Damcava35/set version (#257)

* feat: add "--set-version" option This feature will allow to chose a specific cis version to run, like debian 11 or debian 12 * chore: configure current repository as a version And use it as default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. Only impact is if you are used to execute scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended. I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept * chore: remove CIS recommendation numbers from bin/hardening scripts * fix: some tests are failing find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep --------- Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-15 05:12:17 +02:00 · 2025-07-01 08:41:55 +02:00
parent 99bc575714
commit be33848d81
734 changed files with 557 additions and 339 deletions
--- a/tests/hardening/sshd_limit_access.sh
+++ b/tests/hardening/sshd_limit_access.sh
@ -0,0 +1,130 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Check and report mismatch for allowed user
+    useradd -s /bin/bash johnallow
+    sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply allowed user
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple allowed users
+    useradd -s /bin/bash janeallow
+    sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple allowed users
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    tail -n 5 /etc/ssh/sshd_config
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset allowed users to default before continuing
+    sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Check and report mismatch for denied user
+    useradd -s /bin/bash peterdeny
+    sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply denied user
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple denied users
+    useradd -s /bin/bash marrydeny
+    sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple denied users
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset to prevent other test from possibly failing in the future
+    sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    userdel johnallow
+    userdel janeallow
+    userdel peterdeny
+    userdel marrydeny
+}