IMP(8.2.5): find multiline pattern in files (syslog)

Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')

Improved pattern in 8.2.5

Add syslog-ng to installed dependencies in Dockerfiles

Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`

Improved test files
Applied shellcheck recommendations
This commit is contained in:
Charles Herlin
2019-02-22 12:39:41 +01:00
parent 7408216957
commit 80a1146af7
8 changed files with 123 additions and 30 deletions

View File

@ -2,7 +2,7 @@ FROM debian:buster-20181226
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng
COPY --chown=500:500 . /opt/debian-cis/

View File

@ -2,7 +2,7 @@ FROM debian:jessie
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng
COPY --chown=500:500 . /opt/debian-cis/

View File

@ -2,7 +2,7 @@ FROM debian:stretch
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng
COPY --chown=500:500 . /opt/debian-cis/

View File

@ -1,10 +1,49 @@
# run-shellcheck
test_audit() {
#set -x
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf
grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf
describe Checking one line conf
register_test retvalshouldbe 0
run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
cat >> /etc/syslog-ng/syslog-ng.conf <<EOF
destination mySyslog {
tcp ("syslog.example.tld"),
port(1234),
EOF
describe Checking mutliline conf
register_test retvalshouldbe 0
run multiline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
#echo "#Sample conf" >/etc/syslog-ng/conf.d/1_tcp_destination
echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination
cat /etc/syslog-ng/conf.d/1_tcp_destination
describe Checking file in subdirectory
register_test retvalshouldbe 0
run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
#mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
rm /etc/syslog-ng/conf.d/1_tcp_destination
}

View File

@ -1,10 +1,14 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
register_test retvalshouldbe 1
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking auto resolved state
register_test retvalshouldbe 0
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}