diff --git a/.github/workflows/functionnal-tests.yml b/.github/workflows/functionnal-tests.yml
index aaa5e5f..fc479f4 100644
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@@ -18,3 +18,10 @@ jobs:
       uses: actions/checkout@v5
     - name: Run the tests debian12
       run: ./tests/docker_build_and_run_tests.sh debian12
+  functionnal-tests-docker-debian13:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repo
+      uses: actions/checkout@v5
+    - name: Run the tests debian13
+      run: ./tests/docker_build_and_run_tests.sh debian13
diff --git a/tests/docker/Dockerfile.debian13 b/tests/docker/Dockerfile.debian13
new file mode 100644
index 0000000..3ce6a1e
--- /dev/null
+++ b/tests/docker/Dockerfile.debian13
@@ -0,0 +1,21 @@
+FROM debian:trixie
+
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
+
+RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
+
+COPY --chown=500:500 . /opt/debian-cis/
+
+COPY debian/default /etc/default/cis-hardening
+RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
+
+COPY cisharden.sudoers /etc/sudoers.d/secaudit
+RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
+
+
+ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
diff --git a/tests/hardening/acc_logindefs_sha512.sh b/tests/hardening/acc_logindefs_sha512.sh
index f22ed03..bcfc7e0 100644
--- a/tests/hardening/acc_logindefs_sha512.sh
+++ b/tests/hardening/acc_logindefs_sha512.sh
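Review bot: `uses: actions/checkout@v5` in the new debian13 job references a mutable tag rather than a commit SHA, so an upstream retag of the action silently changes what runs in CI; pin it as `uses: actions/checkout@<full-commit-sha> # v5` (the existing debian12 job has the same issue, but that line is context here, not new). The job body is otherwise a verbatim copy of the debian12 job; a `strategy.matrix` over `[debian12, debian13]` would keep one job definition and avoid the two drifting apart, though that is a style preference rather than a defect.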
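Review bot: `RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit` rewrites a sudoers drop-in without validating it, so a bad substitution only surfaces later when a test's `sudo` call fails; validate in the same layer, e.g. `RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit && chmod 0440 /etc/sudoers.d/secaudit && visudo -cf /etc/sudoers.d/secaudit`. `COPY` leaves the file at the build context's mode, presumably 0644; sudo accepts that as long as the file is root-owned and not writable by group or others, but 0440 is the conventional mode for sudoers.d and makes the intent explicit. `FROM debian:trixie` is a moving tag, so the CI image changes with every point release; a digest pin (`debian:trixie@sha256:…`) would make the test image reproducible at the cost of manual bumps.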
@@ -10,6 +10,7 @@ test_audit() {
     cp /etc/login.defs /tmp/login.defs.bak
     describe Line as comment
     sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs
+    sed -i 's/\(ENCRYPT_METHOD YESCRYPT\)/# \1/' /etc/login.defs
     register_test retvalshouldbe 1
     register_test contain "is not present in /etc/login.defs"
     run commented "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@@ -22,6 +23,7 @@ test_audit() {
     cp /tmp/login.defs.bak /etc/login.defs
     sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs
+    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+YESCRYPT/ENCRYPT_METHOD MD5/' /etc/login.defs
     describe Fail: wrong hash function configuration
     register_test retvalshouldbe 1
     register_test contain "is not present in /etc/login.defs"
diff --git a/tests/hardening/check_user_dot_file_perm.sh b/tests/hardening/check_user_dot_file_perm.sh
index a27361a..b47791c 100644
--- a/tests/hardening/check_user_dot_file_perm.sh
+++ b/tests/hardening/check_user_dot_file_perm.sh
@@ -13,6 +13,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
     touch "/home/$test_user/$test_file"
+    chmod o+rx "/home/$test_user"
     chmod 777 "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "Group Write permission set on FILE"
diff --git a/tests/hardening/find_user_forward_files.sh b/tests/hardening/find_user_forward_files.sh
index cf95893..de6e089 100644
--- a/tests/hardening/find_user_forward_files.sh
+++ b/tests/hardening/find_user_forward_files.sh
@@ -12,6 +12,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"
diff --git a/tests/hardening/find_user_netrc_files.sh b/tests/hardening/find_user_netrc_files.sh
index 07b3ed1..68c1523 100644
--- a/tests/hardening/find_user_netrc_files.sh
+++ b/tests/hardening/find_user_netrc_files.sh
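Review bot: The new comment-out substitution only matches `ENCRYPT_METHOD YESCRYPT` separated by exactly one space, while the MD5 substitution later in the same file tolerates any run of whitespace with `[[:space:]]\+`; if a release ships the line with a tab or two spaces, this sed silently changes nothing and the `commented` test then fails for a reason unrelated to the check under test. Use the tolerant form here too: `sed -i 's/\(ENCRYPT_METHOD[[:space:]]\+YESCRYPT\)/# \1/' /etc/login.defs`. test_audit continues outside the hunk.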
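Review bot: `sed -ir` on the new YESCRYPT line is parsed by GNU sed as `-i` with backup suffix `r`, not as `-r -i`, so every run leaves a stray `/etc/login.defsr` behind and extended regex is never actually enabled (the SHA512 line it was copied from has the same flaw). The expression only uses BRE plus the GNU `\+` extension, which is why it happens to work; make that explicit with `sed -i 's/ENCRYPT_METHOD[[:space:]]\+YESCRYPT/ENCRYPT_METHOD MD5/' /etc/login.defs`. If extended regex is really intended, `\+` would have to become `+` under `-E`, so the two cannot simply be combined.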
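Review bot: `chmod o+rx "/home/$test_user"` carries no comment saying why the fixture user's home must be opened up, and the reason matters: presumably `useradd --create-home` on trixie creates the home 0700 (HOME_MODE in login.defs), which the audit cannot traverse, so it reports nothing. If that is the cause, the production check would equally miss a world-writable dotfile in every 0700 home on a real trixie host, where that is the default, which is worth confirming against the check script rather than only widening the test fixture. At minimum add `# trixie: useradd creates 0700 homes; open it so the audit can see the dotfile` above the chmod so the next reader does not remove it as noise.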
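Review bot: `chmod o+rx "/home/$test_user/"` spells the path with a trailing slash while the same change in check_user_dot_file_perm.sh uses `"/home/$test_user"`; both resolve to the directory, but consistent spelling across these near-identical fixtures keeps grep-driven refactors reliable. The line also lacks a comment on why the home has to be widened; a one-liner such as `# trixie: homes are created 0700, open it so the audit can list the file` would do. test_audit continues outside the hunk.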
@@ -12,6 +12,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"
diff --git a/tests/hardening/find_user_rhosts_files.sh b/tests/hardening/find_user_rhosts_files.sh
index c1ee40e..db91162 100644
--- a/tests/hardening/find_user_rhosts_files.sh
+++ b/tests/hardening/find_user_rhosts_files.sh
@@ -12,6 +12,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"
diff --git a/tests/hardening/ip6tables_outbound_established.sh b/tests/hardening/ip6tables_outbound_established.sh
index 024fb86..38ed1b8 100644
--- a/tests/hardening/ip6tables_outbound_established.sh
+++ b/tests/hardening/ip6tables_outbound_established.sh
@@ -7,7 +7,7 @@ test_audit() {
     tests_is_ipv6_enabled
     tests_get_debian_major_version
-    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -gt 11 ]; then
+    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -eq 12 ]; then
         # not much to test here, unless working on a privileged container
         describe Running on blank host
@@ -15,7 +15,7 @@ test_audit() {
         # shellcheck disable=2154
         run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-    elif [ "$CURRENT_IPV6_ENABLED" -ne 0 ] && [ "$DEB_MAJ_VER" -gt 11 ]; then
+    elif [ "$CURRENT_IPV6_ENABLED" -ne 0 ] && [ "$DEB_MAJ_VER" -eq 12 ]; then
         # not much to test here, unless working on a privileged container
         describe Running on blank host
diff --git a/tests/hardening/ip6tables_rules_them_all.sh b/tests/hardening/ip6tables_rules_them_all.sh
index 94674a6..acc2c59 100644
--- a/tests/hardening/ip6tables_rules_them_all.sh
+++ b/tests/hardening/ip6tables_rules_them_all.sh
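Review bot: Narrowing `-gt 11` to `-eq 12` in the `if` routes Debian 13 and every later release to whatever branch follows the `elif` (outside this hunk), with nothing in the code saying why trixie is excluded from the ip6tables path. If the reason is that trixie no longer ships the legacy ip6tables tooling or the check behaves differently there (inferred, not visible here), record it next to the condition, e.g. `# legacy ip6tables path is only exercised on Debian 12; later releases fall through below`. A hardcoded version equality also has to be revisited for each release, whereas gating on `command -v ip6tables` would self-adjust; test_audit continues beyond both hunks.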
@@ -6,7 +6,7 @@ test_audit() {
     tests_is_ipv6_enabled
     tests_get_debian_major_version
-    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -gt 11 ]; then
+    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -eq 12 ]; then
         describe Prepare test
         # shellcheck disable=2216
@@ -24,7 +24,7 @@ test_audit() {
     fi
-    if [ "$DEB_MAJ_VER" -gt 11 ]; then
+    if [ "$DEB_MAJ_VER" -eq 12 ]; then
         describe Running success
         register_test retvalshouldbe 0
diff --git a/tests/hardening/set_perm_on_user_netrc.sh b/tests/hardening/set_perm_on_user_netrc.sh
index bf428b2..311941f 100644
--- a/tests/hardening/set_perm_on_user_netrc.sh
+++ b/tests/hardening/set_perm_on_user_netrc.sh
@@ -12,6 +12,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     chmod 777 "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
diff --git a/tests/hardening/ssh_sys_accept_env.sh b/tests/hardening/ssh_sys_accept_env.sh
index 0ded261..437ab81 100644
--- a/tests/hardening/ssh_sys_accept_env.sh
+++ b/tests/hardening/ssh_sys_accept_env.sh
@@ -9,7 +9,8 @@ test_audit() {
     # Proceed to operation that will end up to a non compliant system
     describe Tests purposely failing
-    sed -ri 's/^\s*AcceptEnv\s+LANG LC_\*//' /etc/ssh/sshd_config
+    # remove the whole line, or sshd wont start (trixie)
+    sed -ri 's/^\s*AcceptEnv\s+LANG LC_\*.*$//' /etc/ssh/sshd_config
     register_test retvalshouldbe 1
     register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
     run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
diff --git a/tests/hardening/tftp_is_disabled.sh b/tests/hardening/tftp_is_disabled.sh
index 33fe314..fcf8f94 100644
--- a/tests/hardening/tftp_is_disabled.sh
+++ b/tests/hardening/tftp_is_disabled.sh
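Review bot: With both conditions changed to `-eq 12`, the `Running success` assertion in the second hunk is skipped entirely on Debian 13, so the test passes on trixie without registering any expectation at all (the surrounding branches are outside the hunk, so this is inferred from what is visible). That silently turns the test into a no-op on the newest release instead of a visible skip; at least emit one, e.g. `describe "ip6tables success case is only exercised on Debian 12"`, or gate on `command -v ip6tables` rather than on the version number so the test self-adjusts. A comment explaining why 13 is excluded would also spare the next person who bumps this for Debian 14.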
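Review bot: The new substitution blanks the `AcceptEnv LANG LC_*` line but leaves an empty line in sshd_config, and the comment above it has a typo (`wont`). Deleting the line is clearer and matches what the comment says: `sed -ri '/^\s*AcceptEnv\s+LANG LC_\*/d' /etc/ssh/sshd_config`, with the comment reading `# delete the whole line: a bare 'AcceptEnv' keeps sshd from starting on trixie`. It is also worth stating in the comment what the old pattern got wrong, since that is the bug being fixed: without `.*$` it stripped only the first two variable names and left a truncated directive behind whenever more followed on the same line (inferred from the comment, not directly visible here).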
@@ -19,18 +19,26 @@ test_audit() {
     register_test retvalshouldbe 0
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-    describe Prepare test package dependencies
-    # try to install a package that depends on 'tftpd-hpa'
-    apt install -y tftp-hpa-dbg
-    # running on a container, we can only test the package installation, not the service management
+    # trixie: apt-cache rdepends tfptd-hpa -> # E: No packages found
+    tests_get_debian_major_version
+    if [ "$DEB_MAJ_VER" -lt 13 ]; then
-    describe Running successfull test
-    register_test retvalshouldbe 0
-    # shellcheck disable=2154
-    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+        describe Prepare test package dependencies
+        # try to install a package that depends on 'tftpd-hpa'
+        apt install -y tftp-hpa-dbg
+        # running on a container, we can only test the package installation, not the service management
+
+        describe Running successfull test
+        register_test retvalshouldbe 0
+        # shellcheck disable=2154
+        run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+        apt remove -y tftp-hpa-dbg
+
+    fi
     describe clean installation
-    apt remove -y tftp-hpa-dbg tftpd-hpa
+    apt remove -y tftpd-hpa
     apt autoremove -y
 }
diff --git a/tests/hardening/use_time_sync.sh b/tests/hardening/use_time_sync.sh
index 6076ff7..94d4545 100644
--- a/tests/hardening/use_time_sync.sh
+++ b/tests/hardening/use_time_sync.sh
@@ -1,6 +1,9 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe prepare test
+    apt remove -y systemd-timesyncd ntp chrony
+
     describe Running on blank host
     register_test retvalshouldbe 1
     # shellcheck disable=2154
@@ -8,7 +11,7 @@ test_audit() {
     describe Correcting situation
     apt-get update
-    apt-get install -y ntp
+    apt-get install -y chrony
     # Finally assess that your corrective actions end up with a compliant system
     describe Checking resolved state
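Review bot: The new comment misspells the package (`tfptd-hpa`) and reads like a pasted error rather than an explanation; `# trixie: nothing in the archive depends on tftpd-hpa any more (apt-cache rdepends finds no packages), so the dependency test cannot run there` says what the reader needs. Gating on `"$DEB_MAJ_VER" -lt 13` hardcodes a fact about the archive that may change again in either direction; `if apt-cache show tftp-hpa-dbg >/dev/null 2>&1; then` tests the actual condition and keeps working on later releases without another edit. The relocated `apt install -y tftp-hpa-dbg` still relies on the package lists baked into the test image, since no `apt-get update` precedes it, which is fine as long as the Dockerfile keeps those lists.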
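Review bot: `apt remove -y systemd-timesyncd ntp chrony` exits non-zero with `Unable to locate package` if any one of those names is unknown to apt on the release under test, which would abort the whole test should the harness run with `set -e` (not visible here); removing only what is present avoids that, e.g. `for p in systemd-timesyncd ntp chrony; do dpkg -s "$p" >/dev/null 2>&1 && apt-get remove -y "$p"; done`. The new step also uses the `apt` front end while the install a few lines down uses `apt-get`; `apt` warns that its interface is not stable for scripts, so `apt-get remove` keeps the file consistent. `describe prepare test` is the only lower-case description in the file; `describe Prepare test` matches the other fixtures.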
@@ -17,7 +20,7 @@ test_audit() {
     # we can not check the presence of multiple time synchronization from debian packages, as they are mutually exclusive
     describe clean installation
-    apt remove -y ntp
+    apt remove -y chrony
     apt autoremove -y
 }
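Review bot: `apt remove -y chrony` keeps the file mixing the `apt` front end with the `apt-get install -y chrony` a few lines up; `apt` warns that its CLI is not stable for scripting, so `apt-get remove -y chrony` here (and for the removal added at the top of the function) keeps the whole test on one tool. Since systemd-timesyncd is removed at the start of this test and nothing reinstalls it, the container ends the test with no time-sync package at all; harmless for a throwaway test container, but a one-line comment such as `# leaves the container without any time-sync package; later tests must not depend on one` would make that explicit. test_audit's body starts outside the hunk.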