feat: add basic pre commit

Ensure a check has a corresponding test

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest
@@ -34,7 +34,7 @@ jobs:
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v4.2.0
+        uses: metcalfc/changelog-generator@v4.3.1
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/tagged-release.yml

@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -49,7 +49,7 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
                 add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
             else
                 add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
@@ -67,12 +67,11 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" -ge "11" ]; then
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
         CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
     else
         CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
     fi
-    unset -f _set_vars_jit
 }
 
 # Source Root Dir Parameter

bin/hardening/99.1.1.23_disable_usb_devices.sh

@@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     SEARCH_RES=0
+    # if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+    # shellcheck disable=SC2086
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
         if [ "$SEARCH_RES" = 1 ]; then break; fi
         if $SUDO_CMD test -d "$FILE_SEARCHED"; then

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Check <from> field in ssh authorized keys files for users with logi
 
 # Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh'
 # shellcheck disable=2089
-REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")"
+REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3})(\/\d{1,2})?)+(?:'|\")"
 REGEX_OK_LINES="(^(#|$)|($REGEX_FROM_IP))"
 AUTHKEYFILE_PATTERN=""
 AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -48,7 +48,7 @@ apply() {
         if [ "$FNRET" != 0 ]; then
             add_end_of_file "$CONF_FILE" "$CONF_LINE"
         else
-            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+            info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
             replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
         fi
     fi
@@ -63,14 +63,13 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" -ge "11" ]; then
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
         CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
         CONF_LINE="ENCRYPT_METHOD YESCRYPT"
     else
         CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
         CONF_LINE="ENCRYPT_METHOD SHA512"
     fi
-    unset -f _set_vars_jit
 }
 
 # Source Root Dir Parameter

hooks/check_has_test.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_path="tests/hardening"
+failure=0
+failed_checks=""
+
+for check in "$@"; do
+    base_name=$(basename "$check")
+    if [ ! -f $test_path/"$base_name" ]; then
+        failure=1
+        failed_checks="$failed_checks $base_name"
+    fi
+done
+
+if [ $failure -ne 0 ]; then
+    for check in $failed_checks; do
+        echo "missing file $test_path/$check"
+    done
+fi
+
+exit $failure

lib/common.sh

@@ -148,5 +148,5 @@ div() {
     fi
     local _r=$(($1$_n / $2))
     _r=${_r:0:-$_d}.${_r: -$_d}
-    echo $_r
+    echo "$_r"
 }

lib/utils.sh

@@ -11,6 +11,7 @@ has_sysctl_param_expected_result() {
     local SYSCTL_PARAM=$1
     local EXP_RESULT=$2
 
+    # shellcheck disable=SC2319
     if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
         FNRET=0
     elif [ "$?" = 255 ]; then
@@ -35,6 +36,7 @@ set_sysctl_param() {
     local SYSCTL_PARAM=$1
     local VALUE=$2
     debug "Setting $SYSCTL_PARAM to $VALUE"
+    # shellcheck disable=SC2319
     if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
         FNRET=0
     elif [ $? = 255 ]; then

shellcheck/launch_shellcheck.sh

@@ -14,7 +14,8 @@ fi
 for f in $files; do
     if head "$f" | grep -qE "^# run-shellcheck$"; then
         printf "\e[1;36mRunning shellcheck on: %s  \e[0m\n" "$f"
-        if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
+        # SC2317: command unreachable, sometimes has a hard time reaching the command in a function
+        if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
             retval=$((retval + 1))
         fi
     fi

tests/hardening/2.1.2_disable_bsd_inetd.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/5.3.4_acc_pam_sha512.sh

@@ -6,4 +6,50 @@ test_audit() {
     register_test contain "is present in /etc/pam.d/common-password"
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Tests purposely failing
+    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
+    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
+    register_test retvalshouldbe 1
+    register_test contain "is not present"
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "is present in /etc/pam.d/common-password"
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(sha512|yescrypt)"
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Tests purposely failing as sid
+    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
+    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
+    register_test retvalshouldbe 1
+    register_test contain "is not present"
+    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "is present in /etc/pam.d/common-password"
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/hardening/99.5.2.4_ssh_keys_from.sh

@@ -72,11 +72,11 @@ test_audit() {
     run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     # shellcheck disable=2016
-    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
     {
         echo -n 'from="10.0.1.2",command="echo bla" '
         cat /tmp/key1.pub
-        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
+        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
         cat /tmp/key1.pub
     } >>/home/secaudit/.ssh/authorized_keys2
     describe Key with from and command options

tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -28,11 +28,43 @@ test_audit() {
     run wrongconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     describe Correcting situation
-    sed -i 's/disabled/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
     "${CIS_CHECKS_DIR}/${script}.sh" || true
 
     describe Checking resolved state
-    mv /tmp/login.defs.bak /etc/login.defs
     register_test retvalshouldbe 0
+    register_test contain "is present in /etc/login.defs"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    # shellcheck disable=2154
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cp /etc/login.defs /tmp/login.defs.bak
+    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
+
+    describe Fail: wrong hash function configuration as sid
+    register_test retvalshouldbe 1
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/launch_tests.sh

@@ -13,7 +13,7 @@ cleanup_and_exit() {
     if [ "$totalerrors" -eq 255 ]; then
         fatal "RUNTIME ERROR"
     fi
-    exit $totalerrors
+    exit "$totalerrors"
 }
 trap "cleanup_and_exit" EXIT HUP INT
 
@@ -125,7 +125,7 @@ play_consistency_tests() {
         ok "$name logs are identical"
     fi
 
-    if [ 1 -eq $consist_test ]; then
+    if [ 1 -eq "$consist_test" ]; then
         nbfailedconsist=$((nbfailedconsist + 1))
         listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
     fi