feat: add basic pre commit

Ensure a check has a corresponding test

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"

bin/hardening/1.6.5_restrict_ptrace_scope.sh

@@ -1,71 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.6.2 Ensure ptrace_scope is restricted
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Ensure ptrace_scope is restricted."
-
-SYSCTL_PARAM='kernel.yama.ptrace_scope'
-SYSCTL_EXP_RESULT=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ "$FNRET" != 0 ]; then
-        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ "$FNRET" = 255 ]; then
-        warn "$SYSCTL_PARAM does not exist -- Typo?"
-    else
-        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ "$FNRET" != 0 ]; then
-        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    elif [ "$FNRET" = 255 ]; then
-        warn "$SYSCTL_PARAM does not exist -- Typo?"
-    else
-        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure HTTP-proxy is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 
-PACKAGES='squid3 squid tinyproxy'
+PACKAGES='squid3 squid'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.2.17_disable_nis.sh

@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 
-PACKAGES='nis ypserv'
+PACKAGES='nis'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.2.18_disable_tftp.sh

@@ -1,73 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 2.2.18 Ensure TFTP server is not enabled  (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Ensure Trivial File Transfer Protocol server is not enabled."
-# shellcheck disable=2034
-HARDENING_EXCEPTION=tftp
-
-PACKAGES='tftpd tftpd-hpa'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    for PACKAGE in $PACKAGES; do
-        is_pkg_installed "$PACKAGE"
-        if [ "$FNRET" = 0 ]; then
-            crit "$PACKAGE is installed!"
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    for PACKAGE in $PACKAGES; do
-        is_pkg_installed "$PACKAGE"
-        if [ "$FNRET" = 0 ]; then
-            crit "$PACKAGE is installed, purging it"
-            apt-get purge "$PACKAGE" -y
-            apt-get autoremove -y
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/2.2.8_disable_dns_server.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 
-PACKAGES='bind9 unbound dnsmasq'
+PACKAGES='bind9 unbound'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.3.1_disable_nis.sh

@@ -17,23 +17,21 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 
-PACKAGES='nis ypbind-mt'
+PACKAGE='nis'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    for PACKAGE in $PACKAGES; do
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed!"
     else
         ok "$PACKAGE is absent"
     fi
-    done
+    :
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    for PACKAGE in $PACKAGES; do
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed, purging it"
@@ -42,7 +40,6 @@ apply() {
     else
         ok "$PACKAGE is absent"
     fi
-    done
 }
 
 # This function will check config parameters required

bin/hardening/99.1.1.23_disable_usb_devices.sh

@@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     SEARCH_RES=0
+    # if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+    # shellcheck disable=SC2086
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
         if [ "$SEARCH_RES" = 1 ]; then break; fi
         if $SUDO_CMD test -d "$FILE_SEARCHED"; then

hooks/check_has_test.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_path="tests/hardening"
+failure=0
+failed_checks=""
+
+for check in "$@"; do
+    base_name=$(basename "$check")
+    if [ ! -f $test_path/"$base_name" ]; then
+        failure=1
+        failed_checks="$failed_checks $base_name"
+    fi
+done
+
+if [ $failure -ne 0 ]; then
+    for check in $failed_checks; do
+        echo "missing file $test_path/$check"
+    done
+fi
+
+exit $failure

lib/common.sh

@@ -148,5 +148,5 @@ div() {
     fi
     local _r=$(($1$_n / $2))
     _r=${_r:0:-$_d}.${_r: -$_d}
-    echo $_r
+    echo "$_r"
 }

lib/utils.sh

@@ -11,6 +11,7 @@ has_sysctl_param_expected_result() {
     local SYSCTL_PARAM=$1
     local EXP_RESULT=$2
 
+    # shellcheck disable=SC2319
     if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
         FNRET=0
     elif [ "$?" = 255 ]; then
@@ -35,6 +36,7 @@ set_sysctl_param() {
     local SYSCTL_PARAM=$1
     local VALUE=$2
     debug "Setting $SYSCTL_PARAM to $VALUE"
+    # shellcheck disable=SC2319
     if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
         FNRET=0
     elif [ $? = 255 ]; then

shellcheck/launch_shellcheck.sh

@@ -14,7 +14,8 @@ fi
 for f in $files; do
     if head "$f" | grep -qE "^# run-shellcheck$"; then
         printf "\e[1;36mRunning shellcheck on: %s  \e[0m\n" "$f"
-        if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
+        # SC2317: command unreachable, sometimes has a hard time reaching the command in a function
+        if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
             retval=$((retval + 1))
         fi
     fi

tests/hardening/2.2.18_disable_tftp.sh

@@ -1,16 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    ##################################################################
-    # For this test, we only check that it runs properly on a blank  #
-    # host, and we check root/sudo consistency. But, we don't test   #
-    # the apply function because it can't be automated or it is very #
-    # long to test and not very useful.                              #
-    ##################################################################
-}

tests/launch_tests.sh

@@ -13,7 +13,7 @@ cleanup_and_exit() {
     if [ "$totalerrors" -eq 255 ]; then
         fatal "RUNTIME ERROR"
     fi
-    exit $totalerrors
+    exit "$totalerrors"
 }
 trap "cleanup_and_exit" EXIT HUP INT
 
@@ -125,7 +125,7 @@ play_consistency_tests() {
         ok "$name logs are identical"
     fi
 
-    if [ 1 -eq $consist_test ]; then
+    if [ 1 -eq "$consist_test" ]; then
         nbfailedconsist=$((nbfailedconsist + 1))
         listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
     fi