enh: add test for 4.2.1.6

fixes #124

README.md

@@ -16,6 +16,9 @@
 Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
+NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
+in production at OVHcloud on Debian 12 Operating Systems.
+
 ```console
 $ bin/hardening.sh --audit-all
 [...]
@@ -40,12 +43,11 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
-$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" etc/default/cis-hardening
+$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
-$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" etc/default/cis-hardening
+$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
-$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" etc/default/cis-hardening
+$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
-$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" etc/default/cis-hardening
+$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
-$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
+$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit
-hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
 1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
 1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
 1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
@@ -244,6 +246,20 @@ built a secure environment. While we use it at OVHcloud to harden our PCI-DSS co
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
+A word about numbering, implementation and sustainability over time of this repository:
+This project is born with the Debian 7 distribution in 2016. Over time, CIS Benchmark PDF
+has evolved, changing it's numbering, deleting obsolete checks.
+In order to keep retro-compatiblity with the last maintained Debian, the numbering
+has not been changed along with the PDF, because the configuration scripts are named after it.
+Changing the numbering might break automation for admins using it for years, and handling
+this issue without breaking anything would require a huge refactoring.
+As a consequence, please do not worry about numbering, the checks are there,
+but the numbering accross PDFs might differ.
+Please also note that all the check inside CIS Benchmark PDF might not be implemented
+in this set of scripts.
+We did choose the most relevant to us at OVHcloud, do not hesitate to make a
+Pull Request in order to add the missing script you might find relevant for you.
+
 Additionally, quoting the License:
 
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
@@ -257,6 +273,7 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+
 ## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/

bin/hardening.sh

@@ -299,7 +299,7 @@ for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
         SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
         # shellcheck disable=SC2001
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -16,10 +16,9 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
-
 PACKAGE='syslog-ng'
-
+SYSLOG_BASEDIR='/etc/syslog-ng'
-PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+PATTERN='destination[[:alnum:][:space:]*_*{]+(tcp|network|udp)[[:space:]]*\([[:space:]]*\"?[[:alnum:]\-.]+\"?.'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -18,9 +18,9 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
 
 PACKAGE='syslog-ng'
-
+SYSLOG_BASEDIR='/etc/syslog-ng'
 REMOTE_HOST=""
-PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+PATTERN='source[[:alnum:][:space:]*_*{]+(tcp|network|udp)[[:space:]]*\([[:space:]]*\"?[[:alnum:]\-.]+\"?.'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -37,7 +37,7 @@ audit() {
             fi
         done
 
-        if [[ "$REMOTE_HOST" ]]; then
+        if [[ "$REMOTE_HOST" ]] && [[ "$REMOTE_HOST" != 'false' ]]; then
             info "This is the remote host, checking that it only accepts logs from specified zone"
             if [ "$FOUND" = 1 ]; then
                 ok "$PATTERN is present in $FILES"
@@ -70,7 +70,7 @@ apply() {
             fi
         done
 
-        if [[ "$REMOTE_HOST" ]]; then
+        if [[ "$REMOTE_HOST" ]] && [[ "$REMOTE_HOST" != 'false' ]]; then
             info "This is the remote host, checking that it only accepts logs from specified zone"
             if [ "$FOUND" = 1 ]; then
                 ok "$PATTERN is present in $FILES"

tests/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -38,6 +38,6 @@ EOF
     run subfile "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     # Cleanup
-    rm /etc/syslog-ng/conf.d/1_tcp_destination
+    rm -f /etc/syslog-ng/conf.d/1_tcp_destination
 
 }

tests/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -2,10 +2,37 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 0
+    register_test retvalshouldbe 1
-    dismiss_count_for_test
     # shellcheck disable=2154
+    echo 'REMOTE_HOST="true"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # TODO fill comprehensive tests
+    cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
+    echo "source mySyslog tcp (\"127.0.0.1\")" >>/etc/syslog-ng/syslog-ng.conf
+
+    describe Checking one line conf
+    register_test retvalshouldbe 0
+    run oneline "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
+    cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
+    source mySyslog {
+    tcp ("127.0.0.1"),
+    port(1234),
+EOF
+
+    describe Checking mutliline conf
+    register_test retvalshouldbe 0
+    run multiline "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
+    echo "source mySyslog tcp (\"127.0.0.1\")" >>/etc/syslog-ng/conf.d/1_tcp_source
+    cat /etc/syslog-ng/conf.d/1_tcp_source
+
+    describe Checking file in subdirectory
+    register_test retvalshouldbe 0
+    run subfile "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    rm -f /etc/syslog-ng/conf.d/1_tcp_source
+
 }