From b33ab3d9bfba7cd06b7c461c8c36f7043af3f79d Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Tue, 27 Oct 2020 16:16:23 +0100 Subject: [PATCH] IMP(5.1.2-5.1.7): add purposely failing tests --- .../hardening/5.1.2_crontab_perm_ownership.sh | 33 ++++++++++++++++++- .../5.1.3_cron_hourly_perm_ownership.sh | 33 ++++++++++++++++++- .../5.1.4_cron_daily_perm_ownership.sh | 33 ++++++++++++++++++- .../5.1.5_cron_weekly_perm_ownership.sh | 33 ++++++++++++++++++- .../5.1.6_cron_monthly_perm_ownership.sh | 33 ++++++++++++++++++- .../hardening/5.1.7_cron_d_perm_ownership.sh | 33 ++++++++++++++++++- 6 files changed, 192 insertions(+), 6 deletions(-) diff --git a/tests/hardening/5.1.2_crontab_perm_ownership.sh b/tests/hardening/5.1.2_crontab_perm_ownership.sh index b333419..63b2fb2 100644 --- a/tests/hardening/5.1.2_crontab_perm_ownership.sh +++ b/tests/hardening/5.1.2_crontab_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabduser" + local test_file="/etc/crontab" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user } diff --git a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh index b333419..be6edf8 100644 --- a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabuser" + local test_file="/etc/cron.hourly" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user } diff --git a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh index b333419..57b66e2 100644 --- a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabuser" + local test_file="/etc/cron.daily" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user } diff --git a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh index b333419..72fa18a 100644 --- a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabuser" + local test_file="/etc/cron.weekly" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user } diff --git a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh index b333419..f0baafd 100644 --- a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabuser" + local test_file="/etc/cron.monthly" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user } diff --git a/tests/hardening/5.1.7_cron_d_perm_ownership.sh b/tests/hardening/5.1.7_cron_d_perm_ownership.sh index b333419..7228a72 100644 --- a/tests/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/tests/hardening/5.1.7_cron_d_perm_ownership.sh @@ -6,5 +6,36 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testcrontabuser" + local test_file="/etc/cron.d" + + describe Tests purposely failing + chmod 777 $test_file + register_test retvalshouldbe 1 + register_test contain "permissions were not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Tests purposely failing + useradd $test_user + chown $test_user:$test_user $test_file + register_test retvalshouldbe 1 + register_test contain "ownership was not set to" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "has correct permissions" + register_test contain "has correct ownership" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel $test_user }