From d18f5edfba93391a1ba98336fb01463a85b570c5 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Fri, 15 Feb 2019 16:56:54 +0100
Subject: [PATCH] FIX(99.2): add missing $SUDO_CMD

---
 bin/hardening/99.2_disable_usb_devices.sh | 4 ++--
 tests/hardening/99.2_disable_usb_devices.sh | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 tests/hardening/99.2_disable_usb_devices.sh

diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
index 4b193d5..bd9a04d 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
+++ b/bin/hardening/99.2_disable_usb_devices.sh
@@ -23,9 +23,9 @@ audit () {
 SEARCH_RES=0
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
 if [ $SEARCH_RES = 1 ]; then break; fi
- if test -d $FILE_SEARCHED; then
+ if $SUDO_CMD test -d $FILE_SEARCHED; then
 debug "$FILE_SEARCHED is a directory"
- for file_in_dir in $(ls $FILE_SEARCHED); do
+ for file_in_dir in $( $SUDO_CMD ls $FILE_SEARCHED); do
 does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
 if [ $FNRET != 0 ]; then
 debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
diff --git a/tests/hardening/99.2_disable_usb_devices.sh b/tests/hardening/99.2_disable_usb_devices.sh
new file mode 100644
index 0000000..dbeda10
--- /dev/null
+++ b/tests/hardening/99.2_disable_usb_devices.sh
@@ -0,0 +1,20 @@
+# run-shellcheck
+test_audit() {
+
+ mkdir /etc/udev/rules.d
+ chmod -R 700 /etc/udev
+
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
+
+ describe compliant
+ register_test retvalshouldbe 0
+ run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
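Review bot: The new `for file_in_dir in $( $SUDO_CMD ls $FILE_SEARCHED); do` still word-splits the `ls` output and leaves `$FILE_SEARCHED` unquoted, so a rules file whose name contains whitespace is split into several bogus paths that `does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir"` then checks as non-existent files, and any subdirectory in rules.d is handed to that check as well. Because the elevated listing is needed here (the directory may be unreadable without `$SUDO_CMD`, which is exactly what the new test forces), the smallest hardening is `for file_in_dir in $($SUDO_CMD ls -1 -- "$FILE_SEARCHED"); do` followed by `$SUDO_CMD test -f "$FILE_SEARCHED/$file_in_dir" || continue`; a `$SUDO_CMD find "$FILE_SEARCHED" -maxdepth 1 -type f -print0` loop would be the fully robust form. The pattern is also matched against every entry regardless of suffix, whereas udev only loads `*.rules` files from rules.d, so a leftover file with any other extension can make the audit report the USB control as present when it is not in effect — consider restricting the listing to `*.rules`. The `audit` function and this loop both continue outside the hunk.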
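Review bot: The compliant fixture is written to `/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh`, a name udev itself would not load (it only picks up `*.rules` files from rules.d), so the test only proves that the audit greps any file in that directory, not that an effective rule is detected; renaming it to `10-CIS_99.2_usb_devices.rules` makes the test exercise the same file the control actually relies on and keeps it valid if the audit is later tightened to `*.rules`. The bare `mkdir /etc/udev/rules.d` also fails if the directory already exists on the test image, which aborts the function under a `set -e` harness, so `mkdir -p /etc/udev/rules.d` is safer. The `chmod -R 700 /etc/udev` is presumably there to make the tree unreadable for the unprivileged runner and force the `$SUDO_CMD` path this commit fixes; a one-line comment such as `# make /etc/udev unreadable for the runner so the audit must go through $SUDO_CMD` would tell the next reader that it is deliberate. There is no negative case (directory present but rule absent, or a rule with `ATTR{authorized_default}="1"`), so the `# TODO` should at least name those.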