FIX: fix test for CDS

This commit is contained in:
Thibault Ayanides 2020-11-05 14:24:57 +01:00
parent 67649ec407
commit 7b73eac6d6
5 changed files with 28 additions and 13 deletions


@ -4,7 +4,7 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true /opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016 # shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
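Review bot: The four paths added to EXCEPTIONS on the changed echo line (`/bin/fusermount`, `/usr/lib/eject/dmcrypt-get-device`, `/usr/bin/pkexec`, `/usr/lib/policykit-1/polkit-agent-helper-1`) are whitelisted with no record of why each is acceptable, so the next change to the CI image will grow the list again without anyone checking whether a new setuid binary is a distro default or a regression; this commit itself grows it from two entries to six. Add a comment above the line naming the origin of the list, e.g. `# setuid binaries shipped by the CI image's default packages (dbus, exim4, fuse, eject, policykit); extend only after confirming the binary is a distro default`. Note that excusing `/usr/bin/pkexec` makes the blank-host run pass without the test ever asserting that a non-excused binary is reported as KO, so a regression that stops flagging anything would still pass this hunk. test_audit begins before the hunk, so any such KO assertion would be outside view.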


@ -4,7 +4,7 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true /opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016 # shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
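Review bot: The new exception `/usr/lib/x86_64-linux-gnu/utempter/utempter` hardcodes the amd64 multiarch triplet, so the test will break again on any other architecture where the same helper lives under a different directory. If the exception list is matched by exact path and `dpkg-architecture` is available on the test image, derive the triplet instead: `echo "EXCEPTIONS=\"\$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/utempter/utempter\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg` — the switch from single to double quotes means `\$EXCEPTIONS` must stay escaped so the variable reference is written literally into the config. If that is not wanted, at least comment the line with the architecture assumption, e.g. `# amd64-specific multiarch path; adjust for other architectures`. test_audit begins before the hunk.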


@ -1,25 +1,34 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
useradd -m testhomeuser local test_user="testhomeuser"
chown root:root /home/testhomeuser
describe Wrong home owner describe Test purposely failing
useradd -m $test_user
chown root:root /home/$test_user
register_test retvalshouldbe 1 register_test retvalshouldbe 1
run wronghomeowner /opt/debian-cis/bin/hardening/"${script}".sh --audit-all register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "EXCEPTIONS=\"/home/testhomeuser:testhomeuser:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Added exceptions
describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
rm -rf /home/testhomeuser rm -rf "/home/${test_user:?}"
userdel -r testhomeuser userdel -r $test_user
} }
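Review bot: The step described as `correcting situation` does not correct the root-owned home directory; it rewrites the config so that `/home/testhomeuser` owned by root is excused, which means the resolved state is only ever reached by whitelisting the exact condition the check exists for and an actual ownership fix is never exercised. Add a genuine fix step before the exception step — chown the directory back to the user, assert a 0 return, then re-break ownership so the exception path is still tested on its own — as sketched below. The `>` on the rewritten EXCEPTIONS line also truncates the generated conf file to a single line, discarding whatever the void run wrote (the earlier hunk in this section appends with `>>`); if that file carries a status setting, the resolved run may be running in a different mode than the previous runs, which is worth confirming. Finally, quote the expansions on `useradd -m "$test_user"`, `chown root:root "/home/$test_user"` and `userdel -r "$test_user"` as the cleanup line already does.
```shell
    # … unchanged: noncompliant run …
    describe Fixing home ownership
    chown "$test_user:$test_user" "/home/$test_user"
    register_test retvalshouldbe 0
    run fixed /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # Re-break ownership so the exception path below is tested on its own
    chown root:root "/home/$test_user"
    describe correcting situation
    # … unchanged: exception rewrite, resolved run, cleanup …
```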


@ -3,6 +3,7 @@ test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "There is no password in /etc/shadow" register_test contain "There is no password in /etc/shadow"
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all


@ -1,5 +1,10 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# shellcheck disable=2016
echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
@ -17,7 +22,7 @@ test_audit() {
# shellcheck disable=2016 # shellcheck disable=2016
echo 'EXCEPT="$EXCEPT jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Adding jeantestuser to exceptions describe Adding jeantestuser to exceptions
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions" register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
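Review bot: In the first hunk the added `run blank` executes before any `register_test` expectation and before `describe Running on blank host`, so it can only serve to generate the conf file that the following echo appends to, yet it reuses the name `blank` that the real blank-host run presumably gets after `dismiss_count_for_test`, making the two runs indistinguishable in output. Name and describe it the way this commit does elsewhere — `describe Running void to generate the conf file that will later be edited` and `run void /opt/debian-cis/bin/hardening/"${script}".sh --audit-all` — and comment the exception line, e.g. `# the CI image ships a 'debian' account with NOPASSWD sudo rights; excuse it so a blank host passes`, since the reason for excusing `debian` is only inferable from the EXCUSED message in the second hunk and should be confirmed. In the second hunk `debian` is appended again although `$EXCEPT` already carries it from the first hunk; harmless, but the redundancy reads as if the intent was to replace rather than append. The body of test_audit between the two hunks is outside view.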