From a0796af547f85719f8216b96490fa0eac2bbdc72 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 26 Oct 2020 11:48:02 +0100
Subject: [PATCH] IMP(6.1.2,6.1.3,6.1.4): add purposely failing tests

---
 .../hardening/6.1.2_etc_passwd_permissions.sh | 33 ++++++++++++++++++-
 .../hardening/6.1.3_etc_shadow_permissions.sh | 33 ++++++++++++++++++-
 .../hardening/6.1.4_etc_group_permissions.sh | 33 ++++++++++++++++++-
 3 files changed, 96 insertions(+), 3 deletions(-)

diff --git a/tests/hardening/6.1.2_etc_passwd_permissions.sh b/tests/hardening/6.1.2_etc_passwd_permissions.sh
index b333419..743950b 100644
--- a/tests/hardening/6.1.2_etc_passwd_permissions.sh
+++ b/tests/hardening/6.1.2_etc_passwd_permissions.sh
@@ -6,5 +6,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcpasswduser"
+    local test_file="/etc/passwd"
+
+    describe Tests purposely failing
+    chmod 777 $test_file
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd $test_user
+    chown $test_user:$test_user $test_file
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel $test_user
 }
diff --git a/tests/hardening/6.1.3_etc_shadow_permissions.sh b/tests/hardening/6.1.3_etc_shadow_permissions.sh
index b333419..6df1fd7 100644
--- a/tests/hardening/6.1.3_etc_shadow_permissions.sh
+++ b/tests/hardening/6.1.3_etc_shadow_permissions.sh
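Review bot: The cleanup at the end of test_audit is only `userdel $test_user`, and it runs after a `--apply` whose failure is masked by `|| true`; if that apply does not restore ownership, `$test_file` (/etc/passwd here) is left owned by a UID that userdel has just removed, and a re-run in the same container then stops at `useradd` because the user already exists. The 6.1.3 (/etc/shadow) and 6.1.4 (/etc/group) hunks have the same structure, and in all three the opening lines of test_audit are outside the hunk. Restoring ownership explicitly in the cleanup block, which runs after the resolved-state check has already recorded its result, avoids that: `chown root:root "$test_file"` before `userdel "$test_user"` (for /etc/shadow use whatever group the hardening script enforces). The `$test_file`/`$test_user` expansions are unquoted (`chmod 777 $test_file`, `chown $test_user:$test_user $test_file`, `useradd $test_user`); the values are fixed literals so nothing breaks today, but this file goes through shellcheck (the `disable=2154` directive above), so quote them. The second `sed -i 's/audit/enabled/'` is a no-op once the first has run, and its unanchored pattern rewrites the first `audit` on any line of the cfg — if the key is `status=audit`, anchoring it (`s/^status=audit/status=enabled/`) is safer.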
@@ -6,5 +6,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcshadowuser"
+    local test_file="/etc/shadow"
+
+    describe Tests purposely failing
+    chmod 777 $test_file
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd $test_user
+    chown $test_user:$test_user $test_file
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel $test_user
 }
diff --git a/tests/hardening/6.1.4_etc_group_permissions.sh b/tests/hardening/6.1.4_etc_group_permissions.sh
index b333419..9f4306d 100644
--- a/tests/hardening/6.1.4_etc_group_permissions.sh
+++ b/tests/hardening/6.1.4_etc_group_permissions.sh
@@ -6,5 +6,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcgroupuser"
+    local test_file="/etc/group"
+
+    describe Tests purposely failing
+    chmod 777 $test_file
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd $test_user
+    chown $test_user:$test_user $test_file
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel $test_user
 }