From 730ab47437f3ddd0dc34bccedd1ae203ea47ff00 Mon Sep 17 00:00:00 2001
From: lgaida <9195031+lgaida@users.noreply.github.com>
Date: Wed, 10 Jan 2024 17:07:02 +0100
Subject: [PATCH] allow multiple users in 5.2.18 (#228)

* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi
---
 bin/hardening/5.2.18_sshd_limit_access.sh | 6 +-
 tests/hardening/5.2.18_sshd_limit_access.sh | 105 ++++++++++++++++++++
 2 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh
index 99198f7..60d5e8c 100755
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
+    OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SSH_OPTION in "${OPTIONS[@]}"; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             # shellcheck disable=SC2001
@@ -53,7 +53,7 @@ apply() {
         crit "$PACKAGE is absent, installing it"
         apt_install "$PACKAGE"
     fi
-    for SSH_OPTION in $OPTIONS; do
+    for SSH_OPTION in "${OPTIONS[@]}"; do
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         # shellcheck disable=SC2001
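Review bot: The single quotes embedded in each element of the new `OPTIONS=(...)` line are a leftover of the old string form and serve no purpose now that every option is its own array element, yet the `SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)` line still returns them, and `-f 2` would silently drop anything after a second `=`. Parameter expansion needs neither the quotes nor the pipeline: `OPTIONS=("AllowUsers=$ALLOWED_USERS" "AllowGroups=$ALLOWED_GROUPS" "DenyUsers=$DENIED_USERS" "DenyGroups=$DENIED_GROUPS")`, `SSH_PARAM=${SSH_OPTION%%=*}`, `SSH_VALUE=${SSH_OPTION#*=}` — provided the quote-stripping that the `# shellcheck disable=SC2001` line introduces (it lies below the hunk, so how an empty value becomes `*` is not visible here) is adjusted to match. Judging by the expected messages in the accompanying test (`^AllowUsers[[:space:]]**`), the value also ends up inside an unescaped grep pattern, so the `*` default or a user name containing regex metacharacters is matched loosely rather than literally; that use site is outside the hunk, so treat this as something to confirm. audit() continues below the hunk.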
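Review bot: apply() now iterates `"${OPTIONS[@]}"`, but the only assignment to the array in this patch is inside audit() (previous hunk); unless apply() sets OPTIONS itself in the lines above this hunk, which are not visible, it depends on audit() having run earlier in the same shell and would loop zero times otherwise, leaving sshd_config untouched without any error. Defining the list once in a small helper, e.g. `build_ssh_options() { OPTIONS=(...); }`, and calling it from both audit() and apply() removes the hidden ordering dependency and the duplicated `cut` parsing. If the ordering is intentional, a comment above the loop, `# OPTIONS is populated by audit(), which is expected to run before apply()`, should say so. apply() starts and ends outside this hunk.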
diff --git a/tests/hardening/5.2.18_sshd_limit_access.sh b/tests/hardening/5.2.18_sshd_limit_access.sh
index debeb86..3e3e971 100644
--- a/tests/hardening/5.2.18_sshd_limit_access.sh
+++ b/tests/hardening/5.2.18_sshd_limit_access.sh
@@ -22,4 +22,109 @@ test_audit() {
     register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
     register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Check and report mismatch for allowed user
+    useradd -s /bin/bash johnallow
+    sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply allowed user
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple allowed users
+    useradd -s /bin/bash janeallow
+    sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple allowed users
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    tail -n 5 /etc/ssh/sshd_config
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset allowed users to default before continuing
+    sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Check and report mismatch for denied user
+    useradd -s /bin/bash peterdeny
+    sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply denied user
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple denied users
+    useradd -s /bin/bash marrydeny
+    sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple denied users
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset to prevent other test from possibly failing in the future
+    sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    userdel johnallow
+    userdel janeallow
+    userdel peterdeny
+    userdel marrydeny
 }
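Review bot: The verification step after each no-argument script run is inconsistent: `fix_user_mismatch` and `fix_denied_user_mismatch` re-run the script with `--apply-all`, while `fix_multi_allowed_user_mismatch` and `fix_multi_denied_user_mismatch` verify with `--audit-all`. With `--apply-all` the checked run rewrites sshd_config itself, so those two cases pass even if the preceding `"${CIS_CHECKS_DIR}/${script}.sh" || true` applied nothing; change them to `run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all` and `run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all` so the "Correctly apply" cases actually prove the apply happened. The `tail -n 5 /etc/ssh/sshd_config` in the multiple-allowed-users case looks like leftover debugging output and can be dropped. The four `userdel` calls sit at the very end, so depending on how `run` handles a failed assertion (defined outside this hunk) an early failure may leave the test accounts behind for later tests. test_audit() starts above this hunk; its closing brace is the last context line.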