From 774af39a34f683f226de61a51fbb51429674a448 Mon Sep 17 00:00:00 2001 
From: Thibault Ayanides Date: Thu, 29 Oct 2020 11:18:31 +0100 Subject: [PATCH] IMP(5.2.x): add tests and default_config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh --- bin/hardening/5.2.10_disable_root_login.sh | 11 +++++++++- ....2.11_disable_sshd_permitemptypasswords.sh | 11 +++++++++- bin/hardening/5.2.12_disable_sshd_setenv.sh | 11 +++++++++- bin/hardening/5.2.13_sshd_ciphers.sh | 12 ++++++++++- 
bin/hardening/5.2.16_sshd_idle_timeout.sh | 9 +++------ bin/hardening/5.2.17_sshd_login_grace_time.sh | 9 +++------ bin/hardening/5.2.4_sshd_protocol.sh | 11 +++++++++- bin/hardening/5.2.6_disable_x11_forwarding.sh | 12 ++++++++++- bin/hardening/5.2.7_sshd_maxauthtries.sh | 11 +++++++++- .../5.2.8_enable_sshd_ignorerhosts.sh | 10 +++++++++- ....9_disable_sshd_hostbasedauthentication.sh | 11 +++++++++- tests/hardening/5.2.10_disable_root_login.sh | 17 +++++++++++++--- ....2.11_disable_sshd_permitemptypasswords.sh | 13 +++++++++++- tests/hardening/5.2.12_disable_sshd_setenv.sh | 17 +++++++++++++--- tests/hardening/5.2.13_sshd_ciphers.sh | 17 +++++++++++++--- tests/hardening/5.2.16_sshd_idle_timeout.sh | 18 ++++++++++++++--- .../hardening/5.2.17_sshd_login_grace_time.sh | 17 +++++++++++++--- tests/hardening/5.2.18_sshd_limit_access.sh | 20 ++++++++++++++++--- tests/hardening/5.2.19_ssh_banner.sh | 17 +++++++++++++--- tests/hardening/5.2.4_sshd_protocol.sh | 14 ++++++++++++- tests/hardening/5.2.5_sshd_loglevel.sh | 10 +++++++--- .../hardening/5.2.6_disable_x11_forwarding.sh | 17 +++++++++++++--- tests/hardening/5.2.7_sshd_maxauthtries.sh | 17 +++++++++++++--- .../5.2.8_enable_sshd_ignorerhosts.sh | 15 ++++++++++++-- ....9_disable_sshd_hostbasedauthentication.sh | 13 +++++++++++- 25 files changed, 284 insertions(+), 56 deletions(-) diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh index 3b01009..a89f8ef 100755 --- a/bin/hardening/5.2.10_disable_root_login.sh +++ b/bin/hardening/5.2.10_disable_root_login.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=3 DESCRIPTION="Disable SSH Root Login." PACKAGE='openssh-server' -OPTIONS='PermitRootLogin=no' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode 
@@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the root login boolean for ssh +OPTIONS='PermitRootLogin=no' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh index 39bbb1a..a76db6c 100755 --- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs." PACKAGE='openssh-server' -OPTIONS='PermitEmptyPasswords=no' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the empty password boolean for ssh +OPTIONS='PermitEmptyPasswords=no' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh index 514c222..872413e 100755 --- a/bin/hardening/5.2.12_disable_sshd_setenv.sh +++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Do not allow users to set environment options." PACKAGE='openssh-server' -OPTIONS='PermitUserEnvironment=no' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode 
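Review bot: `OPTIONS=''` is now the script-level default while `check_config` still reads `:`, so a host whose `/opt/debian-cis/etc/conf.d/5.2.10_disable_root_login.cfg` predates this commit (and therefore has no `OPTIONS` line) runs the audit with nothing to check; what the audit loop reports for an empty `OPTIONS` is outside the hunk, but a silent pass is the likely outcome. Restore a guard in `check_config` on the variable the cfg now provides: `if [ -z "$OPTIONS" ]; then`, `crit "OPTIONS is not set, please edit configuration file"; exit 128`, `fi` — it runs after the cfg is sourced, as the guards removed from 5.2.16 and 5.2.17 in this commit did. The same applies to the `create_config` hunks of 5.2.11, 5.2.12, 5.2.13, 5.2.4, 5.2.6, 5.2.7, 5.2.8 and 5.2.9. Only 5.2.13 and 5.2.6 carry the `# This function will create the config file for this check with default values` header; add it to the other seven `create_config` definitions for consistency.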
@@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the permit user env boolean for ssh +OPTIONS='PermitUserEnvironment=no' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh index 8c16860..e674f35 100755 --- a/bin/hardening/5.2.13_sshd_ciphers.sh +++ b/bin/hardening/5.2.13_sshd_ciphers.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)." PACKAGE='openssh-server' -OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,16 @@ check_config() { : } +# This function will create the config file for this check with default values +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the ciphers +OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh index 3588e12..0b9bedd 100755 --- a/bin/hardening/5.2.16_sshd_idle_timeout.sh +++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh @@ -16,11 +16,11 @@ HARDENING_LEVEL=3 DESCRIPTION="Set Idle Timeout Interval for user login." PACKAGE='openssh-server' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0" is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" 
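Review bot: The default written by `create_config` in 5.2.13_sshd_ciphers.sh drops the backslashes the old `OPTIONS` value had (`@openssh\.com` became `@openssh.com`). The previous escaping suggests the value is used as a grep pattern against `/etc/ssh/sshd_config` (the audit body is outside the hunk); if so, each unescaped dot now matches any character and a cipher name differing only at those positions would be accepted. Either restore `\.` in the cfg default and update the expectation in tests/hardening/5.2.13_sshd_ciphers.sh to match, or, if the value is compared literally, document that in the `# Put here the ciphers` comment so the next editor does not re-add the escaping.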
@@ -76,16 +76,13 @@ create_config() { status=audit # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0 # Settles sshd idle timeout -SSHD_TIMEOUT=300 +OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0" EOF } # This function will check config parameters required check_config() { - if [ -z $SSHD_TIMEOUT ]; then - crit "SSHD_TIMEOUT is not set, please edit configuration file" - exit 128 - fi + : } # Source Root Dir Parameter diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh index 6bb4011..4d2deac 100755 --- a/bin/hardening/5.2.17_sshd_login_grace_time.sh +++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh @@ -15,11 +15,11 @@ HARDENING_LEVEL=3 DESCRIPTION="Set Login Grace Time for user login." PACKAGE='openssh-server' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME" is_pkg_installed $PACKAGE if [ $FNRET != 0 ]; then crit "$PACKAGE is not installed!" @@ -75,16 +75,13 @@ create_config() { status=audit # In seconds, value of LoginGraceTime # Settles sshd login grace time -SSHD_LOGIN_GRACE_TIME=60 +OPTIONS="LoginGraceTime=60" EOF } # This function will check config parameters required check_config() { - if [ -z $SSHD_LOGIN_GRACE_TIME ]; then - crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file" - exit 128 - fi + : } # Source Root Dir Parameter diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh index 1e57c18..0da5412 100755 --- a/bin/hardening/5.2.4_sshd_protocol.sh +++ b/bin/hardening/5.2.4_sshd_protocol.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Set secure shell (SSH) protocol to 2." PACKAGE='openssh-server' -OPTIONS='Protocol=2' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode 
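Review bot: `check_config` in 5.2.16_sshd_idle_timeout.sh is reduced to `:` while the configuration key moves from `SSHD_TIMEOUT` to `OPTIONS`; a host whose `/opt/debian-cis/etc/conf.d/5.2.16_sshd_idle_timeout.cfg` was written by the previous `create_config` still carries `SSHD_TIMEOUT=300` and no `OPTIONS`, so `OPTIONS` stays `''` and the guard that would have reported a missing value is gone. Since `check_config` runs after the cfg is sourced (the removed guard relied on that), it is the place to map the legacy key and keep the non-empty check; the same applies to `SSHD_LOGIN_GRACE_TIME` and `LoginGraceTime=` in 5.2.17_sshd_login_grace_time.sh. The typo `bedoing` in the context comment above could be fixed in the same pass.
```shell
check_config() {
    # Backward compatibility: cfg files written by the previous create_config
    # carry SSHD_TIMEOUT instead of OPTIONS; honour them rather than auditing nothing.
    if [ -z "$OPTIONS" ] && [ -n "$SSHD_TIMEOUT" ]; then
        OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    fi
    if [ -z "$OPTIONS" ]; then
        crit "OPTIONS is not set, please edit configuration file"
        exit 128
    fi
}
```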
@@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here your protocol for ssh +OPTIONS='Protocol=2' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh index 98e59e8..576f70d 100755 --- a/bin/hardening/5.2.6_disable_x11_forwarding.sh +++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Disable SSH X11 forwarding." PACKAGE='openssh-server' -OPTIONS='X11Forwarding=no' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,16 @@ check_config() { : } +# This function will create the config file for this check with default values +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the forwarding boolean for ssh +OPTIONS='X11Forwarding=no' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh index f0e90f7..f61dbe5 100755 --- a/bin/hardening/5.2.7_sshd_maxauthtries.sh +++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Set SSH MaxAuthTries to 4." PACKAGE='openssh-server' -OPTIONS='MaxAuthTries=4' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the max auth tries for ssh +OPTIONS='MaxAuthTries=4' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening 
diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh index 380f092..417d060 100755 --- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Set SSH IgnoreRhosts to Yes." PACKAGE='openssh-server' -OPTIONS='IgnoreRhosts=yes' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,14 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the rhosts boolean for ssh +OPTIONS='IgnoreRhosts=yes' +EOF +} # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh index 5e5c7e6..0ddc208 100755 --- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=2 DESCRIPTION="Set SSH HostbasedAUthentication to No." PACKAGE='openssh-server' -OPTIONS='HostbasedAuthentication=no' +OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode @@ -74,6 +74,15 @@ check_config() { : } +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here the hostbase boolean for ssh +OPTIONS='HostbasedAuthentication=no' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/tests/hardening/5.2.10_disable_root_login.sh b/tests/hardening/5.2.10_disable_root_login.sh index b333419..41c63c4 100644 --- a/tests/hardening/5.2.10_disable_root_login.sh +++ b/tests/hardening/5.2.10_disable_root_login.sh 
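Review bot: In 5.2.8_enable_sshd_ignorerhosts.sh the added `create_config` is followed directly by `# Source Root Dir Parameter` with no blank line (the hunk adds 8 lines where the sibling files add 9). Add the blank line after the closing `}` so the block reads like its siblings, and consider the same `# This function will create the config file for this check with default values` header that 5.2.13 and 5.2.6 carry.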
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PermitRootLogin[[:space:]]*no is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh index b333419..361dadb 100644 --- a/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh +++ b/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh 
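Review bot: The twelve-line "Correcting situation / Checking resolved state" sequence added here is repeated verbatim in tests/hardening/5.2.11 through 5.2.19 (every test file in this commit), with only the expected `contain` string differing. Unless the test library forbids it (it is not in this diff), a helper taking the expected pattern would keep the `service ssh start` and `sed -i 's/audit/enabled/'` steps in one place, so a later change to the apply workflow is not missed in one of fourteen copies. The `sed` also rewrites the first `audit` on every line of the cfg, comments included; `sed -i 's/^status=audit/status=enabled/'` would state the intent exactly.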
@@ -6,5 +6,16 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PermitEmptyPasswords[[:space:]]*no is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.12_disable_sshd_setenv.sh b/tests/hardening/5.2.12_disable_sshd_setenv.sh index b333419..549da9b 100644 --- a/tests/hardening/5.2.12_disable_sshd_setenv.sh +++ b/tests/hardening/5.2.12_disable_sshd_setenv.sh 
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PermitUserEnvironment[[:space:]]*no is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.13_sshd_ciphers.sh b/tests/hardening/5.2.13_sshd_ciphers.sh index b333419..0f49f42 100644 --- a/tests/hardening/5.2.13_sshd_ciphers.sh +++ b/tests/hardening/5.2.13_sshd_ciphers.sh 
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^Ciphers[[:space:]]*chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.16_sshd_idle_timeout.sh b/tests/hardening/5.2.16_sshd_idle_timeout.sh index b333419..438d9a6 100644 --- a/tests/hardening/5.2.16_sshd_idle_timeout.sh +++ b/tests/hardening/5.2.16_sshd_idle_timeout.sh 
@@ -1,10 +1,22 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^ClientAliveInterval[[:space:]]*300 is present in /etc/ssh/sshd_config" + register_test contain "[ OK ] ^ClientAliveCountMax[[:space:]]*0 is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.17_sshd_login_grace_time.sh b/tests/hardening/5.2.17_sshd_login_grace_time.sh index b333419..b2aea94 100755 --- a/tests/hardening/5.2.17_sshd_login_grace_time.sh +++ b/tests/hardening/5.2.17_sshd_login_grace_time.sh 
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^LoginGraceTime[[:space:]]*60 is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.18_sshd_limit_access.sh b/tests/hardening/5.2.18_sshd_limit_access.sh index b333419..976d038 100644 --- a/tests/hardening/5.2.18_sshd_limit_access.sh +++ b/tests/hardening/5.2.18_sshd_limit_access.sh 
@@ -1,10 +1,24 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config" + register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config" + register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config" + register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.19_ssh_banner.sh b/tests/hardening/5.2.19_ssh_banner.sh index b333419..bcf1f0e 100644 --- a/tests/hardening/5.2.19_ssh_banner.sh +++ b/tests/hardening/5.2.19_ssh_banner.sh 
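Review bot: The resolved state asserted for 5.2.18 is `AllowUsers *`, `AllowGroups *`, `DenyUsers nobody` and `DenyGroups nobody`, which restricts no one — the test verifies that the apply path writes the directives, not that access is limited. A comment on the `describe Checking resolved state` line, such as `# defaults are placeholders; real deployments must narrow AllowUsers/AllowGroups in the cfg`, would stop a reader taking a green run as evidence the control is enforced. These four `contain` strings also omit the `[ OK ] ` prefix every other test in this commit uses, so a failure line that carries the same `is present in` wording (the audit's messages are not in this diff) would satisfy them; prefix them like the siblings.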
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^Banner[[:space:]]* is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.4_sshd_protocol.sh b/tests/hardening/5.2.4_sshd_protocol.sh index b333419..f311fee 100644 --- a/tests/hardening/5.2.4_sshd_protocol.sh +++ b/tests/hardening/5.2.4_sshd_protocol.sh @@ -5,6 +5,18 @@ test_audit() { dismiss_count_for_test # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^Protocol[[:space:]]*2 is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests } 
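Review bot: The resolved-state assertion for 5.2.19 is `^Banner[[:space:]]*` with an empty value, which is satisfied by any `Banner` line, including `Banner none` — the setting that disables the banner — so the test cannot tell a configured banner from a disabled one. If the check's default is a concrete path, assert it, e.g. `register_test contain "[ OK ] ^Banner[[:space:]]*<expected-banner-path> is present in /etc/ssh/sshd_config"`; if the pattern really is open-ended, that is a weakness of the check itself (its script is not in this diff) and deserves a TODO here rather than a passing assertion.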
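Review bot: The blank-host block of tests/hardening/5.2.4_sshd_protocol.sh keeps `dismiss_count_for_test` (line 5, visible context) while every sibling test in this commit replaces it with `register_test retvalshouldbe 1` and `register_test contain "openssh-server is installed"`; lines 3–4 are outside the hunk, so I cannot tell whether the return-value expectation was updated. If the Protocol check legitimately passes on a blank host, a one-line comment saying why would make the divergence deliberate rather than an oversight.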
diff --git a/tests/hardening/5.2.5_sshd_loglevel.sh b/tests/hardening/5.2.5_sshd_loglevel.sh index bdfa4a6..42f1ef3 100644 --- a/tests/hardening/5.2.5_sshd_loglevel.sh +++ b/tests/hardening/5.2.5_sshd_loglevel.sh @@ -1,12 +1,16 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 1 + register_test retvalshouldbe 0 dismiss_count_for_test # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - describe Fix state + + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true diff --git a/tests/hardening/5.2.6_disable_x11_forwarding.sh b/tests/hardening/5.2.6_disable_x11_forwarding.sh index b333419..1d45b25 100644 --- a/tests/hardening/5.2.6_disable_x11_forwarding.sh +++ b/tests/hardening/5.2.6_disable_x11_forwarding.sh 
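Review bot: The blank-host expectation in tests/hardening/5.2.5_sshd_loglevel.sh flips from `retvalshouldbe 1` to `retvalshouldbe 0` with no comment, and the commit message only mentions adding tests, so it is unclear whether a fresh host now genuinely satisfies the LogLevel check or the check was weakened. Add a one-line comment above it, e.g. `# a blank host already passes because <reason>`, with the reason filled in. The blank line between `--audit-all` and `describe Correcting situation` is removed and re-added, which looks like a whitespace-only change (trailing whitespace is the usual cause) and is worth dropping from the patch.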
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^X11Forwarding[[:space:]]*no is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.7_sshd_maxauthtries.sh b/tests/hardening/5.2.7_sshd_maxauthtries.sh index b333419..7e5b274 100644 --- a/tests/hardening/5.2.7_sshd_maxauthtries.sh +++ b/tests/hardening/5.2.7_sshd_maxauthtries.sh 
@@ -1,10 +1,21 @@ # run-shellcheck test_audit() { describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test + register_test retvalshouldbe 1 + register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true - # TODO fill comprehensive tests + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^MaxAuthTries[[:space:]]*4 is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh index b333419..83b268c 100644 --- a/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh 
@@ -6,5 +6,16 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests -} + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all} +} \ No newline at end of file diff --git a/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh index b333419..d5a53ad 100644 --- a/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh +++ b/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh @@ -6,5 +6,16 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + # `apply` performs a service reload after each change in the config file + # the service needs to be started for the reload to succeed + service ssh start + # if the audit script provides "apply" option, enable and run it + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^HostbasedAuthentication[[:space:]]*no is present in /etc/ssh/sshd_config" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all }
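Review bot: The last added line of tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh reads `run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all}` — the closing brace is glued to the argument, so the script is invoked with `--audit-all}` instead of `--audit-all`, and the `}` on the following line is what actually closes `test_audit`; the file also ends without a trailing newline. Split it into `run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all` followed by `}` on its own line, and add the final newline.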