=127
|
||||
fi
|
||||
}
|
||||
|
||||
# Detect if container based on cgroup detection
|
||||
|
||||
is_running_in_container() {
|
||||
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
|
||||
}
|
||||
|
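Review bot: `get_distribution` takes the `ID=` value from /etc/os-release verbatim, and the os-release format allows the value to be double-quoted, so a file with `ID="debian"` would yield `"debian"` including the quotes and the `!= "debian"` comparisons added elsewhere in this commit would classify the host as unsupported; Debian's own file does not quote ID, so this is a derivative/robustness concern rather than a bug on a stock install. `DISTRIBUTION=$(sed -n 's/^ID=//p' /etc/os-release | tr -d '"' | tr '[:upper:]' '[:lower:]')` handles both forms in one pipeline. In `get_debian_major_version`, the `lsb_release` fallback produces a "command not found" on stderr and an empty `DEB_MAJ_VER` when the tool is absent; guarding it with `command -v lsb_release >/dev/null` and leaving a `debug` message when neither source is available would make the empty value explicit to callers rather than silent.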
21
tests/docker/Dockerfile.debian11
Normal file
21
tests/docker/Dockerfile.debian11
Normal file
@ -0,0 +1,21 @@
|
||||
FROM debian:bullseye
|
||||
|
||||
LABEL vendor="OVH"
|
||||
LABEL project="debian-cis"
|
||||
LABEL url="https://github.com/ovh/debian-cis"
|
||||
LABEL description="This image is used to run tests"
|
||||
|
||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
||||
|
||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
|
||||
|
||||
COPY --chown=500:500 . /opt/debian-cis/
|
||||
|
||||
COPY debian/default /etc/default/cis-hardening
|
||||
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
|
||||
|
||||
COPY cisharden.sudoers /etc/sudoers.d/secaudit
|
||||
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
|
||||
|
||||
|
||||
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
|
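Review bot: The `apt-get install` layer leaves the package lists in the image and pulls in recommended packages; the usual form for a test image is `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server sudo syslog-ng net-tools auditd cron && rm -rf /var/lib/apt/lists/*`, which keeps the image smaller and the set of installed packages explicit, so that audit results in CI reflect only what the test deliberately installed. `FROM debian:bullseye` is a moving tag; if reproducible CI runs matter, pinning by digest (or at least a dated tag) avoids test behaviour changing under a rebuild. This appears to be a straight copy of the debian10 Dockerfile, so the same remarks presumably apply there.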
@ -10,6 +10,8 @@ test_audit() {
|
||||
local test_user="testcrontabduser"
|
||||
local test_file="/etc/crontab"
|
||||
|
||||
touch "$test_file"
|
||||
|
||||
describe Tests purposely failing
|
||||
chmod 777 "$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
@ -10,6 +10,8 @@ test_audit() {
|
||||
local test_user="testcrontabuser"
|
||||
local test_file="/etc/cron.hourly"
|
||||
|
||||
touch "$test_file"
|
||||
|
||||
describe Tests purposely failing
|
||||
chmod 777 "$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
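Review bot: `touch "$test_file"` creates a regular file when `/etc/cron.hourly` is absent, but on Debian that path is a directory, so on a blank host without cron the test exercises the check against a file rather than the directory it is meant to verify. For the four directory cases (`cron.hourly` here and `cron.daily`, `cron.weekly`, `cron.monthly` in the three hunks that follow) `mkdir -p "$test_file"` is the faithful setup; the `/etc/crontab` case in the first hunk is a file and `touch` is right there. test_audit() continues past the end of the hunk.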
@ -10,6 +10,8 @@ test_audit() {
|
||||
local test_user="testcrontabuser"
|
||||
local test_file="/etc/cron.daily"
|
||||
|
||||
touch "$test_file"
|
||||
|
||||
describe Tests purposely failing
|
||||
chmod 777 "$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
@ -10,6 +10,8 @@ test_audit() {
|
||||
local test_user="testcrontabuser"
|
||||
local test_file="/etc/cron.weekly"
|
||||
|
||||
touch "$test_file"
|
||||
|
||||
describe Tests purposely failing
|
||||
chmod 777 "$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
@ -10,6 +10,8 @@ test_audit() {
|
||||
local test_user="testcrontabuser"
|
||||
local test_file="/etc/cron.monthly"
|
||||
|
||||
touch "$test_file"
|
||||
|
||||
describe Tests purposely failing
|
||||
chmod 777 "$test_file"
|
||||
register_test retvalshouldbe 1
|
||||
|
16
tests/hardening/99.99_check_distribution.sh
Normal file
16
tests/hardening/99.99_check_distribution.sh
Normal file
@ -0,0 +1,16 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
##################################################################
|
||||
# For this test, we only check that it runs properly on a blank #
|
||||
# host, and we check root/sudo consistency. But, we don't test #
|
||||
# the apply function because it can't be automated or it is very #
|
||||
# long to test and not very useful. #
|
||||
##################################################################
|
||||
}
|
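Review bot: `register_test retvalshouldbe 0` on a "blank host" assumes the runner is a supported Debian, but this commit also adds a Debian 11 test image while leaving `HIGHEST_SUPPORTED_DEBIAN_VERSION=10`, so on that runner the audit reaches `crit`; if a crit produces a non-zero exit status as the cron tests rely on (`register_test retvalshouldbe 1` after `chmod 777`), this test will fail on the debian11 job. Either raise the expectation per runner or document the intent with `# expected to pass only on runners whose Debian major version lies within [SMALLEST_SUPPORTED_DEBIAN_VERSION, HIGHEST_SUPPORTED_DEBIAN_VERSION]` so the failure is read as a signal rather than noise.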