Renum 99.x files to comply with debian10 CIS

2025-06-24 03:24:34 +02:00 · 2020-12-22 16:36:35 +01:00
parent 87e242a42d
commit 9cbc3f85a9
37 changed files with 109 additions and 291 deletions
--- a/tests/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.2.4_ssh_keys_from.sh
@ -0,0 +1,80 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    # shellcheck disable=2154
+    echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+
+    skip_tests
+    # shellcheck disable=2154
+    run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    useradd -s /bin/bash jeantestuser
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
+    register_test contain "[INFO] User jeantestuser has a valid shell"
+    register_test contain "[INFO] User jeantestuser has no home directory"
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    mkdir -p /home/secaudit/.ssh
+    touch /home/secaudit/.ssh/authorized_keys2
+    describe empty authorized keys file
+    register_test retvalshouldbe 0
+    run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ssh-keygen -N "" -t ed25519 -f /tmp/key1
+    cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
+    describe Key without from field
+    register_test retvalshouldbe 1
+    run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    {
+        echo -n 'from="127.0.0.1" '
+        cat /tmp/key1.pub
+    } >/home/secaudit/.ssh/authorized_keys2
+    describe Key with from, no ip check
+    register_test retvalshouldbe 0
+    run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # shellcheck disable=2016
+    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    {
+        echo -n 'from="10.0.1.2" '
+        cat /tmp/key1.pub
+    } >>/home/secaudit/.ssh/authorized_keys2
+    describe Key with from, filled allowed IPs, one bad ip
+    register_test retvalshouldbe 1
+    run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # shellcheck disable=2016
+    echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Key with from, filled allowed IPs, all IPs allowed
+    register_test retvalshouldbe 0
+    run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # shellcheck disable=2016
+    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    {
+        echo -n 'from="10.0.1.2",command="echo bla" '
+        cat /tmp/key1.pub
+        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
+        cat /tmp/key1.pub
+    } >>/home/secaudit/.ssh/authorized_keys2
+    describe Key with from and command options
+    register_test retvalshouldbe 0
+    run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    useradd -s /bin/bash -m jeantest2
+    # shellcheck disable=2016
+    echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Check only specified user
+    register_test retvalshouldbe 0
+    run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel jeantestuser
+    userdel -r jeantest2
+    rm -f /tmp/key1 /tmp/key1.pub
+}