fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep
chore: remove CIS recommendation numbers from bin/hardening scripts
2025-07-16 13:52:17 +02:00 · 2025-06-25 16:58:41 +02:00 · 2025-06-25 16:58:41 +02:00 · 2025-06-25 16:58:41 +02:00 · 2025-06-25 16:58:35 +02:00
5 changed files with 48 additions and 29 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -319,7 +319,10 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
        # --only X has been specified at least once, is this script in my list ?
-        if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
            # not in the list
            continue
        fi
--- a/bin/hardening/record_mac_edit.sh
+++ b/bin/hardening/record_mac_edit.sh
@ -17,48 +17,64 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."

-AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
-AUDIT_FILE='/etc/audit/audit.rules'
-ADDITIONAL_PATH="/etc/audit/rules.d"
-FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    MISSING_PARAMS=()
-    index=0
-    # use find here in order to simplify test usage with sudo using secaudit user
-    FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
-    for i in "${!AUDIT_PARAMS[@]}"; do
-        debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-                debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-                ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
-            crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
-            MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
-            index=$((index + 1))
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
+    IFS=$d_IFS
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    audit
-    changes=0
-    for i in "${!MISSING_PARAMS[@]}"; do
-        info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
-        add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
-        changes=1
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
+            if [ "$FNRET" != 0 ]; then
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+            else
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
        done
-
-    [ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }

 # This function will check config parameters required
--- a/debian/control
+++ b/debian/control
@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/

 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch, coreutils
+Depends: ${misc:Depends}, patch
 Description: Suite of configurable scripts to audit or harden a Debian.
 Modular Debian security hardening scripts based on cisecurity.org
 ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
--- a/debian/rules
+++ b/debian/rules
@ -28,7 +28,6 @@ override_dh_install:
 	# (ls | sort -V | xargs -i echo /opt/cis-hardening/etc/conf.d/{} -- without README -- with ../hardening.cfg)
 	cp -R etc $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
 	cp -R lib $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
-	cp -R versions $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
 	# cleanup git stuff if any
 	find $(CURDIR)/debian/$(PACKAGE) -type f -name .gitignore -delete

--- a/tests/hardening/record_mac_edit.sh
+++ b/tests/hardening/record_mac_edit.sh
@ -2,7 +2,8 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

@ -12,6 +13,6 @@ test_audit() {

    describe Checking resolved state
    register_test retvalshouldbe 0
-    register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
+    register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
Author	SHA1	Message	Date
Damien Cavagnini	ecd32e8904	fix: some tests are failing find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep	2025-06-25 16:58:41 +02:00
Damien Cavagnini	b6965e73ec	chore: remove CIS recommendation numbers from bin/hardening scripts	2025-06-25 16:58:41 +02:00
Damien Cavagnini	aebb65889e	chore: configure current repository as a version And use it as default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. Only impact is if you are used to execute scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended. I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept	2025-06-25 16:58:41 +02:00
Damien Cavagnini	300095cfa1	feat: add "--set-version" option This feature will allow to chose a specific cis version to run, like debian 11 or debian 12	2025-06-25 16:58:35 +02:00