From c51513e0831e3de84579d666c698c627233fb606 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 21 Jan 2021 10:59:26 +0100
Subject: [PATCH] IMP(1.8.1.4-6): add comprehensive tests

---
 tests/hardening/1.4.1_install_tripwire.sh | 7 +++-
 tests/hardening/1.6.3_disable_prelink.sh | 7 +++-
 tests/hardening/1.8.1.4_motd_perms.sh | 33 ++++++++++++++++++-
 tests/hardening/1.8.1.5_etc_issue_perms.sh | 33 ++++++++++++++++++-
 .../hardening/1.8.1.6_etc_issue_net_perms.sh | 33 ++++++++++++++++++-
 tests/hardening/4.2.1.1_install_syslog-ng.sh | 7 +++-
 tests/hardening/4.2.1.2_enable_syslog-ng.sh | 7 +++-
 7 files changed, 120 insertions(+), 7 deletions(-)

diff --git a/tests/hardening/1.4.1_install_tripwire.sh b/tests/hardening/1.4.1_install_tripwire.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/1.4.1_install_tripwire.sh
+++ b/tests/hardening/1.4.1_install_tripwire.sh
@@ -7,5 +7,10 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
 }
diff --git a/tests/hardening/1.6.3_disable_prelink.sh b/tests/hardening/1.6.3_disable_prelink.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/1.6.3_disable_prelink.sh
+++ b/tests/hardening/1.6.3_disable_prelink.sh
@@ -7,5 +7,10 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
 }
diff --git a/tests/hardening/1.8.1.4_motd_perms.sh b/tests/hardening/1.8.1.4_motd_perms.sh
index f85b20d..7b0cf63 100644
--- a/tests/hardening/1.8.1.4_motd_perms.sh
+++ b/tests/hardening/1.8.1.4_motd_perms.sh
@@ -7,5 +7,36 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ local test_user="motd-user"
+ local test_file="/etc/motd"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
 }
diff --git a/tests/hardening/1.8.1.5_etc_issue_perms.sh b/tests/hardening/1.8.1.5_etc_issue_perms.sh
index f85b20d..4ad468c 100644
--- a/tests/hardening/1.8.1.5_etc_issue_perms.sh
+++ b/tests/hardening/1.8.1.5_etc_issue_perms.sh
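Review bot: Cleanup in the new test_audit body is only reached on the happy path: `useradd "$test_user"` is unguarded and `userdel "$test_user"` is the last statement, so a run that stops early (a failing `chmod 777` if the target file is absent on the host, or a failed expectation in one of the `run noncompliant` steps, depending on how the harness's `run` behaves, which is not visible here) leaves the test account behind, and on the next run `useradd` fails while `chown` and the final `userdel` still act on whatever account carries that name. Guarding creation with `id "$test_user" >/dev/null 2>&1 || useradd "$test_user"` and moving the `userdel` into a cleanup that runs regardless of outcome, or at least directly after the ownership audit, would make the test idempotent. The two `describe Tests purposely failing` labels are also indistinguishable in the output; naming them (`describe Tests purposely failing: permissions` / `describe Tests purposely failing: ownership`) would make a failure easier to locate. The same body, with only the user and file names changed, is repeated in 1.8.1.5_etc_issue_perms.sh and 1.8.1.6_etc_issue_net_perms.sh, so the remarks apply to those hunks as well. The enclosing test_audit function begins before the hunk.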
@@ -7,5 +7,36 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ local test_user="issue-user"
+ local test_file="/etc/issue"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
 }
diff --git a/tests/hardening/1.8.1.6_etc_issue_net_perms.sh b/tests/hardening/1.8.1.6_etc_issue_net_perms.sh
index f85b20d..d1e0c6f 100644
--- a/tests/hardening/1.8.1.6_etc_issue_net_perms.sh
+++ b/tests/hardening/1.8.1.6_etc_issue_net_perms.sh
@@ -7,5 +7,36 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ local test_user="issue-net-user"
+ local test_file="/etc/issue.net"
+
+ describe Tests purposely failing
+ chmod 777 "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "permissions were not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Tests purposely failing
+ useradd "$test_user"
+ chown "$test_user":"$test_user" "$test_file"
+ register_test retvalshouldbe 1
+ register_test contain "ownership was not set to"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ register_test contain "has correct ownership"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel "$test_user"
 }
diff --git a/tests/hardening/4.2.1.1_install_syslog-ng.sh b/tests/hardening/4.2.1.1_install_syslog-ng.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/4.2.1.1_install_syslog-ng.sh
+++ b/tests/hardening/4.2.1.1_install_syslog-ng.sh
@@ -7,5 +7,10 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
 }
diff --git a/tests/hardening/4.2.1.2_enable_syslog-ng.sh b/tests/hardening/4.2.1.2_enable_syslog-ng.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/4.2.1.2_enable_syslog-ng.sh
+++ b/tests/hardening/4.2.1.2_enable_syslog-ng.sh
@@ -7,5 +7,10 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
 }