mirror of
https://github.com/ovh/debian-cis.git
synced 2025-06-24 11:34:35 +02:00
IMP(test): Add feature to run functional tests in docker instance
Add usecase in basename Add test files for checks with find command Always show logs FIX: run void script to generate config and avoid sed failure Update README with functional test description Add skeleton for functional test Add argument to launch only specific test suite Add support for debian8 and compulsory mention of debian version at launch Improve README Simplify test file syntax to avoid copy/paste mistake Add script that runs tests on all debian targets Improve run_all_target script with nowait and nodel options Add dockerfile for Buster pre-version Chore: Use getopt for options and reviewed code by shellcheck Add trap to ensure cleanup on exit/interrupt Remove quotes that lead to `less` misinterpretation of the filenames Set `local` for variables inside `test_audit` func Move functional assertion functions to dedicated file Add cleanup for logs and containers Improve cleanup, and now exits Apply shellcheck recommendations FIX: allow script to be run from anywhere (dirname $0) Changes to be committed: modified: README.md new file: src/skel.test new file: tests/docker/Dockerfile.debian10_20181226 new file: tests/docker/Dockerfile.debian8 new file: tests/docker/Dockerfile.debian9 new file: tests/docker_build_and_run_tests.sh new file: tests/hardening/12.10_find_suid_files.sh new file: tests/hardening/12.11_find_sgid_files.sh new file: tests/hardening/12.7_find_world_writable_file.sh new file: tests/hardening/12.8_find_unowned_files.sh new file: tests/hardening/12.9_find_ungrouped_files.sh new file: tests/hardening/2.17_sticky_bit_world_writable_folder.sh new file: tests/launch_tests.sh new file: tests/lib.sh new file: tests/run_all_targets.sh
This commit is contained in:
29
tests/hardening/12.10_find_suid_files.sh
Executable file
29
tests/hardening/12.10_find_suid_files.sh
Executable file
@ -0,0 +1,29 @@
|
||||
test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unknown suid files found"
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/suid_file"
|
||||
touch $targetfile
|
||||
chmod 4700 $targetfile
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some suid files are present"
|
||||
register_test contain "$targetfile"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
chmod 700 $targetfile
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unknown suid files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
25
tests/hardening/12.11_find_sgid_files.sh
Executable file
25
tests/hardening/12.11_find_sgid_files.sh
Executable file
@ -0,0 +1,25 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unknown sgid files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/sgid_file"
|
||||
touch $targetfile
|
||||
chmod 2700 $targetfile
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some sgid files are present"
|
||||
register_test contain "$targetfile"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
chmod 700 $targetfile
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unknown sgid files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
25
tests/hardening/12.7_find_world_writable_file.sh
Executable file
25
tests/hardening/12.7_find_world_writable_file.sh
Executable file
@ -0,0 +1,25 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/worldwritable"
|
||||
touch $targetfile
|
||||
chmod 777 $targetfile
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable files are present"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
25
tests/hardening/12.8_find_unowned_files.sh
Executable file
25
tests/hardening/12.8_find_unowned_files.sh
Executable file
@ -0,0 +1,25 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unowned files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/unowned"
|
||||
touch $targetfile
|
||||
chown 1200 $targetfile
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some unowned files are present"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unowned files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
25
tests/hardening/12.9_find_ungrouped_files.sh
Executable file
25
tests/hardening/12.9_find_ungrouped_files.sh
Executable file
@ -0,0 +1,25 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No ungrouped files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/ungrouped"
|
||||
touch $targetfile
|
||||
chown 1200:1200 $targetfile
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some ungrouped files are present"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No ungrouped files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
24
tests/hardening/2.17_sticky_bit_world_writable_folder.sh
Executable file
24
tests/hardening/2.17_sticky_bit_world_writable_folder.sh
Executable file
@ -0,0 +1,24 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetdir="/home/secaudit/world_writable_folder"
|
||||
mkdir $targetdir || true
|
||||
chmod 777 $targetdir
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable directories are not on sticky bit mode"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
Reference in New Issue
Block a user