IMP(test): Add feature to run functional tests in docker instance

Add usecase in basename
Add test files for checks with find command
Always show logs
FIX: run void script to generate config and avoid sed failure
Update README with functional test description
Add skeleton for functional test
Add argument to launch only specific test suite
Add support for debian8 and compulsory mention of debian version at
launch
Improve README
Simplify test file syntax to avoid copy/paste mistake
Add script that runs tests on all debian targets
Improve run_all_target script with nowait and nodel options
Add dockerfile for Buster pre-version
Chore: Use getopt for options and reviewed code by shellcheck
Add trap to ensure cleanup on exit/interrupt
Remove quotes that lead to `less` misinterpretation of the filenames
Set `local` for variables inside `test_audit` func
Move functional assertion functions to dedicated file
Add cleanup for logs and containers
Improve cleanup, and now exits
Apply shellcheck recommendations
FIX: allow script to be run from anywhere (dirname $0)

 Changes to be committed:
	modified:   README.md
	new file:   src/skel.test
	new file:   tests/docker/Dockerfile.debian10_20181226
	new file:   tests/docker/Dockerfile.debian8
	new file:   tests/docker/Dockerfile.debian9
	new file:   tests/docker_build_and_run_tests.sh
	new file:   tests/hardening/12.10_find_suid_files.sh
	new file:   tests/hardening/12.11_find_sgid_files.sh
	new file:   tests/hardening/12.7_find_world_writable_file.sh
	new file:   tests/hardening/12.8_find_unowned_files.sh
	new file:   tests/hardening/12.9_find_ungrouped_files.sh
	new file:   tests/hardening/2.17_sticky_bit_world_writable_folder.sh
	new file:   tests/launch_tests.sh
	new file:   tests/lib.sh
	new file:   tests/run_all_targets.sh
Charles Herlin
2018-12-24 14:12:59 +01:00
parent 4fc79c133f
commit 863adc9c84
15 changed files with 673 additions and 0 deletions


@ -0,0 +1,29 @@
test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No unknown suid files found"
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/suid_file"
touch $targetfile
chmod 4700 $targetfile
register_test retvalshouldbe 1
register_test contain "Some suid files are present"
register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
chmod 700 $targetfile
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No unknown suid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
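Review bot: The `|| true` after the first run of the script hides a failed config generation, and the `>>` on the next line would then create the `.cfg` from scratch containing only the `EXCEPTIONS` line. The three audits that follow would run against that partial file, so a pass or fail would say little about the suid check itself. A guard before the append, such as `[ -f /opt/debian-cis/etc/conf.d/"${script}".cfg ] || return 1`, would surface the problem; how lib.sh expects a setup failure to be reported is not visible here. A short comment on why the dbus launch helper is whitelisted (presumably it is setuid in the base image) would also help the next reader.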


@ -0,0 +1,25 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No unknown sgid files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/sgid_file"
touch $targetfile
chmod 2700 $targetfile
register_test retvalshouldbe 1
register_test contain "Some sgid files are present"
register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
chmod 700 $targetfile
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No unknown sgid files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
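Review bot: The fixture mode in `chmod 2700 $targetfile` sets the setgid bit without group execute, a combination that traditionally marks a file for mandatory locking rather than a setgid executable. The test expects the audit to report it anyway, but `chmod 2710 $targetfile` would represent the case the check is about and would keep passing if the script's find expression (not visible here) were ever tightened to require the execute bit. The fixture also stays on disk after the resolved step; if suites share a container, removing it at the end keeps later tests independent.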


@ -0,0 +1,25 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No world writable files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/worldwritable"
touch $targetfile
chmod 777 $targetfile
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
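Review bot: The noncompliant step asserts only the generic message "Some world writable files are present" and never that the fixture itself was reported, unlike the suid and sgid tests, which add `register_test contain "$targetfile"`. Any other world-writable file in the image would satisfy this step, so it does not prove that the file created here is what the audit found. Adding the same `register_test contain "$targetfile"` line before the `run noncompliant` call would pin that down, assuming the script prints offending paths as the suid one appears to. The unowned and ungrouped tests have the same gap, and so does the sticky-bit test with `$targetdir`.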


@ -0,0 +1,25 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No unowned files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/unowned"
touch $targetfile
chown 1200 $targetfile
register_test retvalshouldbe 1
register_test contain "Some unowned files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No unowned files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
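Review bot: The remediation step runs `/opt/debian-cis/bin/hardening/"${script}".sh || true` with no flag, while the world-writable, ungrouped and sticky-bit tests run the same step with `--apply`. If the omission is deliberate (for instance because a bare run remediates once the cfg is enabled), a comment should say so; otherwise the line should read `/opt/debian-cis/bin/hardening/"${script}".sh --apply || true` to match its siblings. Because the `|| true` discards the exit status either way, a remediation that never ran shows up only indirectly, as a failure of the resolved audit.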


@ -0,0 +1,25 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "No ungrouped files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetfile="/home/secaudit/ungrouped"
touch $targetfile
chown 1200:1200 $targetfile
register_test retvalshouldbe 1
register_test contain "Some ungrouped files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No ungrouped files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
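Review bot: `chown 1200:1200 $targetfile` changes the owner as well as the group, so the fixture is both unowned and ungrouped and the test does not isolate the ungrouped check from the unowned one. `chgrp 1200 $targetfile` would leave the owner untouched and exercise only the group lookup. This test and the unowned one both rely on id 1200 being unassigned in every target image, which deserves a comment next to the number, e.g. `# 1200: uid/gid assumed absent from /etc/passwd and /etc/group in the test images`.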


@ -0,0 +1,24 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 $targetdir
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
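Review bot: `mkdir $targetdir || true` hides every mkdir failure, not only "already exists", and the `chmod 777` after it then runs on a path that may not be there. `mkdir -p "$targetdir"` is idempotent without swallowing other errors. The resolved step also relies solely on the script's own audit output; an independent check such as `[ -k "$targetdir" ]` after the apply would confirm that the sticky bit was really set on the directory.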