IMP(5.3.1): add test and config function for check

bin/hardening/5.3.1_enable_pwquality.sh

@@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
 
 PACKAGE='libpam-pwquality'
 
-PATTERN_COMMON="pam_pwquality.so"
+PATTERN_COMMON='pam_pwquality.so'
-FILE_COMMON="/etc/pam.d/common-password"
+FILE_COMMON='/etc/pam.d/common-password'
 
-PATTERNS_QUALITY=""
+OPTIONS=''
-FILE_QUALITY="/etc/security/pwquality.conf"
+FILE_QUALITY='/etc/security/pwquality.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -35,11 +35,12 @@ audit () {
         else
             crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
-        for PATTERN in $PATTERNS_QUALITY; do
+        for PW_OPT in $OPTIONS; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
-            PATTERN="$OPTION *= *$PARAM"
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE_QUALITY"
             else
@@ -58,13 +59,32 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
     if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
     else
-        crit "$PATTERN is not present in $FILE"
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
     fi 
+    
+    for PW_OPT in $OPTIONS; do
+        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE_QUALITY"
+        else
+            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
+            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+            if [ $FNRET != 0 ]; then
+                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+            fi
+        fi
+    done
 }
 
 # This function will create the config file for this check with default values
@@ -72,7 +92,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }
 

tests/hardening/5.3.1_enable_pwquality.sh

@@ -5,10 +5,22 @@ test_audit() {
     apt-get install -y libpam-pwquality
 
     describe Running on blank host
-    register_test retvalshouldbe 0
+    register_test retvalshouldbe 1
-    dismiss_count_for_test
+    register_test contain "libpam-pwquality is installed"
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] pam_pwquality.so is present in /etc/pam.d/common-password"
+    register_test contain "[ OK ] ^minlen[[:space:]]+=[[:space:]]+14 is present in /etc/security/pwquality.conf"
+    register_test contain "[ OK ] ^dcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
+    register_test contain "[ OK ] ^ucredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
+    register_test contain "[ OK ] ^ocredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
+    register_test contain "[ OK ] ^lcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.con"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }