From ee4b2417c20cbb373a750853b9953b8792b982e8 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 2 Nov 2020 15:47:27 +0100
Subject: [PATCH] IMP(4.1.x): add tests for each checks
---
 bin/hardening/4.1.1.1_audit_log_storage.sh | 1 +
 bin/hardening/4.1.1.2_halt_when_audit_log_full.sh | 1 +
 bin/hardening/4.1.1.3_keep_all_audit_logs.sh | 1 +
 bin/hardening/4.1.4_record_date_time_edit.sh | 2 +-
 tests/hardening/4.1.1.1_audit_log_storage.sh | 11 ++++++++++-
 .../hardening/4.1.1.2_halt_when_audit_log_full.sh | 13 ++++++++++++-
 tests/hardening/4.1.1.3_keep_all_audit_logs.sh | 11 ++++++++++-
 tests/hardening/4.1.10_record_dac_edit.sh | 14 +++++++++++++-
 .../hardening/4.1.11_record_failed_access_file.sh | 15 ++++++++++++++-
 .../4.1.12_record_privileged_commands.sh | 9 ++++++++-
 tests/hardening/4.1.13_record_successful_mount.sh | 10 +++++++++-
 tests/hardening/4.1.14_record_file_deletions.sh | 10 +++++++++-
 tests/hardening/4.1.15_record_sudoers_edit.sh | 10 +++++++++-
 tests/hardening/4.1.16_record_sudo_usage.sh | 9 ++++++++-
 tests/hardening/4.1.17_record_kernel_modules.sh | 11 ++++++++++-
 tests/hardening/4.1.18_freeze_auditd_conf.sh | 9 ++++++++-
 tests/hardening/4.1.2_enable_auditd.sh | 9 ++++++++-
 tests/hardening/4.1.4_record_date_time_edit.sh | 13 ++++++++++++-
 tests/hardening/4.1.5_record_user_group_edit.sh | 13 ++++++++++++-
 tests/hardening/4.1.6_record_network_edit.sh | 15 ++++++++++++++-
 tests/hardening/4.1.7_record_mac_edit.sh | 9 ++++++++-
 tests/hardening/4.1.8_record_login_logout.sh | 12 +++++++++++-
 tests/hardening/4.1.9_record_session_init.sh | 11 ++++++++++-
 23 files changed, 199 insertions(+), 20 deletions(-)
diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh
index 072a833..08fc071 100755
--- a/bin/hardening/4.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.1.1_audit_log_storage.sh
@@ -39,6 +39,7 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
+ mkdir -p /etc/audit
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index ecbe7b8..dd3468c 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -44,6 +44,7 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
+ mkdir -p /etc/audit/auditd.conf
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
index dcb3f59..40f2c3c 100755
--- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
@@ -44,6 +44,7 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
+ mkdir -p /etc/audit
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/bin/hardening/4.1.4_record_date_time_edit.sh b/bin/hardening/4.1.4_record_date_time_edit.sh
index 3a33ced..2b158f8 100755
--- a/bin/hardening/4.1.4_record_date_time_edit.sh
+++ b/bin/hardening/4.1.4_record_date_time_edit.sh
@@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
diff --git a/tests/hardening/4.1.1.1_audit_log_storage.sh b/tests/hardening/4.1.1.1_audit_log_storage.sh
index b333419..2966a59 100644
--- a/tests/hardening/4.1.1.1_audit_log_storage.sh
+++ b/tests/hardening/4.1.1.1_audit_log_storage.sh
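Review bot: The file created by `touch $FILE` right after the new `mkdir -p /etc/audit` line takes its mode from the process umask, so a freshly created auditd.conf can end up world-readable, whereas the packaged auditd.conf is normally root-owned and not readable by other users. Creating it with an explicit mode, e.g. `install -m 0640 -o root -g root /dev/null "$FILE"` in place of `touch $FILE`, keeps the fallback consistent with the packaged file. The same applies to the matching branches in the 4.1.1.2 and 4.1.1.3 hunks below. apply() continues outside the hunk.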
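Review bot: In the 4.1.1.2 hunk, `mkdir -p /etc/audit/auditd.conf` creates a directory at the path that the following `touch $FILE` is meant to create as a file; assuming FILE is /etc/audit/auditd.conf as in the sibling checks, `touch` then succeeds silently on the directory and any later attempt to write space_left_action, action_mail_acct or admin_space_left_action into it will fail, leaving the check unresolved whenever this branch is taken. It should read `mkdir -p /etc/audit`, as the 4.1.1.1 and 4.1.1.3 hunks do. apply() continues outside the hunk.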
@@ -4,7 +4,16 @@ test_audit() {
 register_test retvalshouldbe 0 dismiss_count_for_test # shellcheck disable=2154
+ mkdir -p /etc/audit
+ touch /etc/audit/auditd.conf
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] max_log_file is present in /etc/audit/auditd.conf"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
index b333419..60c1a0d 100644
--- a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -4,7 +4,18 @@ test_audit() {
 register_test retvalshouldbe 0 dismiss_count_for_test # shellcheck disable=2154
+ mkdir -p /etc/audit
+ touch /etc/audit/auditd.conf
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] ^space_left_action[[:space:]]*=[[:space:]]*email is present in /etc/audit/auditd.conf"
+ register_test contain "[ OK ] ^action_mail_acct[[:space:]]*=[[:space:]]*root is present in /etc/audit/auditd.conf"
+ register_test contain "[ OK ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is present in /etc/audit/auditd.conf"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.1.3_keep_all_audit_logs.sh b/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
index b333419..17cef7c 100644
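Review bot: The added `mkdir -p /etc/audit` and `touch /etc/audit/auditd.conf` lines pre-create the config before the blank run, so the missing-file branch of apply() — the very branch this commit touches in bin/hardening/4.1.1.1 — is never exercised; the 4.1.1.2 and 4.1.1.3 test hunks have the same gap. Exercising the fix against an absent file (for example a second blank run after `rm -f /etc/audit/auditd.conf`, or dropping the `touch`) would have surfaced the directory-path typo in the 4.1.1.2 bin hunk. Separately, `[ OK ] max_log_file is present` lacks the anchored `^…[[:space:]]*=` form the 4.1.1.2 and 4.1.1.3 assertions use; if the 4.1.1.1 script's own pattern is the bare key this is fine, otherwise the `contain` will not match its output.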
--- a/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
@@ -4,7 +4,16 @@ test_audit() {
 register_test retvalshouldbe 0 dismiss_count_for_test # shellcheck disable=2154
+ mkdir -p /etc/audit
+ touch /etc/audit/auditd.conf
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is present in /etc/audit/auditd.conf"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.10_record_dac_edit.sh b/tests/hardening/4.1.10_record_dac_edit.sh
index b333419..3df1636 100644
--- a/tests/hardening/4.1.10_record_dac_edit.sh
+++ b/tests/hardening/4.1.10_record_dac_edit.sh
@@ -6,5 +6,17 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.11_record_failed_access_file.sh b/tests/hardening/4.1.11_record_failed_access_file.sh
index b333419..d0b91a6 100644
--- a/tests/hardening/4.1.11_record_failed_access_file.sh
+++ b/tests/hardening/4.1.11_record_failed_access_file.sh
@@ -6,5 +6,18 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
+
diff --git a/tests/hardening/4.1.12_record_privileged_commands.sh b/tests/hardening/4.1.12_record_privileged_commands.sh
index b333419..e5d43a4 100644
--- a/tests/hardening/4.1.12_record_privileged_commands.sh
+++ b/tests/hardening/4.1.12_record_privileged_commands.sh
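Review bot: Style: the 4.1.11 hunk adds an empty line after the closing `}`, which leaves a trailing blank line at end of file, and the extra blank lines before `describe Correcting situation` and before `run resolved` diverge from the layout used by the other 4.1.x tests in this commit; the 4.1.12, 4.1.6 and 4.1.8 hunks carry the same stray blanks. Dropping them keeps the test files uniform, so a later diff across them shows only real differences.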
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.13_record_successful_mount.sh b/tests/hardening/4.1.13_record_successful_mount.sh
index b333419..9ed4a97 100644
--- a/tests/hardening/4.1.13_record_successful_mount.sh
+++ b/tests/hardening/4.1.13_record_successful_mount.sh
@@ -6,5 +6,13 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.14_record_file_deletions.sh b/tests/hardening/4.1.14_record_file_deletions.sh
index b333419..f8af37a 100644
--- a/tests/hardening/4.1.14_record_file_deletions.sh
+++ b/tests/hardening/4.1.14_record_file_deletions.sh
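Review bot: The resolved-state check in the 4.1.12 hunk registers only `retvalshouldbe 0` and no `contain` assertion, so it passes as long as the script exits 0 even if no privileged-command rule was written at all; every other test in this commit pins at least one expected `[ OK ] … is present in /etc/audit/audit.rules` line. An exact line presumably cannot be hard-coded because the rules are generated from the setuid/setgid binaries found on the test host, but asserting a fragment that is stable across hosts (the rule's `-k` key, if the script uses a fixed one, or at minimum `register_test contain "[ OK ]"`) would make the resolved run prove that apply() produced something.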
@@ -6,5 +6,13 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.15_record_sudoers_edit.sh b/tests/hardening/4.1.15_record_sudoers_edit.sh
index b333419..5045bd2 100644
--- a/tests/hardening/4.1.15_record_sudoers_edit.sh
+++ b/tests/hardening/4.1.15_record_sudoers_edit.sh
@@ -6,5 +6,13 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.16_record_sudo_usage.sh b/tests/hardening/4.1.16_record_sudo_usage.sh
index b333419..f00f69c 100644
--- a/tests/hardening/4.1.16_record_sudo_usage.sh
+++ b/tests/hardening/4.1.16_record_sudo_usage.sh
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.17_record_kernel_modules.sh b/tests/hardening/4.1.17_record_kernel_modules.sh
index b333419..4d2be30 100644
--- a/tests/hardening/4.1.17_record_kernel_modules.sh
+++ b/tests/hardening/4.1.17_record_kernel_modules.sh
@@ -6,5 +6,14 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.18_freeze_auditd_conf.sh b/tests/hardening/4.1.18_freeze_auditd_conf.sh
index b333419..330369b 100644
--- a/tests/hardening/4.1.18_freeze_auditd_conf.sh
+++ b/tests/hardening/4.1.18_freeze_auditd_conf.sh
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.2_enable_auditd.sh b/tests/hardening/4.1.2_enable_auditd.sh
index b333419..f0130b5 100644
--- a/tests/hardening/4.1.2_enable_auditd.sh
+++ b/tests/hardening/4.1.2_enable_auditd.sh
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] auditd is enabled"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.4_record_date_time_edit.sh b/tests/hardening/4.1.4_record_date_time_edit.sh
index b333419..ae9f01a 100644
--- a/tests/hardening/4.1.4_record_date_time_edit.sh
+++ b/tests/hardening/4.1.4_record_date_time_edit.sh
@@ -6,5 +6,16 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.5_record_user_group_edit.sh b/tests/hardening/4.1.5_record_user_group_edit.sh
index b333419..09b8551 100644
--- a/tests/hardening/4.1.5_record_user_group_edit.sh
+++ b/tests/hardening/4.1.5_record_user_group_edit.sh
@@ -6,5 +6,16 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.6_record_network_edit.sh b/tests/hardening/4.1.6_record_network_edit.sh
index b333419..c4625c0 100644
--- a/tests/hardening/4.1.6_record_network_edit.sh
+++ b/tests/hardening/4.1.6_record_network_edit.sh
@@ -6,5 +6,18 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 }
diff --git a/tests/hardening/4.1.7_record_mac_edit.sh b/tests/hardening/4.1.7_record_mac_edit.sh
index b333419..d230ebf 100644
--- a/tests/hardening/4.1.7_record_mac_edit.sh
+++ b/tests/hardening/4.1.7_record_mac_edit.sh
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
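Review bot: The two syscall assertions in the 4.1.6 hunk use `-a exit,always` while every other syscall assertion in this commit (4.1.4, 4.1.10, 4.1.11, 4.1.13, 4.1.14, 4.1.17) uses `-a always,exit`; `contain` is a literal match, so unless bin/hardening/4.1.6_record_network_edit.sh really spells its AUDIT_PARAMS `exit,always`, both checks fail on the resolved run. That script is not part of this diff, so the spelling should be confirmed there and whichever side is the outlier aligned, e.g. `register_test contain "[ OK ] -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"` if the script uses the common form.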
diff --git a/tests/hardening/4.1.8_record_login_logout.sh b/tests/hardening/4.1.8_record_login_logout.sh
index b333419..fb126df 100644
--- a/tests/hardening/4.1.8_record_login_logout.sh
+++ b/tests/hardening/4.1.8_record_login_logout.sh
@@ -6,5 +6,15 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.1.9_record_session_init.sh b/tests/hardening/4.1.9_record_session_init.sh
index b333419..18c6e7b 100644
--- a/tests/hardening/4.1.9_record_session_init.sh
+++ b/tests/hardening/4.1.9_record_session_init.sh
@@ -6,5 +6,14 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules"
+ register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }