mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 06:54:29 +01:00
IMP(5.2.x): add tests and default_config
I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh
This commit is contained in:
parent
e288835381
commit
774af39a34
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Disable SSH Root Login."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='PermitRootLogin=no'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the root login boolean for ssh
|
||||
OPTIONS='PermitRootLogin=no'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='PermitEmptyPasswords=no'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the empty password boolean for ssh
|
||||
OPTIONS='PermitEmptyPasswords=no'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Do not allow users to set environment options."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='PermitUserEnvironment=no'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the permit user env boolean for ssh
|
||||
OPTIONS='PermitUserEnvironment=no'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,16 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the ciphers
|
||||
OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -16,11 +16,11 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set Idle Timeout Interval for user login."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -76,16 +76,13 @@ create_config() {
|
||||
status=audit
|
||||
# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
|
||||
# Settles sshd idle timeout
|
||||
SSHD_TIMEOUT=300
|
||||
OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z $SSHD_TIMEOUT ]; then
|
||||
crit "SSHD_TIMEOUT is not set, please edit configuration file"
|
||||
exit 128
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
@ -15,11 +15,11 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set Login Grace Time for user login."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -75,16 +75,13 @@ create_config() {
|
||||
status=audit
|
||||
# In seconds, value of LoginGraceTime
|
||||
# Settles sshd login grace time
|
||||
SSHD_LOGIN_GRACE_TIME=60
|
||||
OPTIONS="LoginGraceTime=60"
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
|
||||
crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
|
||||
exit 128
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set secure shell (SSH) protocol to 2."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='Protocol=2'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here your protocol for ssh
|
||||
OPTIONS='Protocol=2'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable SSH X11 forwarding."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='X11Forwarding=no'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,16 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the forwarding boolean for ssh
|
||||
OPTIONS='X11Forwarding=no'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set SSH MaxAuthTries to 4."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='MaxAuthTries=4'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the max auth tries for ssh
|
||||
OPTIONS='MaxAuthTries=4'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set SSH IgnoreRhosts to Yes."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='IgnoreRhosts=yes'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,14 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the rhosts boolean for ssh
|
||||
OPTIONS='IgnoreRhosts=yes'
|
||||
EOF
|
||||
}
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set SSH HostbasedAUthentication to No."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
OPTIONS='HostbasedAuthentication=no'
|
||||
OPTIONS=''
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -74,6 +74,15 @@ check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the hostbase boolean for ssh
|
||||
OPTIONS='HostbasedAuthentication=no'
|
||||
EOF
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^PermitRootLogin[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -6,5 +6,16 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^PermitEmptyPasswords[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^PermitUserEnvironment[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^Ciphers[[:space:]]*chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,22 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^ClientAliveInterval[[:space:]]*300 is present in /etc/ssh/sshd_config"
|
||||
register_test contain "[ OK ] ^ClientAliveCountMax[[:space:]]*0 is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^LoginGraceTime[[:space:]]*60 is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,24 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^Banner[[:space:]]* is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -5,6 +5,18 @@ test_audit() {
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^Protocol[[:space:]]*2 is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
|
@ -1,12 +1,16 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 1
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Fix state
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^X11Forwarding[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -1,10 +1,21 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "openssh-server is installed"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^MaxAuthTries[[:space:]]*4 is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -6,5 +6,16 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all}
|
||||
}
|
@ -6,5 +6,16 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
# `apply` performs a service reload after each change in the config file
|
||||
# the service needs to be started for the reload to succeed
|
||||
service ssh start
|
||||
# if the audit script provides "apply" option, enable and run it
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^HostbasedAuthentication[[:space:]]*no is present in /etc/ssh/sshd_config"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user