Damcava35/deb12 scripts 10 (#294)

* fix ssh related tests As letting sshd active will mess with others scripts later * feat: add debian12 scripts - nftables_loopback_is_configured.sh -> 4.2.6 - nftables_established_connections.sh -> 4.2.7 - iptables_flushed_with_nftables.sh -> 4.2.3 - ufw_loopback_is_configured.sh -> 4.1.4 - ufw_outbound_connection.sh -> 4.1.5 - ufw_default_deny.sh -> 4.1.7 - ufw_rules_them_all.sh -> 4.1.6 --------- Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-09-03 13:18:21 +02:00 · 2025-09-02 13:57:12 +02:00
parent f0075600e1
commit 9bd170438c
40 changed files with 839 additions and 1 deletions
--- a/tests/hardening/configure_ssh_max_startups.sh
+++ b/tests/hardening/configure_ssh_max_startups.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^maxstartups[[:space:]]*10:30:60 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_root_login.sh
+++ b/tests/hardening/disable_root_login.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^PermitRootLogin[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_ssh_allow_tcp_forwarding.sh
+++ b/tests/hardening/disable_ssh_allow_tcp_forwarding.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^AllowTCPForwarding[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_sshd_hostbasedauthentication.sh
+++ b/tests/hardening/disable_sshd_hostbasedauthentication.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^HostbasedAuthentication[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_sshd_permitemptypasswords.sh
+++ b/tests/hardening/disable_sshd_permitemptypasswords.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^PermitEmptyPasswords[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_sshd_setenv.sh
+++ b/tests/hardening/disable_sshd_setenv.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^PermitUserEnvironment[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/disable_x11_forwarding.sh
+++ b/tests/hardening/disable_x11_forwarding.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^X11Forwarding[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/enable_ssh_pam.sh
+++ b/tests/hardening/enable_ssh_pam.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^usepam[[:space:]]*yes is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/enable_sshd_ignorerhosts.sh
+++ b/tests/hardening/enable_sshd_ignorerhosts.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/iptables_flushed_with_nftables.sh
+++ b/tests/hardening/iptables_flushed_with_nftables.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables iptables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables iptables
+
+}
--- a/tests/hardening/limit_ssh_max_sessions.sh
+++ b/tests/hardening/limit_ssh_max_sessions.sh
@@ -35,4 +35,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^maxsessions[[:space:]]*10 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/nftables_established_connections.sh
+++ b/tests/hardening/nftables_established_connections.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}
--- a/tests/hardening/nftables_loopback_is_configured.sh
+++ b/tests/hardening/nftables_loopback_is_configured.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}
--- a/tests/hardening/ssh_auth_pubk_only.sh
+++ b/tests/hardening/ssh_auth_pubk_only.sh
@@ -26,4 +26,6 @@ test_audit() {
    register_test contain "[ OK ] ^GSSAPIAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config"
    register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_banner.sh
+++ b/tests/hardening/ssh_banner.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^Banner[[:space:]]* is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_cry_kex.sh
+++ b/tests/hardening/ssh_cry_kex.sh
@@ -26,4 +26,6 @@ test_audit() {
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_cry_mac.sh
+++ b/tests/hardening/ssh_cry_mac.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^MACs[[:space:]]*hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_cry_rekey.sh
+++ b/tests/hardening/ssh_cry_rekey.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_disable_features.sh
+++ b/tests/hardening/ssh_disable_features.sh
@@ -25,4 +25,6 @@ test_audit() {
    register_test contain "[ OK ] ^PermitUserRC[[:space:]]*no is present in /etc/ssh/sshd_config"
    register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_strict_modes.sh
+++ b/tests/hardening/ssh_strict_modes.sh
@@ -20,4 +20,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ssh_sys_accept_env.sh
+++ b/tests/hardening/ssh_sys_accept_env.sh
@@ -26,4 +26,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_ciphers.sh
+++ b/tests/hardening/sshd_ciphers.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^Ciphers[[:space:]]*chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_idle_timeout.sh
+++ b/tests/hardening/sshd_idle_timeout.sh
@@ -20,4 +20,6 @@ test_audit() {
    register_test contain "[ OK ] ^ClientAliveInterval[[:space:]]*300 is present in /etc/ssh/sshd_config"
    register_test contain "[ OK ] ^ClientAliveCountMax[[:space:]]*0 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_limit_access.sh
+++ b/tests/hardening/sshd_limit_access.sh
@@ -127,4 +127,6 @@ test_audit() {
    userdel janeallow
    userdel peterdeny
    userdel marrydeny
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_login_grace_time.sh
+++ b/tests/hardening/sshd_login_grace_time.sh
@@ -19,4 +19,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^LoginGraceTime[[:space:]]*60 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_loglevel.sh
+++ b/tests/hardening/sshd_loglevel.sh
@@ -25,4 +25,6 @@ test_audit() {
    describe Checking custom conf
    register_test retvalshouldbe 0
    run customconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_maxauthtries.sh
+++ b/tests/hardening/sshd_maxauthtries.sh
@@ -35,4 +35,6 @@ test_audit() {
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^MaxAuthTries[[:space:]]*4 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    describe Clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/sshd_protocol.sh
+++ b/tests/hardening/sshd_protocol.sh
@@ -20,4 +20,6 @@ test_audit() {
    register_test contain "[ OK ] ^Protocol[[:space:]]*2 is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

+    describe clean test
+    pkill -9 sshd
 }
--- a/tests/hardening/ufw_default_deny.sh
+++ b/tests/hardening/ufw_default_deny.sh
@@ -0,0 +1,27 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="ACCEPT"/g' /etc/default/ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the default file
+    describe fix the situation
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_OUTPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_FORWARD_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}
--- a/tests/hardening/ufw_loopback_is_configured.sh
+++ b/tests/hardening/ufw_loopback_is_configured.sh
@@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-input -i lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-output -o lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s 127.0.0.0/8 -j DROP' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s ::1 -j DROP' >>/etc/ufw/user6.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}
--- a/tests/hardening/ufw_outbound_connection.sh
+++ b/tests/hardening/ufw_outbound_connection.sh
@@ -0,0 +1,43 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    # default case: we want the outbound all rule to be present, but it is not
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-output -o all -j ACCEPT' >>/etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reverse case: we don't want the outbound all rule to be present, but it is
+    describe prepare failed test
+    sed -i '/ALLOW_OUTBOUND_ALL/s/=.*/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Running failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe fix the situation
+    # shellcheck disable=2129
+    sed -i '$d' /etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}
--- a/tests/hardening/ufw_rules_them_all.sh
+++ b/tests/hardening/ufw_rules_them_all.sh
@@ -0,0 +1,9 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    # no much to test here, unless running on a privileged container, to run ufw commands
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}