From 7b73eac6d6a9afca8798469ec29cf0437a164082 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 5 Nov 2020 14:24:57 +0100
Subject: [PATCH] FIX: fix test for CDS

---
 tests/hardening/6.1.13_find_suid_files.sh | 2 +-
 tests/hardening/6.1.14_find_sgid_files.sh | 2 +-
 tests/hardening/6.2.9_users_valid_homedir.sh | 29 +++++++++++++-------
 tests/hardening/99.3.1_acc_shadow_sha512.sh | 1 +
 tests/hardening/99.3.2_acc_sudoers_no_all.sh | 7 ++++-
 5 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/tests/hardening/6.1.13_find_suid_files.sh b/tests/hardening/6.1.13_find_suid_files.sh
index c8d8844..5362467 100755
--- a/tests/hardening/6.1.13_find_suid_files.sh
+++ b/tests/hardening/6.1.13_find_suid_files.sh
@@ -4,7 +4,7 @@ test_audit() {
 # shellcheck disable=2154
 /opt/debian-cis/bin/hardening/"${script}".sh || true
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
 
 describe Running on blank host
 register_test retvalshouldbe 0
diff --git a/tests/hardening/6.1.14_find_sgid_files.sh b/tests/hardening/6.1.14_find_sgid_files.sh
index 67727bd..ffda6d6 100755
--- a/tests/hardening/6.1.14_find_sgid_files.sh
+++ b/tests/hardening/6.1.14_find_sgid_files.sh
@@ -4,7 +4,7 @@ test_audit() {
 # shellcheck disable=2154
 /opt/debian-cis/bin/hardening/"${script}".sh || true
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
 
 describe Running on blank host
 register_test retvalshouldbe 0
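Review bot: The new EXCEPTIONS entries in both 6.1.13 and 6.1.14 hardcode the setuid/setgid inventory of one particular test image, and the 6.1.14 entry `/usr/lib/x86_64-linux-gnu/utempter/utempter` is additionally architecture-specific, so the "blank host" run will fail on any other architecture or package set without the cause being obvious from the test. A comment above each echo, e.g. `# setuid/setgid binaries shipped by the CDS test image; extend when the image changes`, would make that dependency explicit for whoever next sees the failure. Deriving the baseline from the test environment instead of a growing literal list would be more robust, but that is beyond this fix. test_audit's body continues outside both hunks.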
diff --git a/tests/hardening/6.2.9_users_valid_homedir.sh b/tests/hardening/6.2.9_users_valid_homedir.sh
index aa9cc9f..2ab3741 100644
--- a/tests/hardening/6.2.9_users_valid_homedir.sh
+++ b/tests/hardening/6.2.9_users_valid_homedir.sh
@@ -1,25 +1,34 @@
 # run-shellcheck
 test_audit() {
+ describe Running void to generate the conf file that will later be edited
+ # shellcheck disable=2154
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+ echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
 describe Running on blank host
 register_test retvalshouldbe 0
+ dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
- useradd -m testhomeuser
- chown root:root /home/testhomeuser
+ local test_user="testhomeuser"
 
- describe Wrong home owner
+ describe Test purposely failing
+ useradd -m $test_user
+ chown root:root /home/$test_user
 register_test retvalshouldbe 1
- run wronghomeowner /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
- echo "EXCEPTIONS=\"/home/testhomeuser:testhomeuser:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ describe correcting situation
+ echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
 
- describe Added exceptions
+
+ describe Checking resolved state
 register_test retvalshouldbe 0
- run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
 # Cleanup
- rm -rf /home/testhomeuser
- userdel -r testhomeuser
+ rm -rf "/home/${test_user:?}"
+ userdel -r $test_user
 }
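Review bot: The expected message in the new `register_test contain` line interpolates `$test_user` for the path but still hardcodes the name in `of user testhomeuser`, so the freshly introduced variable only half-parameterizes the test; it should read `register_test contain "[ KO ] The home directory (/home/$test_user) of user $test_user is owned by root"`. The same variable is expanded unquoted in `useradd -m $test_user`, `chown root:root /home/$test_user` and `userdel -r $test_user`, while `rm -rf "/home/${test_user:?}"` right next to it quotes it; quoting all of them (`"$test_user"`) keeps the block consistent and ShellCheck-clean. The `echo ... > /opt/debian-cis/etc/conf.d/"${script}".cfg` in the correcting step also overwrites the whole generated conf file instead of appending as the earlier echo does, which presumably discards anything else the first run wrote there, so it is worth confirming that is intended. Finally, the added empty `+` line leaves two consecutive blank lines before `describe Checking resolved state`.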
diff --git a/tests/hardening/99.3.1_acc_shadow_sha512.sh b/tests/hardening/99.3.1_acc_shadow_sha512.sh
index 7c4dbf1..87ab2f4 100644
--- a/tests/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh
@@ -3,6 +3,7 @@ test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
 register_test contain "There is no password in /etc/shadow"
+ dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
diff --git a/tests/hardening/99.3.2_acc_sudoers_no_all.sh b/tests/hardening/99.3.2_acc_sudoers_no_all.sh
index 461e9b0..90892be 100644
--- a/tests/hardening/99.3.2_acc_sudoers_no_all.sh
+++ b/tests/hardening/99.3.2_acc_sudoers_no_all.sh
@@ -1,5 +1,10 @@
 # run-shellcheck
 test_audit() {
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ # shellcheck disable=2016
+ echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
 describe Running on blank host
 register_test retvalshouldbe 0
 dismiss_count_for_test
@@ -17,7 +22,7 @@ test_audit() {
 
 
 # shellcheck disable=2016
- echo 'EXCEPT="$EXCEPT jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Adding jeantestuser to exceptions
 register_test retvalshouldbe 0
 register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
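Review bot: The new `run blank ...` at the top of test_audit in 99.3.2 runs the check with no `describe` or `register_test` around it, apparently only so that the conf file exists before `echo 'EXCEPT="$EXCEPT debian"' >>` appends to it, yet it reuses the test name `blank` that the real blank-host run a few lines below also uses, which may confuse the harness's per-test bookkeeping. 6.2.9 in this same commit does the same preparation as `describe Running void to generate the conf file ...` followed by `/opt/debian-cis/bin/hardening/"${script}".sh || true`; using that form here would keep the two files consistent and avoid the duplicate name. The reason `debian` is excused is also undocumented; a comment such as `# TODO confirm: the CDS test image ships a 'debian' sudoer, excused so the blank-host run stays clean` above the echo would explain it. test_audit continues outside the hunk.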
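Review bot: Re-listing `debian` in `echo 'EXCEPT="$EXCEPT debian jeantestuser"'` in the second 99.3.2 hunk looks redundant: the line appended in the first hunk already placed `debian` in EXCEPT, and this line inherits it through `$EXCEPT`, so the variable ends up as `debian debian jeantestuser` unless something between the two hunks rewrites the conf file. The original `echo 'EXCEPT="$EXCEPT jeantestuser"'` could stay unchanged, which would also make the diff smaller. Harmless for the match, but as written it suggests this line is meant to be self-contained when it is not.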