Compare commits

..

2 Commits

Author SHA1 Message Date
796a561fe5 enh: add test for 4.2.1.6 2023-12-27 09:19:54 +00:00
58f4ca0392 syslog-ng : fix remote host test and enhance Regex
fixes #124
2023-12-27 08:40:37 +00:00
5 changed files with 8 additions and 146 deletions

View File

@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit() {
OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in "${OPTIONS[@]}"; do
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
@ -53,7 +53,7 @@ apply() {
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
for SSH_OPTION in "${OPTIONS[@]}"; do
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001

View File

@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS=""
USERS_TO_CHECK=""
EXCEPTION_USERS=""
EXCEPTION_USER=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -137,10 +137,7 @@ audit() {
continue
else
info "User $user has a valid shell ($shell)."
if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
info "User $user is named in EXEPTION_USERS and is thus skipped from check."
continue
elif [ "$user" = "root" ]; then
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root
continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -167,7 +164,7 @@ status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS=""
USERS_TO_CHECK=""
EXCEPTION_USERS=""
EXCEPTION_USER=""
EOF
}

11
debian/changelog vendored
View File

@ -1,14 +1,3 @@
cis-hardening (4.1-4) unstable; urgency=medium
* allow multiple users in 5.2.18 (#228)
* Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* Syslog-ng fixes and enhancements (#226)
* fix: Allow --only option to be called multiple times (#225)
* fix: update Readme to clarify project usage (#223)
* fix: typo in README. Update example of --audit usage (#222)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Thu, 18 Jan 2024 09:13:15 +0000
cis-hardening (4.1-3) unstable; urgency=medium
* Adapt all scripts to yescrypt (#216)

View File

@ -22,109 +22,4 @@ test_audit() {
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Check and report mismatch for allowed user
useradd -s /bin/bash johnallow
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply allowed user
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple allowed users
useradd -s /bin/bash janeallow
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple allowed users
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
tail -n 5 /etc/ssh/sshd_config
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset allowed users to default before continuing
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
describe Check and report mismatch for denied user
useradd -s /bin/bash peterdeny
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply denied user
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple denied users
useradd -s /bin/bash marrydeny
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple denied users
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset to prevent other test from possibly failing in the future
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel johnallow
userdel janeallow
userdel peterdeny
userdel marrydeny
}

View File

@ -2,7 +2,7 @@
# run-shellcheck
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
skip_tests
# shellcheck disable=2154
@ -12,29 +12,12 @@ test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
register_test contain "[INFO] User root has a valid shell"
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory"
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /root/.ssh
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
describe Check /root is used for root user instead of home by placing key without from field
register_test retvalshouldbe 1
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
useradd -s /bin/bash exceptiontestuser
describe Check multiple exception users are skipped
register_test retvalshouldbe 0
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
# shellcheck disable=2154
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /home/secaudit/.ssh
touch /home/secaudit/.ssh/authorized_keys2
describe empty authorized keys file
@ -91,9 +74,7 @@ test_audit() {
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel exceptiontestuser
userdel jeantestuser
userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
rm -rf /root/.ssh
rm -f /tmp/key1 /tmp/key1.pub
}