Add dealing with debian 11

* ADD: add dockerfile for debian11 * FIX: fix crontab file not found on debian11 blank * Add workflow for debian11 * FIX: fix debian version func to manage debian11 * Add dealing with unsupported version and distro * Add 99.99 check that check if distro version is supported * Use global var for debian major and distro fix #26
2025-06-21 18:23:42 +02:00 · 2021-02-08 13:54:24 +01:00
parent 449c695415
commit 6ae05f3fa2
24 changed files with 266 additions and 39 deletions
--- a/tests/docker/Dockerfile.debian11
+++ b/tests/docker/Dockerfile.debian11
@ -0,0 +1,21 @@
+FROM debian:bullseye
+
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
+
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
+
+COPY --chown=500:500 . /opt/debian-cis/
+
+COPY debian/default /etc/default/cis-hardening
+RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
+
+COPY cisharden.sudoers /etc/sudoers.d/secaudit
+RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
+
+
+ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
--- a/tests/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/tests/hardening/5.1.2_crontab_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabduser"
    local test_file="/etc/crontab"

+    touch "$test_file"
+
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.hourly"

+    touch "$test_file"
+
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.daily"

+    touch "$test_file"
+
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.weekly"

+    touch "$test_file"
+
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.monthly"

+    touch "$test_file"
+
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/99.99_check_distribution.sh
+++ b/tests/hardening/99.99_check_distribution.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}