From ecd32e890444aee471e98324c64f4ca4b362e470 Mon Sep 17 00:00:00 2001
From: Damien Cavagnini
Date: Wed, 25 Jun 2025 12:03:17 +0200
Subject: [PATCH] fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---
 tests/hardening/find_ungrouped_files.sh | 8 ++++++--
 tests/hardening/find_unowned_files.sh | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/tests/hardening/find_ungrouped_files.sh b/tests/hardening/find_ungrouped_files.sh
index 6747c45..7bb1d73 100644
--- a/tests/hardening/find_ungrouped_files.sh
+++ b/tests/hardening/find_ungrouped_files.sh
@@ -4,8 +4,9 @@ test_audit() {
 describe Running void to generate the conf file that will later be edited
 # shellcheck disable=2154
 "${CIS_CHECKS_DIR}/${script}.sh" || true
+ sed -i '/^EXCLUDED/d' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 # shellcheck disable=2016
- echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ echo 'EXCLUDED="^/proc|^/home/secaudit/6.1.12/.*"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 mkdir /home/secaudit/6.1.12/
 touch /home/secaudit/6.1.12/test
 chown 1200:1200 /home/secaudit/6.1.12/test
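Review bot: The `# shellcheck disable=2016` kept above the new `echo 'EXCLUDED=...'` line is now stale: SC2016 warned about the literal `$EXCLUDED` inside single quotes, and the new string contains no `$` expansion at all, so the directive should be dropped (the same applies to the matching hunk of find_unowned_files.sh). Deleting every `^EXCLUDED` line and appending a fixed value also discards whatever exclusions the generated conf carried, which the old `"$EXCLUDED ..."` form kept; if that is intended, a comment such as `# replace the generated EXCLUDED list entirely: egrep alternation of anchored paths` on the sed line would stop the next reader from restoring it. test_audit continues outside the hunk.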
@@ -25,17 +26,20 @@ test_audit() {
 run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 describe Tests failing with find ignore flag
+ sed -i '/^FIND_IGNORE_NOSUCHFILE_ERR/d' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 register_test retvalshouldbe 1
 register_test contain "Some ungrouped files are present"
 run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ sed -i '/^status/s/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
 describe Checking resolved state
 register_test retvalshouldbe 0
 register_test contain "No ungrouped files found"
 run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ rm -rf /home/secaudit/6.1.12/ /home/secaudit/ungrouped
 }
diff --git a/tests/hardening/find_unowned_files.sh b/tests/hardening/find_unowned_files.sh
index 5480388..a925735 100644
--- a/tests/hardening/find_unowned_files.sh
+++ b/tests/hardening/find_unowned_files.sh
@@ -4,8 +4,9 @@ test_audit() {
 describe Running void to generate the conf file that will later be edited
 # shellcheck disable=2154
 "${CIS_CHECKS_DIR}/${script}.sh" || true
+ sed -i '/^EXCLUDED/d' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 # shellcheck disable=2016
- echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ echo 'EXCLUDED="/proc|^/home/secaudit/6.1.11/.*"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 mkdir /home/secaudit/6.1.11/
 touch /home/secaudit/6.1.11/test
 chown 1200 /home/secaudit/6.1.11/test
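Review bot: The new `rm -rf` at the end of test_audit only runs when every preceding step completes, so a run that stops earlier (however the harness reacts to a failing `register_test`/`run`) leaves `/home/secaudit/6.1.12/` behind and the plain `mkdir` in the first hunk fails with "File exists" on the next run — the non-repeatability this commit sets out to fix. Removing the directories at the start of test_audit, before the `mkdir`, makes the test idempotent regardless of how the previous run ended: `rm -rf -- /home/secaudit/6.1.12/ /home/secaudit/ungrouped`, keeping the end-of-test removal if a clean tree after the run matters. `/home/secaudit/ungrouped` is not created anywhere in the hunk — presumably the check's `--apply` moves files there — so a short comment on the rm line saying where it comes from would help. The same applies to the final hunk of find_unowned_files.sh.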
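Review bot: The new EXCLUDED value in find_unowned_files.sh writes `/proc` without the `^` anchor that the sibling hunk in find_ungrouped_files.sh uses, so as an egrep alternation it excludes any path containing `/proc` anywhere (a directory named `process` under a home, say), not only the procfs mount — an over-broad exclusion that would hide genuinely unowned files from the check. Use `echo 'EXCLUDED="^/proc|^/home/secaudit/6.1.11/.*"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"` so both tests agree. test_audit continues outside the hunk.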
@@ -25,17 +26,20 @@ test_audit() {
 run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 describe Tests failing with find ignore flag
+ sed -i '/^FIND_IGNORE_NOSUCHFILE_ERR/d' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 register_test retvalshouldbe 1
 register_test contain "Some unowned files are present"
 run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ sed -i '/^status/s/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
 "${CIS_CHECKS_DIR}/${script}.sh" || true
 describe Checking resolved state
 register_test retvalshouldbe 0
 register_test contain "No unowned files found"
 run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ rm -rf /home/secaudit/6.1.11 /home/secaudit/unowned
 }