Add dealing with debian 11

* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that checks whether the distro version is supported
* Use global var for debian major and distro

fix #26
This commit is contained in:
Thibault Ayanides 2021-02-08 13:54:24 +01:00 committed by GitHub
parent 449c695415
commit 6ae05f3fa2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 266 additions and 39 deletions


@ -18,3 +18,10 @@ jobs:
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Run the tests debian10 - name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10 run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian11
run: ./tests/docker_build_and_run_tests.sh debian11


@ -124,6 +124,11 @@ will create a timestamped backup in this directory.
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
`--allow-unsupported-distribution`
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
# AUTHORS # AUTHORS


@ -44,7 +44,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening $ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all $ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs 1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems. 1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
@ -123,6 +123,10 @@ Default value is : info
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files. before running the audit with user secaudit, to have the rights setup well on the conf files.
``--allow-unsupported-distribution``: must be specified manually in the command line to allow
the run on non compatible version or distribution. If you want to mute the warning change the
LOGLEVEL in /etc/hardening.cfg
## :computer: Hacking ## :computer: Hacking
**Getting the source** **Getting the source**


@ -27,6 +27,7 @@ SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
ASK_LOGLEVEL='' ASK_LOGLEVEL=''
ALLOW_UNSUPPORTED_DISTRIBUTION=0
usage() { usage() {
cat <<EOF cat <<EOF
@ -108,6 +109,11 @@ OPTIONS:
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
--allow-unsupported-distribution
Must be specified manually in the command line to allow the run on non compatible
version or distribution. If you want to mute the warning change the LOGLEVEL
in /etc/hardening.cfg
EOF EOF
exit 0 exit 0
} }
@ -163,6 +169,9 @@ while [[ $# -gt 0 ]]; do
BATCH_MODE='--batch' BATCH_MODE='--batch'
ASK_LOGLEVEL=ok ASK_LOGLEVEL=ok
;; ;;
--allow-unsupported-distribution)
ALLOW_UNSUPPORTED_DISTRIBUTION=1
;;
-h | --help) -h | --help)
usage usage
;; ;;
@ -188,8 +197,7 @@ if [ -z "$CIS_ROOT_DIR" ]; then
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
@ -197,6 +205,45 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
# shellcheck source=../lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
# print warning, otherwise quit
if [ "$DISTRIBUTION" != "debian" ]; then
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
echo "Exiting now"
exit 100
elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi
fi
fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
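Review bot: The three `elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]` branches in the new unsupported-platform block can never run: each sits behind an `if` that already matched `-eq 0` and exited, so the "false feedback of security" warning is never printed in the one case it was written for, a run with --allow-unsupported-distribution. Dropping the redundant first test fixes all three branches: `elif [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then`. The `-gt`/`-lt` comparisons on `$DEB_MAJ_VER` also assume it is non-empty, while get_debian_major_version initialises it to "" and its lsb_release fallback can leave it that way; `[` then prints "integer expression expected" and the whole version branch is skipped, so a `[ -z "$DEB_MAJ_VER" ]` case that refuses to continue (or at least warns) would be safer. I cannot see from this hunk whether hardening.sh runs under set -e, so the exact effect of that error is inferred.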


@ -24,6 +24,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"


@ -24,6 +24,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"


@ -24,6 +24,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"


@ -24,6 +24,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"


@ -24,6 +24,10 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"


@ -73,15 +73,12 @@ apply() {
} }
create_config() { create_config() {
get_debian_major_version
set +u set +u
debug "Debian version : $DEB_MAJ_VER " debug "Debian version : $DEB_MAJ_VER "
if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then if [[ 7 -le "$DEB_MAJ_VER" ]]; then
KEX='diffie-hellman-group-exchange-sha256' KEX='diffie-hellman-group-exchange-sha256'
elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
else else
KEX='diffie-hellman-group-exchange-sha256' KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
fi fi
set -u set -u
cat <<EOF cat <<EOF
@ -89,6 +86,7 @@ status=audit
# Put your KexAlgorithms # Put your KexAlgorithms
OPTIONS="KexAlgorithms=$KEX" OPTIONS="KexAlgorithms=$KEX"
EOF EOF
} }
# This function will check config parameters required # This function will check config parameters required
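Review bot: The new condition `if [[ 7 -le "$DEB_MAJ_VER" ]]` is true for every Debian from 7 upwards, so 8, 9, 10 and 11 all receive the bare `diffie-hellman-group-exchange-sha256` list and lose the `curve25519-sha256@libssh.org` entry the removed branch gave to 8 and 9; the comparison reads as inverted, since the shorter list is the one the old code reserved for Debian 7. `if [[ "$DEB_MAJ_VER" -le 7 ]]; then` restores that intent. Note also that the `-z` guard is gone and `get_debian_major_version` is no longer called here, so an empty `$DEB_MAJ_VER` now reaches the arithmetic test inside `[[ ]]`, which I believe reports an operand error and falls to the else branch, and the value "sid" is evaluated as a (unset) variable name there, i.e. as 0; both cases deserve an explicit branch rather than whichever list the else happens to hold.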


@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
get_debian_major_version
set +u set +u
debug "Debian version : $DEB_MAJ_VER " debug "Debian version : $DEB_MAJ_VER "
if [[ -z $DEB_MAJ_VER ]]; then if [[ -z "$DEB_MAJ_VER" ]]; then
set -u set -u
crit "Cannot get Debian version. Aborting..." crit "Cannot get Debian version. Aborting..."
return return
fi fi
if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
set -u set -u
warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check." warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
return return


@ -0,0 +1,65 @@
#!/bin/bash
# run-shellcheck
#
# OVH Security audit
#
#
# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="Check the distribution and the distribution version"
# This function will be called if the script status is on enabled / audit mode
audit() {
if [ "$DISTRIBUTION" != "debian" ]; then
crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is too recent and is not yet supported."
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
else
ok "Your distribution is debian and the version is supported"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
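Review bot: An empty `$DEB_MAJ_VER` makes both the `-gt` and the `-lt` test in audit() fail with an "integer expression expected" error on stderr, and the function then reaches the `ok` branch, so a version that could not be detected is reported as supported. Add an explicit case ahead of the numeric tests: `if [ -z "$DEB_MAJ_VER" ]; then` / `crit "Cannot determine the Debian version"` and turn the existing `if` into an `elif`. The header comment `# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10` hard-codes the range that `SMALLEST_SUPPORTED_DEBIAN_VERSION` and `HIGHEST_SUPPORTED_DEBIAN_VERSION` define; phrasing it as "within the supported range defined in lib/constants.sh" keeps it from going stale.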


@ -136,6 +136,12 @@ Default value is : info
While performing system audit, this option sets LOGLEVEL to `ok' and While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done, captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}] formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.PP
\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
the command line to allow the run on non compatible version or
distribution.
If you want to mute the warning change the LOGLEVEL in
/etc/hardening.cfg
.SH AUTHORS .SH AUTHORS
.IP \[bu] 2 .IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com> Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>


@ -113,31 +113,6 @@ sudo_wrapper() {
fi fi
} }
#
# detect if container based on cgroup detection
#
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
CONTAINER_TYPE=""
IS_CONTAINER=0
if [ "$(is_running_in_container "docker")" != "" ]; then
CONTAINER_TYPE="docker"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "lxc")" != "" ]; then
CONTAINER_TYPE="lxc"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "kubepods")" != "" ]; then
# shellcheck disable=SC2034
CONTAINER_TYPE="kubepods"
# shellcheck disable=SC2034
IS_CONTAINER=1
fi
# #
# Math functions # Math functions
# #


@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
BYELLOW='\033[1;33m' # Yellow BYELLOW='\033[1;33m' # Yellow
# shellcheck disable=2034 # shellcheck disable=2034
BWHITE='\033[1;37m' # White BWHITE='\033[1;37m' # White
# Debian version variables
CONTAINER_TYPE=""
IS_CONTAINER=0
if [ "$(is_running_in_container "docker")" != "" ]; then
CONTAINER_TYPE="docker"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "lxc")" != "" ]; then
CONTAINER_TYPE="lxc"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "kubepods")" != "" ]; then
# shellcheck disable=SC2034
CONTAINER_TYPE="kubepods"
# shellcheck disable=SC2034
IS_CONTAINER=1
fi
get_distribution
get_debian_major_version
# shellcheck disable=SC2034
SMALLEST_SUPPORTED_DEBIAN_VERSION=9
# shellcheck disable=SC2034
HIGHEST_SUPPORTED_DEBIAN_VERSION=10
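Review bot: The comment `# Debian version variables` now heads the container-detection block rather than the version variables; moving it down to sit above `get_distribution` (or retitling the first block `# Container detection`) keeps the file readable. More importantly this file no longer holds only constants: it calls `is_running_in_container`, `get_distribution` and `get_debian_major_version` while being sourced, so a header comment such as `# Requires lib/utils.sh to be sourced first` would document the dependency the new sourcing order in main.sh and hardening.sh relies on. Separately, `HIGHEST_SUPPORTED_DEBIAN_VERSION=10` means the Debian 11 target this commit adds to CI is classified as unsupported by both hardening.sh and the new 99.99 check; if that is intentional until an official benchmark exists, a comment saying so next to the constant would avoid the obvious question.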


@ -10,14 +10,15 @@ BATCH_OUTPUT=""
status="" status=""
forcedstatus="" forcedstatus=""
SUDO_CMD="" SUDO_CMD=""
# shellcheck source=constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh # shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
# shellcheck source=constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# Environment Sanitizing # Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
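Review bot: Moving the constants.sh line below utils.sh is required rather than cosmetic, because constants.sh now calls `get_distribution` and `get_debian_major_version` from utils.sh while it is being sourced; nothing on the new line says so. A comment on it such as `# constants.sh calls functions from utils.sh at source time, keep it after utils.sh` would stop a future reorder from breaking every check script with "command not found".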


@ -538,9 +538,33 @@ get_debian_major_version() {
DEB_MAJ_VER="" DEB_MAJ_VER=""
does_file_exist /etc/debian_version does_file_exist /etc/debian_version
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) if grep -q "sid" /etc/debian_version; then
DEB_MAJ_VER="sid"
else
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
fi
else else
# shellcheck disable=2034 # shellcheck disable=2034
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
fi fi
} }
# Returns the distribution
get_distribution() {
DISTRIBUTION=""
if [ -f /etc/os-release ]; then
# shellcheck disable=2034
DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
FNRET=0
else
debug "Distribution not found !"
FNRET=127
fi
}
# Detect if container based on cgroup detection
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
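Review bot: `get_distribution` strips only the literal `ID=` prefix, but os-release permits double-quoted values (`ID="..."`), so on a distribution that quotes it `$DISTRIBUTION` keeps its quotes and every `!= "debian"` comparison and message elsewhere sees a quoted name; `DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed -e 's/^ID=//' -e 's/^"\(.*\)"$/\1/' | tr '[:upper:]' '[:lower:]')` handles both forms. Also note that if `/etc/os-release` has no `ID=` line the grep fails and the assignment's status is non-zero, which under set -e in a caller would abort rather than set FNRET; guarding with `|| true` inside the substitution, or testing the result with `-z`, makes the failure path explicit. `is_running_in_container` (moved here unchanged) splices `$1` into the awk program text; `awk -F/ -v name="$1" '$2 == name' /proc/self/cgroup` passes it as data, which is the safer habit even though current callers only pass fixed strings.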


@ -0,0 +1,21 @@
FROM debian:bullseye
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]


@ -10,6 +10,8 @@ test_audit() {
local test_user="testcrontabduser" local test_user="testcrontabduser"
local test_file="/etc/crontab" local test_file="/etc/crontab"
touch "$test_file"
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1


@ -10,6 +10,8 @@ test_audit() {
local test_user="testcrontabuser" local test_user="testcrontabuser"
local test_file="/etc/cron.hourly" local test_file="/etc/cron.hourly"
touch "$test_file"
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
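Review bot: `touch "$test_file"` with `test_file="/etc/cron.hourly"` creates a regular file when the path is absent, whereas the cron package installs /etc/cron.hourly as a directory; if the check's existence and ownership helpers accept either, the test passes against a fixture that does not match a real host, and if any later step expects a directory it fails confusingly. `mkdir -p -- "$test_file"` is the matching fixture here and in the cron.daily, cron.weekly and cron.monthly hunks that follow; the preceding /etc/crontab hunk is correctly a `touch`.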


@ -10,6 +10,8 @@ test_audit() {
local test_user="testcrontabuser" local test_user="testcrontabuser"
local test_file="/etc/cron.daily" local test_file="/etc/cron.daily"
touch "$test_file"
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1


@ -10,6 +10,8 @@ test_audit() {
local test_user="testcrontabuser" local test_user="testcrontabuser"
local test_file="/etc/cron.weekly" local test_file="/etc/cron.weekly"
touch "$test_file"
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1


@ -10,6 +10,8 @@ test_audit() {
local test_user="testcrontabuser" local test_user="testcrontabuser"
local test_file="/etc/cron.monthly" local test_file="/etc/cron.monthly"
touch "$test_file"
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1


@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}
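Review bot: `register_test retvalshouldbe 0` asserts that 99.99 passes on a blank host, but with `HIGHEST_SUPPORTED_DEBIAN_VERSION=10` the Debian 11 image this commit adds to CI is reported as too recent (or as "sid" if its /etc/debian_version contains that word), which the check records with `crit`; unless the harness treats that differently from other crits, this test presumably fails on the debian11 job. Either raise the constant to 11 once Debian 11 is meant to be supported, or derive the expected return value from the detected version in this test.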