From ed1baa724edbfca616424d27fb92ddf6cfc6bb28 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Thu, 21 Jan 2021 11:21:18 +0100 Subject: [PATCH] IMP: mark some checks as useless --- bin/hardening/2.2.17_disable_nis.sh | 22 +++++++++++++++++-- tests/hardening/1.1.15_run_shm_nodev.sh | 7 +++++- tests/hardening/1.1.16_run_shm_nosuid.sh | 7 +++++- tests/hardening/1.1.17_run_shm_noexec.sh | 7 +++++- tests/hardening/1.1.23_disable_usb_storage.sh | 15 ++++++++----- tests/hardening/2.1.1_disable_xinetd.sh | 7 +++++- tests/hardening/2.2.17_disable_nis.sh | 7 +++++- .../hardening/2.3.4_disable_telnet_client.sh | 7 +++++- tests/hardening/2.3.5_disable_ldap_client.sh | 7 +++++- .../hardening/99.2.2_disable_telnet_server.sh | 7 +++++- 10 files changed, 77 insertions(+), 16 deletions(-) diff --git a/bin/hardening/2.2.17_disable_nis.sh b/bin/hardening/2.2.17_disable_nis.sh index d45ed1d..438f3aa 100755 --- a/bin/hardening/2.2.17_disable_nis.sh +++ b/bin/hardening/2.2.17_disable_nis.sh @@ -17,14 +17,32 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Disable NIS Server." +PACKAGES='nis' + # This function will be called if the script status is on enabled / audit mode audit() { - : + for PACKAGE in $PACKAGES; do + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + crit "$PACKAGE is installed!" + else + ok "$PACKAGE is absent" + fi + done } # This function will be called if the script status is on enabled mode apply() { - : + for PACKAGE in $PACKAGES; do + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge "$PACKAGE" -y + apt-get autoremove -y + else + ok "$PACKAGE is absent" + fi + done } # This function will check config parameters required diff --git a/tests/hardening/1.1.15_run_shm_nodev.sh b/tests/hardening/1.1.15_run_shm_nodev.sh index a9dafd8..e348207 100644 --- a/tests/hardening/1.1.15_run_shm_nodev.sh +++ b/tests/hardening/1.1.15_run_shm_nodev.sh 
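Review bot: The exit status of `apt-get purge "$PACKAGE" -y` in the new `apply()` is never checked, so a failed removal (held package, locked dpkg database) is logged as "purging it" and the run continues as if NIS were gone. Checking the result, e.g. `apt-get purge -y "$PACKAGE" || crit "$PACKAGE could not be purged"`, keeps the log honest about the host's actual state. The unconditional `apt-get autoremove -y` also drops any other auto-installed packages that happen to be orphaned, a side effect wider than this check's scope that deserves at least a comment such as `# autoremove also removes unrelated orphaned packages`. Note that the Debian `nis` package has historically shipped both ypserv and ypbind, so purging it removes the NIS client too even though DESCRIPTION says "Disable NIS Server." — worth a caveat in the header comment if that is intended (verify against the target release's packaging). The hunk's final context line introduces a function that lies outside it.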
@@ -16,5 +16,10 @@ test_audit() { # Cleanup rm /run/shm - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/1.1.16_run_shm_nosuid.sh b/tests/hardening/1.1.16_run_shm_nosuid.sh index dd9e258..695b564 100644 --- a/tests/hardening/1.1.16_run_shm_nosuid.sh +++ b/tests/hardening/1.1.16_run_shm_nosuid.sh @@ -16,5 +16,10 @@ test_audit() { # Cleanup rm /run/shm - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/1.1.17_run_shm_noexec.sh b/tests/hardening/1.1.17_run_shm_noexec.sh index dd9e258..695b564 100644 --- a/tests/hardening/1.1.17_run_shm_noexec.sh +++ b/tests/hardening/1.1.17_run_shm_noexec.sh @@ -16,5 +16,10 @@ test_audit() { # Cleanup rm /run/shm - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } 
diff --git a/tests/hardening/1.1.23_disable_usb_storage.sh b/tests/hardening/1.1.23_disable_usb_storage.sh index a5243cb..a576fcb 100644 --- a/tests/hardening/1.1.23_disable_usb_storage.sh +++ b/tests/hardening/1.1.23_disable_usb_storage.sh @@ -1,12 +1,15 @@ # shellcheck shell=bash # run-shellcheck test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - + if [ -f "/.dockerenv" ]; then + skip "SKIPPED on docker" + else + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + fi ################################################################## # For this test, we only check that it runs properly on a blank # # host, and we check root/sudo consistency. But, we don't test # diff --git a/tests/hardening/2.1.1_disable_xinetd.sh b/tests/hardening/2.1.1_disable_xinetd.sh index f85b20d..a5243cb 100644 --- a/tests/hardening/2.1.1_disable_xinetd.sh +++ b/tests/hardening/2.1.1_disable_xinetd.sh @@ -7,5 +7,10 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/2.2.17_disable_nis.sh b/tests/hardening/2.2.17_disable_nis.sh index f85b20d..a5243cb 100644 --- a/tests/hardening/2.2.17_disable_nis.sh +++ b/tests/hardening/2.2.17_disable_nis.sh 
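Review bot: The new `/.dockerenv` guard in `test_audit` turns the only test in this function into a skip, so 1.1.23 now has no coverage at all when the suite runs in a container, and the reason it cannot run there is not recorded anywhere in the hunk. A short comment above the guard would make the skip reviewable later, e.g. `# usb-storage handling is a kernel-module check; presumably not meaningful inside a container — TODO confirm`. `/.dockerenv` also only identifies Docker; under another container runtime the test would still attempt to run on the same unsuitable environment, so a harness-level flag or broader detection would be more robust. The comment box that follows the guard, and the end of `test_audit`, lie outside the hunk.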
@@ -7,5 +7,10 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/2.3.4_disable_telnet_client.sh b/tests/hardening/2.3.4_disable_telnet_client.sh index f85b20d..a5243cb 100644 --- a/tests/hardening/2.3.4_disable_telnet_client.sh +++ b/tests/hardening/2.3.4_disable_telnet_client.sh @@ -7,5 +7,10 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/2.3.5_disable_ldap_client.sh b/tests/hardening/2.3.5_disable_ldap_client.sh index f85b20d..a5243cb 100644 --- a/tests/hardening/2.3.5_disable_ldap_client.sh +++ b/tests/hardening/2.3.5_disable_ldap_client.sh 
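Review bot: This test still only runs `--audit-all` on a blank host, while the same commit gives bin/hardening/2.2.17_disable_nis.sh a real audit path that reports `crit "$PACKAGE is installed!"` when `nis` is present; that failing path is the one the check exists for, and nothing here exercises it. The new comment box only says the apply function is untestable, which does not cover the audit's negative case. If the harness allows it, a second scenario that installs `nis` in the test container and asserts a non-zero return (and, where supported, the "is installed!" message) would give the check meaningful coverage; I cannot tell from the hunk which assertions the harness provides beyond `register_test retvalshouldbe`. The opening lines of `test_audit` sit outside the hunk.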
@@ -7,5 +7,10 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## } diff --git a/tests/hardening/99.2.2_disable_telnet_server.sh b/tests/hardening/99.2.2_disable_telnet_server.sh index f85b20d..a5243cb 100644 --- a/tests/hardening/99.2.2_disable_telnet_server.sh +++ b/tests/hardening/99.2.2_disable_telnet_server.sh @@ -7,5 +7,10 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + ################################################################## + # For this test, we only check that it runs properly on a blank # + # host, and we check root/sudo consistency. But, we don't test # + # the apply function because it can't be automated or it is very # + # long to test and not very useful. # + ################################################################## }