CHORE: change in version numbering

fix IFS bug
add test

bin/hardening/10.2_disable_system_accounts.sh

@@ -14,14 +14,18 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Disable system accounts, preventing them from interactive login."
 
-SHELL='/bin/false'
+ACCEPTED_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'
+SHELL_TO_APPLY='/bin/false'
 FILE='/etc/passwd'
 RESULT=''
 
+ACCEPTED_SHELLS_GREP=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    shells_to_grep_helper
+    info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -36,8 +40,9 @@ audit () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
+        crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
         crit "$RESULT"
     else
         ok "All admin accounts deactivated"
@@ -46,7 +51,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -61,18 +67,25 @@ apply () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
+        warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
         warn "$RESULT"
         for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
-            usermod -s $SHELL $USER
+            info "Setting $SHELL_TO_APPLY as $USER login shell"
+            usermod -s "$SHELL_TO_APPLY" "$USER"
         done
     else
         ok "All admin accounts deactivated, nothing to apply"
     fi
 }
 
+shells_to_grep_helper(){
+    for shell in $ACCEPTED_SHELLS; do
+        ACCEPTED_SHELLS_GREP+=" -e $shell"
+    done
+}
+
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF

bin/hardening/99.3.1_acc_shadow_sha512.sh

@@ -31,6 +31,9 @@ audit () {
         passwd=$(echo "$line" | cut -d ":" -f 2)
         if [[ $passwd = '!' || $passwd = '*' ]]; then
             continue
+        elif [[ $passwd =~ ^!.*$ ]]; then
+            pw_found+="$user "
+            ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
         elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "

debian/changelog

@@ -1,3 +1,17 @@
+cis-hardening (1.3-1) unstable; urgency=medium
+
+  * Change of version numbering
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 14:57:33 +0200
+
+cis-hardening (1.2-6) unstable; urgency=medium
+
+  * FIX(test/10.2): backup and restore /etc/passwd after test
+  * IMP(99.3.1): improve check with disabled passwords
+  * FIX(10.2): improve test to check multiple login shells
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 12:34:52 +0200
+
 cis-hardening (1.2-5) unstable; urgency=medium
 
   * fix(99.4): do not stderr iptables warning on buster

tests/hardening/10.2_disable_system_accounts.sh

@@ -1,10 +1,19 @@
 # run-shellcheck
 test_audit() {
+    cp -a /etc/passwd /tmp/passwd.bak
+
     describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    mv /tmp/passwd.bak /etc/passwd
 }

tests/hardening/99.3.1_acc_shadow_sha512.sh

@@ -13,6 +13,12 @@ test_audit() {
     register_test contain "User secaudit has a password that is not SHA512 hashed"
     run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
+    describe Fail: Found disabled password
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has a disabled password"
+    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     mv /tmp/shadow.bak /etc/shadow
     chpasswd << EOF
 secaudit:mypassword