diff --git a/bin/hardening/chrony_with_chrony_user.sh b/bin/hardening/chrony_with_chrony_user.sh
new file mode 100755
index 0000000..53650a4
--- /dev/null
+++ b/bin/hardening/chrony_with_chrony_user.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is running as user _chrony (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is running as user _chrony"
+FILE='/etc/chrony/chrony.conf'
+CHRONY_USER="_chrony"
+USER_PATTERN="^user"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ CHRONY_USER_VALID=0
+
+ local running_user=""
+ running_user=$($SUDO_CMD ps -ef | awk '/[c]hronyd/ { print $1 }')
+ if [ -z "$running_user" ]; then
+ CHRONY_USER_VALID=1
+ crit "chrony is not running"
+ elif [[ "$running_user" != "$CHRONY_USER" ]]; then
+ CHRONY_USER_VALID=1
+ crit "chrony is running as root"
+ else
+ ok "chrony is running as $CHRONY_USER"
+ fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ audit
+
+ if [ "$CHRONY_USER_VALID" -ne 0 ]; then
+ does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+ if [ "$FNRET" -eq 0 ]; then
+ sed -i '/'$USER_PATTERN'/d' "$FILE"
+ fi
+
+ add_end_of_file "$FILE" "user $CHRONY_USER"
+ info "$FILE modified, please restart the service"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? 
Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/disable_nfs_rpc.sh b/bin/hardening/disable_nfs_rpc.sh index 84ee4e2..18cad94 100755 --- a/bin/hardening/disable_nfs_rpc.sh +++ b/bin/hardening/disable_nfs_rpc.sh @@ -19,7 +19,7 @@ DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled." # shellcheck disable=2034 HARDENING_EXCEPTION=nfs -PACKAGES='rpcbind nfs-kernel-server' +PACKAGES='nfs-kernel-server' # This function will be called if the script status is on enabled / audit mode audit() { diff --git a/bin/hardening/ftp_client_not_installed.sh b/bin/hardening/ftp_client_not_installed.sh new file mode 100755 index 0000000..034c8db --- /dev/null +++ b/bin/hardening/ftp_client_not_installed.sh 
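Review bot: The `elif` branch of audit() reports `crit "chrony is running as root"` whatever `running_user` actually holds, and `running_user` becomes multi-line as soon as more than one chronyd process matches `ps -ef`, so a correctly configured host with two chronyd processes is reported as running as root. Report the observed value, `crit "chrony is running as $running_user"`, and collapse the awk output to distinct users, e.g. `awk '/[c]hronyd/ { print $1 }' | sort -u`, so the comparison only fails when a user other than _chrony is seen. In apply(), `sed -i '/'$USER_PATTERN'/d' "$FILE"` leaves the pattern expansion unquoted; `sed -i "/$USER_PATTERN/d" "$FILE"` is the safer form and reads as intended.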
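Review bot: With rpcbind dropped from PACKAGES, disable_nfs_rpc.sh no longer audits RPC at all, yet the DESCRIPTION just above the hunk still says "and RPC are not enabled" and nothing in the file says where rpcbind went. Add a comment next to the new PACKAGES line, e.g. `# rpcbind is handled by rpcbind_is_disabled.sh (it can be a dependency of other packages)`, and reword the DESCRIPTION to match. The audit() function opens on the hunk's last line and continues outside it.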
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ftp client is not installed (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure ftp client is not installed"
+PACKAGE='ftp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ # 0 means true in bash
+ PACKAGE_INSTALLED=1
+
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" -eq 0 ]; then
+ # var will be reused in 'apply'
+ PACKAGE_INSTALLED=0
+ crit "$PACKAGE is installed"
+ else
+ ok "$PACKAGE is not installed"
+ fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ audit
+ if [ "$PACKAGE_INSTALLED" -eq 0 ]; then
+ apt remove -y "$PACKAGE"
+ apt purge -y "$PACKAGE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/ipv6_is_enabled.sh b/bin/hardening/ipv6_is_enabled.sh
new file mode 100755
index 0000000..6557e9b
--- /dev/null
+++ b/bin/hardening/ipv6_is_enabled.sh
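Review bot: apply() calls `apt remove -y` and then `apt purge -y` directly, while rpcbind_is_disabled.sh in the same commit goes through the library's `apt_remove` helper; `apt` also warns that its CLI is not stable when used in scripts, so `apt-get purge -y "$PACKAGE"` (purge implies remove, so one call is enough) or the shared helper would be more consistent. On newer Debian releases `ftp` may only be a transitional package for another client (tnftp); if that is the case on the targeted releases, removing `ftp` alone leaves the real binary installed while the audit reports ok — worth confirming and, if so, checking both package names.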
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure IPv6 status is identified (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IPv6 status is identified"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ is_ipv6_enabled
+ if [ "$FNRET" -eq 0 ]; then
+ ok "ipv6 is enabled"
+ else
+ crit "ipv6 is disabled"
+ fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ info "Enable or disable manually IPv6 in accordance with system requirements and local site policy"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/network_services_listening.sh b/bin/hardening/network_services_listening.sh
index 061270e..78c6d0f 100755
--- a/bin/hardening/network_services_listening.sh
+++ b/bin/hardening/network_services_listening.sh
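Review bot: audit() emits `crit "ipv6 is disabled"`, but this control is marked Manual and apply() itself states that either state can be correct under local policy, so a host that deliberately disables IPv6 fails the audit run for something that is not a finding. Report the disabled state with `info "ipv6 is disabled"` (or `warn`) and reserve the ok/crit pair for controls that have a required state. The new test for this script needs `dismiss_count_for_test` to pass, which looks like a symptom of the same thing.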
@@ -24,20 +24,22 @@ EXCEPTIONS="" # This function will be called if the script status is on enabled / audit mode audit() { - local is_valid=0 + # shellcheck disable=2162 while read i; do socket=$(echo "$i" | awk '{print $5}') proc=$(echo "$i" | awk '{print $7}' | awk -F ',' '{print $1}' | sed 's/users:((//') - [ -n "$socket" ] && info -e "$proc listening on \t$socket" + if [ -n "$socket" ]; then + info -e "$proc listening on \t$socket" - # output example : - # "ntpd" listening on 127.0.0.1:123 - # "ntpd" listening on 0.0.0.0:123 + # output example : + # "ntpd" listening on 127.0.0.1:123 + # "ntpd" listening on 0.0.0.0:123 - if grep -w "$socket" <<<"$EXCEPTIONS" >/dev/null; then - debug "$socket" is an exception - else - crit "$socket" is not an exception + if grep -w "$socket" <<<"$EXCEPTIONS" >/dev/null; then + debug "$socket" is an exception + else + crit "$socket" is not an exception + fi fi done <<<"$($SUDO_CMD ss -plntuH)" diff --git a/bin/hardening/rpcbind_is_disabled.sh b/bin/hardening/rpcbind_is_disabled.sh new file mode 100755 index 0000000..dad7edf --- /dev/null +++ b/bin/hardening/rpcbind_is_disabled.sh 
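Review bot: The added `# shellcheck disable=2162` silences the warning rather than fixing it; `while read -r i; do` is the correct form (without `-r`, backslashes in the `ss` output are interpreted) and costs nothing here. Converting the `&&` one-liner into an `if` block is an improvement, since the non-empty-socket guard and the exception check now sit in one visible scope. audit() continues past the end of the hunk.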
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure rpcbind services are not in use (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure rpcbind services are not in use."
+PACKAGE='rpcbind'
+SERVICE="rpcbind.service"
+SOCKET="rpcbind.socket"
+
+# 2 scenario here:
+# - rcpbind is a dependency for another package -> disable the service, disable the socket
+# - rpcbind is not a dependency for another package -> remove the package
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ # 0 means true in bash
+ PACKAGE_INSTALLED=1
+ PACKAGE_IS_DEPENDENCY=1
+ SERVICE_ENABLED=1
+ SOCKET_ENABLED=1
+
+ is_pkg_installed "$PACKAGE"
+ [ "$FNRET" = 0 ] && PACKAGE_INSTALLED=0 # 0 means true in bash
+
+ is_pkg_a_dependency "$PACKAGE"
+ # dnsmasq is installed with dnsmasq-base, which
+ [ "$FNRET" = 0 ] && PACKAGE_IS_DEPENDENCY=0
+
+ is_service_enabled "$SERVICE"
+ [ "$FNRET" = 0 ] && SERVICE_ENABLED=0
+
+ is_socket_enabled "$SOCKET"
+ [ "$FNRET" = 0 ] && SOCKET_ENABLED=0
+
+ if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+ crit "$PACKAGE is installed and not a dependency"
+
+ elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+ local active=1
+ [ "$SERVICE_ENABLED" -eq 0 ] && active=0 && crit "$SERVICE is enabled" && active=0
+ [ "$SOCKET_ENABLED" -eq 0 ] && active=0 && crit "$SOCKET_ENABLED is enabled"
+
+ [ "$active" -eq 1 ] && ok "$PACKAGE is not used"
+
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ audit
+ if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+ crit "$PACKAGE is installed and not a dependency, removing it"
+ apt_remove "$PACKAGE" -y
+ apt-get autoremove -y
+ elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+ if [ "$SERVICE_ENABLED" -eq 0 ]; then
+ info "Stopping and masking $SERVICE"
+ systemctl stop "$SERVICE"
+ systemctl mask "$SERVICE"
+ fi
+
+ if [ "$SOCKET_ENABLED" -eq 0 ]; then
+ info "Stopping and masking $SOCKET"
+ systemctl stop "$SOCKET"
+ systemctl mask "$SOCKET"
+ fi
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/systemd_timesyncd_is_enabled_and_running.sh b/bin/hardening/systemd_timesyncd_is_enabled_and_running.sh
new file mode 100755
index 0000000..4025050
--- /dev/null
+++ b/bin/hardening/systemd_timesyncd_is_enabled_and_running.sh
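Review bot: In audit(), `crit "$SOCKET_ENABLED is enabled"` prints the flag value (`0`) instead of the unit name and should read `crit "$SOCKET is enabled"`; the line above it also assigns `active=0` twice. More seriously, the `elif` branch ends with `[ "$active" -eq 1 ] && ok ...`, so when the service or socket is enabled audit() returns 1, and since the script runs under `set -e` the plain `audit` call at the top of apply() aborts the script before the stop/mask code is reached (main.sh presumably invokes audit the same way — verify). Writing the branch with explicit `if` blocks, as below, fixes both and also lets the not-installed case emit an `ok`, which the current code never does. Separately, the comment `# dnsmasq is installed with dnsmasq-base, which` is cut off mid-sentence, and `apt_remove "$PACKAGE" -y` puts the flag after the package name whereas ftp_client_not_installed.sh uses `apt remove -y "$PACKAGE"`; check the helper's expected argument order.
```shell
    # … unchanged: package / dependency / service / socket probes …
    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
        crit "$PACKAGE is installed and not a dependency"
    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
        local active=1
        if [ "$SERVICE_ENABLED" -eq 0 ]; then
            active=0
            crit "$SERVICE is enabled"
        fi
        if [ "$SOCKET_ENABLED" -eq 0 ]; then
            active=0
            crit "$SOCKET is enabled"
        fi
        if [ "$active" -eq 1 ]; then
            ok "$PACKAGE is not used"
        fi
    else
        ok "$PACKAGE is not installed"
    fi
```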
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is enabled and running (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is enabled and running."
+PACKAGE="systemd-timesyncd"
+SERVICE="systemd-timesyncd.service"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ TIMESYNCD_INSTALLED=0
+ TIMESYNCD_ENABLED=0
+ TIMESYNCD_RUNNING=0
+
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" -ne 0 ]; then
+ TIMESYNCD_INSTALLED=1
+ crit "$PACKAGE is not installed"
+ fi
+ # no package, no need to check further
+ return
+
+ is_service_enabled "$SERVICE"
+ if [ "$FNRET" -ne 0 ]; then
+ TIMESYNCD_ENABLED=1
+ crit "$SERVICE is not enabled"
+ fi
+
+ is_service_active "$SERVICE"
+ if [ "$FNRET" -ne 0 ]; then
+ TIMESYNCD_RUNNING=1
+ crit "$SERVICE is not running"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ audit
+ if [ "$TIMESYNCD_INSTALLED" -eq 1 ]; then
+ warn "Please install $PACKAGE manually to ensure only one time synchronization system is installed"
+ fi
+
+ if [ "$TIMESYNCD_ENABLED" -eq 1 ]; then
+ info "Enabling $SERVICE service"
+ manage_service "enable" "$SERVICE"
+ fi
+
+ if [ "$TIMESYNCD_RUNNING" -eq 1 ]; then
+ info "Starting $SERVICE service"
+ manage_service "start" "$SERVICE"
+ fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/use_time_sync.sh b/bin/hardening/use_time_sync.sh index d6ab24c..73ec920 100755 --- a/bin/hardening/use_time_sync.sh +++ b/bin/hardening/use_time_sync.sh @@ -25,7 +25,7 @@ audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" -eq 0 ]; then - let count=$((count + 1)) + count=$(("$count" + 1)) fi done if [ "$count" -eq 0 ]; then diff --git a/cisharden.sudoers b/cisharden.sudoers index d606d78..bcc95c9 100644 --- a/cisharden.sudoers +++ b/cisharden.sudoers @@ -25,6 +25,8 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\ /sbin/modprobe,\ /usr/sbin/modprobe -n -v*,\ /usr/sbin/apparmor_status,\ - /usr/bin/ss * + /usr/bin/ss *,\ + /bin/ss *,\ + /usr/bin/ps * cisharden ALL = (root) NOPASSWD: SCL_CMD diff --git a/debian/control b/debian/control index 1388ba0..2505d0b 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/ Package: cis-hardening Architecture: all -Depends: ${misc:Depends}, patch, coreutils, iproute2 +Depends: ${misc:Depends}, patch, coreutils, iproute2, procps Description: Suite of configurable scripts to audit or harden a Debian. Modular Debian security hardening scripts based on cisecurity.org ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to diff --git a/lib/utils.sh b/lib/utils.sh index 8c1feaf..cd9c2d3 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
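Review bot: The bare `return` after the `is_pkg_installed` check in audit() sits outside the `if` block, so audit() always returns at that point and the `is_service_enabled` / `is_service_active` checks below it are dead code; TIMESYNCD_ENABLED and TIMESYNCD_RUNNING can therefore never become 1 and apply() never enables or starts the unit. Move the return inside the block, keeping the comment with it: `if [ "$FNRET" -ne 0 ]; then TIMESYNCD_INSTALLED=1; crit "$PACKAGE is not installed"; return; fi`. The file header and DESCRIPTION still read "Ensure chrony is enabled and running", a copy-paste from the chrony script that should name systemd-timesyncd.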
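Review bot: `count=$(("$count" + 1))` works in bash, but quoting a variable inside an arithmetic expansion is unusual and the `$` is not needed there; the idiomatic replacement for the removed `let` is `count=$((count + 1))`. audit() starts before the hunk and continues after it.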
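Review bot: `/usr/bin/ps *` grants the cisharden user passwordless `ps` with any arguments, but the only invocation this commit adds is `$SUDO_CMD ps -ef` in chrony_with_chrony_user.sh, so the rule can be narrowed to exactly that: `/usr/bin/ps -ef`. Sudoers wildcards match across argument boundaries, so keeping `*` only where the scripts genuinely vary their arguments keeps SCL_CMD at least privilege. The new `/bin/ss *` entry mirrors the existing `/usr/bin/ss *` for non-merged-usr hosts; if network_services_listening.sh's `ss -plntuH` is the only ss call in the suite, both entries could be pinned to those options as well.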
@@ -326,6 +326,27 @@ is_service_enabled() { fi } +is_socket_enabled() { + local SOCKET=$1 + + # if running in a container, it does not make much sense to test for systemd / service + # the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices + # currently, did not find a unified way to manage all cases, so we check this only for systemctl usage + is_using_sbin_init + if [ "$FNRET" -eq 1 ]; then + debug "host was not started using '/sbin/init', systemd should not be available" + FNRET=1 + return + fi + if $SUDO_CMD systemctl -t socket is-enabled "$SOCKET" >/dev/null; then + debug "Socket $SOCKET is enabled" + FNRET=0 + else + debug "Socket $SOCKET is disabled" + FNRET=1 + fi +} + # # Kernel Options checks # diff --git a/tests/docker/Dockerfile.debian11 b/tests/docker/Dockerfile.debian11 index 87a71ea..92c4d1f 100644 --- a/tests/docker/Dockerfile.debian11 +++ b/tests/docker/Dockerfile.debian11 @@ -7,7 +7,7 @@ LABEL description="This image is used to run tests" RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps COPY --chown=500:500 . /opt/debian-cis/ diff --git a/tests/docker/Dockerfile.debian12 b/tests/docker/Dockerfile.debian12 index 76e388e..c0391b5 100644 --- a/tests/docker/Dockerfile.debian12 +++ b/tests/docker/Dockerfile.debian12 
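Review bot: `systemctl -t socket is-enabled "$SOCKET"` reports only the unit-file state, so a socket that is disabled but currently active (started by hand or pulled in by a running rpcbind.service) still listens yet yields `FNRET=1` here, which rpcbind_is_disabled.sh then reports as "not used". Consider also checking `systemctl is-active "$SOCKET"` (the service side already has an `is_service_active` helper, per the timesyncd script), and redirect stderr as well, `>/dev/null 2>&1`, so a missing unit's error message does not land in the audit output. `-t socket` appears to be a listing filter that `is-enabled` ignores (unverified); the `.socket` suffix already disambiguates the unit, so it could be dropped.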
@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests" RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps COPY --chown=500:500 . /opt/debian-cis/ diff --git a/tests/hardening/chrony_is_enabled_and_running.sh b/tests/hardening/chrony_is_enabled_and_running.sh index b42b002..70596bd 100644 --- a/tests/hardening/chrony_is_enabled_and_running.sh +++ b/tests/hardening/chrony_is_enabled_and_running.sh @@ -11,6 +11,7 @@ test_audit() { # not much to test here, we are running in a container, we wont check service state describe Checking blank host register_test retvalshouldbe 0 + # shellcheck disable=2154 run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all apt remove -y chrony diff --git a/tests/hardening/chrony_with_chrony_user.sh b/tests/hardening/chrony_with_chrony_user.sh new file mode 100644 index 0000000..9f1c8e8 --- /dev/null +++ b/tests/hardening/chrony_with_chrony_user.sh @@ -0,0 +1,29 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + + describe prepare failing test + apt install -y chrony + echo "user root" >>/etc/chrony/chrony.conf + /usr/sbin/chronyd -Ux + + describe On purpose failing test + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" + "${CIS_CHECKS_DIR}/${script}.sh" --apply || true + + pkill chronyd + /usr/sbin/chronyd -Ux + + describe resolved test + register_test retvalshouldbe 0 + run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + pkill chronyd + apt remove chrony -y + +} 
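Review bot: The resolved-state run near the end of test_audit() in tests/hardening/chrony_with_chrony_user.sh is labelled `run failed ...` although the describe says "resolved test" and the expectation is `retvalshouldbe 0`; the other new tests use `run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all` for this step, and the label is what the harness reports. The cleanup `apt remove chrony -y` keeps /etc/chrony/chrony.conf, so the `user root` and `user _chrony` lines this test writes persist into later chrony tests in the same container; `apt purge -y chrony` or restoring the file would keep the tests independent (assuming the harness does not reset the container between scripts — verify).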
diff --git a/tests/hardening/ftp_client_not_installed.sh b/tests/hardening/ftp_client_not_installed.sh
new file mode 100644
index 0000000..8228089
--- /dev/null
+++ b/tests/hardening/ftp_client_not_installed.sh
@@ -0,0 +1,21 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+ describe Prepare on purpose failed test
+ apt install -y ftp
+
+ describe Running on purpose failed test
+ register_test retvalshouldbe 1
+ # shellcheck disable=2154
+ run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
diff --git a/tests/hardening/ipv6_is_enabled.sh b/tests/hardening/ipv6_is_enabled.sh
new file mode 100644
index 0000000..73a147e
--- /dev/null
+++ b/tests/hardening/ipv6_is_enabled.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}
diff --git a/tests/hardening/rpcbind_is_disabled.sh b/tests/hardening/rpcbind_is_disabled.sh
new file mode 100644
index 0000000..321ef20
--- /dev/null
+++ b/tests/hardening/rpcbind_is_disabled.sh
@@ -0,0 +1,36 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+ describe Prepare on purpose failed test
+ apt install -y rpcbind
+ # running on a container, will can only test the package installation, not the service management
+
+ describe Running on purpose failed test
+ register_test retvalshouldbe 1
+ # shellcheck disable=2154
+ run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe Prepare test package dependencies
+ # try to install a package that depends on 'rpcbind'
+ apt install -y rstatd
+ # running on a container, we can only test the package installation, not the service management
+
+ describe Running successfull test
+ register_test retvalshouldbe 0
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe clean installation
+ apt remove -y rpcbind rstatd
+ apt autoremove -y
+
+}
diff --git a/tests/hardening/systemd_timesyncd_is_enabled_and_running.sh b/tests/hardening/systemd_timesyncd_is_enabled_and_running.sh
new file mode 100644
index 0000000..2c4f39b
--- /dev/null
+++ b/tests/hardening/systemd_timesyncd_is_enabled_and_running.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+ describe Ensure package is installed
+
+ # install dependencies
+ apt update
+ apt install -y systemd-timesyncd
+
+ # not much to test here, we are running in a container, we wont check service state
+ describe Checking blank host
+ register_test retvalshouldbe 0
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ apt remove -y systemd-timesyncd
+ apt autoremove -y
+
+}
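Review bot: The label `describe Running successfull test` is misspelled and the first container comment, `# running on a container, will can only test the package installation`, is garbled; `describe Running successful test` and `# running in a container, we can only test the package installation, not the service management` (as the later comment already reads) would do. The dependency scenario relies on `rstatd` pulling rpcbind back in; if that package ever disappears from the test image's suite the second half silently degrades into a not-installed check, so a comment stating that expectation next to `apt install -y rstatd` would make a future failure easier to diagnose.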