diff --git a/bin/hardening/6.1.5_etc_passwd_permissions.sh b/bin/hardening/6.1.2_etc_passwd_permissions.sh
similarity index 100%
rename from bin/hardening/6.1.5_etc_passwd_permissions.sh
rename to bin/hardening/6.1.2_etc_passwd_permissions.sh
diff --git a/bin/hardening/6.1.3_etc_gshadow-_permissions.sh b/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
new file mode 100755
index 0000000..528c579
--- /dev/null
+++ b/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.1.3 Ensure permissions on /etc/gshadow- are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check 640 permissions and root:root ownership on /etc/gshadow-"
+
+FILE='/etc/gshadow-'
+PERMISSIONS='640'
+USER='root'
+GROUP='root'
+GROUPSOK='root shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+ has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUPSOK"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown "$USER":"$GROUP" "$FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/6.1.6_etc_shadow_permissions.sh b/bin/hardening/6.1.4_etc_shadow_permissions.sh
similarity index 94%
rename from bin/hardening/6.1.6_etc_shadow_permissions.sh
rename to bin/hardening/6.1.4_etc_shadow_permissions.sh
index cdad8be..34e0a7a 100755
--- a/bin/hardening/6.1.6_etc_shadow_permissions.sh
+++ b/bin/hardening/6.1.4_etc_shadow_permissions.sh
@@ -6,7 +6,7 @@
 #
 
 #
-# 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+# 6.1.4 Ensure permissions on /etc/shadow are configured (Scored)
 #
 
 set -e # One error, it's over
@@ -15,7 +15,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=1
 # shellcheck disable=2034
-DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"
+DESCRIPTION="Check 640 permissions and root:root ownership on /etc/shadow"
 
 FILE='/etc/shadow'
 PERMISSIONS='640'
diff --git a/bin/hardening/6.1.7_etc_group_permissions.sh b/bin/hardening/6.1.5_etc_group_permissions.sh
similarity index 97%
rename from bin/hardening/6.1.7_etc_group_permissions.sh
rename to bin/hardening/6.1.5_etc_group_permissions.sh
index 05aa1ca..b7f0731 100755
--- a/bin/hardening/6.1.7_etc_group_permissions.sh
+++ b/bin/hardening/6.1.5_etc_group_permissions.sh
@@ -6,7 +6,7 @@
 #
 
 #
-# 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+# 6.1.5 Ensure permissions on /etc/group are configured (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/6.1.6_etc_passwd-_permissions.sh b/bin/hardening/6.1.6_etc_passwd-_permissions.sh
new file mode 100755
index 0000000..39fc7b7
--- /dev/null
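Review bot: The audit failure message `crit "$FILE ownership was not set to $USER:$GROUPSOK"` expands to `root:root shadow`, which reads as one malformed owner:group pair rather than a list of accepted groups; prefer `crit "$FILE ownership was not set to $USER and one of the groups: $GROUPSOK"` (the test only matches the prefix `ownership was not set to`, so it still passes). The audit side accepts either group while apply's fallback always sets `$USER:$GROUP`, i.e. root:root, which is consistent with DESCRIPTION but is easy to misread, so a one-line comment above `GROUPSOK='root shadow'` such as `# audit accepts any of these groups; apply falls back to $USER:$GROUP` would help. GROUP itself is only read in apply() and exists solely for that fallback.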
+++ b/bin/hardening/6.1.6_etc_passwd-_permissions.sh 
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
+
+FILE='/etc/passwd-'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown "$USER":"$GROUP" "$FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/6.1.7_etc_shadow-_permissions.sh b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
new file mode 100755
index 0000000..35c8995
--- /dev/null
+++ b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
+
+FILE='/etc/shadow-'
+PERMISSIONS='600'
+USER='root'
+GROUP='shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown "$USER":"$GROUP" "$FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/6.1.8_etc_group-_permissions.sh b/bin/hardening/6.1.8_etc_group-_permissions.sh
new file mode 100755
index 0000000..6de4f7c
--- /dev/null
+++ b/bin/hardening/6.1.8_etc_group-_permissions.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.1.2 Ensure permissions on /etc/group- are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
+
+FILE='/etc/group-'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown "$USER":"$GROUP" "$FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/6.1.9_etc_gshadow_permissions.sh b/bin/hardening/6.1.9_etc_gshadow_permissions.sh
new file mode 100755
index 0000000..e6b49f5
--- /dev/null
+++ b/bin/hardening/6.1.9_etc_gshadow_permissions.sh
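Review bot: The header comment of the new 6.1.8 script still carries the item number of the file it was copied from, `# 6.1.2 Ensure permissions on /etc/group- are configured (Scored)`, while the filename, DESCRIPTION and FILE all refer to 6.1.8 and /etc/group-. Change it to `# 6.1.8 Ensure permissions on /etc/group- are configured (Scored)` so the header matches the benchmark item the script implements.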
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check 640 permissions and root:root ownership on /etc/gshadow"
+
+FILE='/etc/gshadow'
+PERMISSIONS='640'
+USER='root'
+GROUP='shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown "$USER":"$GROUP" "$FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/lib/utils.sh b/lib/utils.sh
index b6844c4..4ef7666 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -88,6 +88,37 @@ has_file_correct_ownership() {
 fi
 }
 
+has_file_one_of_ownership() {
+ local FILE=$1
+ local USERS_OK=$2
+ local GROUPS_OK=$3
+
+ local USEROK=1
+ local GROUPOK=1
+
+ for USER in $USERS_OK; do
+ local USERID
+ USERID=$(id -u "$USER")
+ if [ "$($SUDO_CMD stat -c "%u" "$FILE")" = "$USERID" ]; then
+ USEROK=0
+ fi
+ done
+
+ for GROUP in $GROUPS_OK; do
+ local GROUPID
+ GROUPID=$(getent group "$GROUP" | cut -d: -f3)
+ if [ "$($SUDO_CMD stat -c "%g" "$FILE")" = "$GROUPID" ]; then
+ GROUPOK=0
+ fi
+ done
+
+ if [[ "$GROUPOK" = 0 ]] && [[ "$USEROK" = 0 ]]; then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
 has_file_correct_permissions() {
 local FILE=$1
 local PERMISSIONS=$2
diff --git a/tests/hardening/6.1.5_etc_passwd_permissions.sh b/tests/hardening/6.1.2_etc_passwd_permissions.sh
similarity index 100%
rename from tests/hardening/6.1.5_etc_passwd_permissions.sh
rename to tests/hardening/6.1.2_etc_passwd_permissions.sh
diff --git a/tests/hardening/6.1.3_etc_gshadow-_permissions.sh b/tests/hardening/6.1.3_etc_gshadow-_permissions.sh
new file mode 100755
index 0000000..e7ccfee
--- /dev/null
+++ b/tests/hardening/6.1.3_etc_gshadow-_permissions.sh
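Review bot: The new 6.1.9 script's header and DESCRIPTION contradict what it checks: the header reads `# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)` although FILE is /etc/gshadow, and DESCRIPTION says `root:root ownership` while the script sets `GROUP='shadow'` and therefore audits and enforces root:shadow. Change them to `# 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)` and `DESCRIPTION="Check 640 permissions and root:shadow ownership on /etc/gshadow"` so the reported description matches the enforced state; a wrong description here is what an operator reads when triaging the audit output.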
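Review bot: In has_file_one_of_ownership the loop variables in `for USER in $USERS_OK` and `for GROUP in $GROUPS_OK` are not declared local, so the helper overwrites the caller's globals of the same name — every hardening script in this commit sets `USER='root'` and `GROUP='root'`, and USER is also the login environment variable. After the call in 6.1.3's apply(), GROUP is left holding the last list entry (`shadow`), so its fallback `chown "$USER":"$GROUP" "$FILE"` no longer applies what that script declares; the test in tests/hardening/6.1.3 would presumably not notice because `shadow` is itself an accepted group. Two smaller points: `USERID=$(id -u "$USER")` aborts the whole calling script under its `set -e` when a list entry is not a known account instead of skipping it, an empty GROUPID from `getent` on an unknown group is compared as-is, and `stat` is re-run on every iteration. The rewrite below uses distinct local loop variables, skips unknown accounts and groups, and reads the file's uid/gid once.
```shell
has_file_one_of_ownership() {
    local FILE=$1
    local USERS_OK=$2
    local GROUPS_OK=$3

    local USEROK=1
    local GROUPOK=1

    # read the owner once instead of once per candidate
    local FILE_UID FILE_GID
    FILE_UID=$($SUDO_CMD stat -c "%u" "$FILE")
    FILE_GID=$($SUDO_CMD stat -c "%g" "$FILE")

    # loop variables are local: callers set USER/GROUP globals and must keep them
    local CANDIDATE_USER USERID
    for CANDIDATE_USER in $USERS_OK; do
        # unknown account: not a match, but not a reason to abort the caller under set -e
        USERID=$(id -u "$CANDIDATE_USER" 2>/dev/null) || continue
        if [ "$FILE_UID" = "$USERID" ]; then
            USEROK=0
        fi
    done

    local CANDIDATE_GROUP GROUPID
    for CANDIDATE_GROUP in $GROUPS_OK; do
        GROUPID=$(getent group "$CANDIDATE_GROUP" | cut -d: -f3)
        # empty GROUPID means the group does not exist; never treat it as a match
        if [ -n "$GROUPID" ] && [ "$FILE_GID" = "$GROUPID" ]; then
            GROUPOK=0
        fi
    done

    # … unchanged: FNRET assignment from USEROK/GROUPOK …
}
```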
@@ -0,0 +1,42 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="testetcgshadow-user"
+ local test_file="/etc/gshadow-"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
+}
diff --git a/tests/hardening/6.1.6_etc_shadow_permissions.sh b/tests/hardening/6.1.4_etc_shadow_permissions.sh
similarity index 100%
rename from tests/hardening/6.1.6_etc_shadow_permissions.sh
rename to tests/hardening/6.1.4_etc_shadow_permissions.sh
diff --git a/tests/hardening/6.1.7_etc_group_permissions.sh b/tests/hardening/6.1.5_etc_group_permissions.sh
similarity index 100%
rename from tests/hardening/6.1.7_etc_group_permissions.sh
rename to tests/hardening/6.1.5_etc_group_permissions.sh
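Review bot: The accept-one-of-several-groups behaviour is the only thing that distinguishes 6.1.3 from the other permission scripts, yet this test never exercises it: ownership is only checked after a chown to a fabricated user and again after apply, so a `root:shadow` /etc/gshadow-, which the script is meant to accept, is never audited. Add a step before the cleanup along the lines of `chown root:shadow "$test_file"`, `register_test retvalshouldbe 0`, `run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`, presumably under its own `describe`, so a regression in has_file_one_of_ownership that only ever matches the first group is caught. Separately, the second `sed -i 's/audit/enabled/' ...` under the second "correcting situation" is a no-op because the first already flipped the config to enabled; the same duplicated step appears in the new tests for 6.1.6, 6.1.7, 6.1.8 and 6.1.9.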
diff --git a/tests/hardening/6.1.6_etc_passwd-_permissions.sh b/tests/hardening/6.1.6_etc_passwd-_permissions.sh
new file mode 100755
index 0000000..455b2a6
--- /dev/null
+++ b/tests/hardening/6.1.6_etc_passwd-_permissions.sh
@@ -0,0 +1,42 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="testetcpasswd-user"
+ local test_file="/etc/passwd-"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
+}
diff --git a/tests/hardening/6.1.7_etc_shadow-_permissions.sh b/tests/hardening/6.1.7_etc_shadow-_permissions.sh
new file mode 100755
index 0000000..80b062f
--- /dev/null
+++ b/tests/hardening/6.1.7_etc_shadow-_permissions.sh
@@ -0,0 +1,42 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="testetcshadow-user"
+ local test_file="/etc/shadow-"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
+}
diff --git a/tests/hardening/6.1.8_etc_group-_permissions.sh b/tests/hardening/6.1.8_etc_group-_permissions.sh
new file mode 100755
index 0000000..a1884e8
--- /dev/null
+++ b/tests/hardening/6.1.8_etc_group-_permissions.sh
@@ -0,0 +1,42 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="testetcgroup--user"
+ local test_file="/etc/group-"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
+}
diff --git a/tests/hardening/6.1.9_etc_gshadow_permissions.sh b/tests/hardening/6.1.9_etc_gshadow_permissions.sh
new file mode 100755
index 0000000..9abc6d9
--- /dev/null
+++ b/tests/hardening/6.1.9_etc_gshadow_permissions.sh
@@ -0,0 +1,42 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="testetcgshadowuser"
+ local test_file="/etc/gshadow"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
+}