mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-16 22:02:17 +02:00
Compare commits
2 Commits
v4.1-4
...
dev/thibau
Author | SHA1 | Date | |
---|---|---|---|
796a561fe5 | |||
58f4ca0392 |
@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
|
||||
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SSH_OPTION in "${OPTIONS[@]}"; do
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
||||
# shellcheck disable=SC2001
|
||||
@ -53,7 +53,7 @@ apply() {
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
for SSH_OPTION in "${OPTIONS[@]}"; do
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
||||
# shellcheck disable=SC2001
|
||||
|
@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
|
||||
|
||||
ALLOWED_IPS=""
|
||||
USERS_TO_CHECK=""
|
||||
EXCEPTION_USERS=""
|
||||
EXCEPTION_USER=""
|
||||
|
||||
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
|
||||
|
||||
@ -137,10 +137,7 @@ audit() {
|
||||
continue
|
||||
else
|
||||
info "User $user has a valid shell ($shell)."
|
||||
if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
|
||||
info "User $user is named in EXEPTION_USERS and is thus skipped from check."
|
||||
continue
|
||||
elif [ "$user" = "root" ]; then
|
||||
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
|
||||
check_dir /root
|
||||
continue
|
||||
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
|
||||
@ -167,7 +164,7 @@ status=audit
|
||||
# Put authorized IPs you want to allow in "from" field of authorized_keys
|
||||
ALLOWED_IPS=""
|
||||
USERS_TO_CHECK=""
|
||||
EXCEPTION_USERS=""
|
||||
EXCEPTION_USER=""
|
||||
EOF
|
||||
}
|
||||
|
||||
|
11
debian/changelog
vendored
11
debian/changelog
vendored
@ -1,14 +1,3 @@
|
||||
cis-hardening (4.1-4) unstable; urgency=medium
|
||||
|
||||
* allow multiple users in 5.2.18 (#228)
|
||||
* Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
|
||||
* Syslog-ng fixes and enhancements (#226)
|
||||
* fix: Allow --only option to be called multiple times (#225)
|
||||
* fix: update Readme to clarify project usage (#223)
|
||||
* fix: typo in README. Update example of --audit usage (#222)
|
||||
|
||||
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Thu, 18 Jan 2024 09:13:15 +0000
|
||||
|
||||
cis-hardening (4.1-3) unstable; urgency=medium
|
||||
|
||||
* Adapt all scripts to yescrypt (#216)
|
||||
|
@ -22,109 +22,4 @@ test_audit() {
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Check and report mismatch for allowed user
|
||||
useradd -s /bin/bash johnallow
|
||||
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correctly apply allowed user
|
||||
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
# and check again that the fix was correctly applied
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
|
||||
|
||||
describe Check and report mismatch for multiple allowed users
|
||||
useradd -s /bin/bash janeallow
|
||||
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correctly apply multiple allowed users
|
||||
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
# and check again that the fix was correctly applied
|
||||
tail -n 5 /etc/ssh/sshd_config
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# reset allowed users to default before continuing
|
||||
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
|
||||
describe Check and report mismatch for denied user
|
||||
useradd -s /bin/bash peterdeny
|
||||
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correctly apply denied user
|
||||
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
# and check again that the fix was correctly applied
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
|
||||
|
||||
describe Check and report mismatch for multiple denied users
|
||||
useradd -s /bin/bash marrydeny
|
||||
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
describe Correctly apply multiple denied users
|
||||
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
# and check again that the fix was correctly applied
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# reset to prevent other test from possibly failing in the future
|
||||
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
||||
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# Cleanup
|
||||
userdel johnallow
|
||||
userdel janeallow
|
||||
userdel peterdeny
|
||||
userdel marrydeny
|
||||
}
|
||||
|
@ -2,7 +2,7 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
# shellcheck disable=2154
|
||||
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
|
||||
skip_tests
|
||||
# shellcheck disable=2154
|
||||
@ -12,29 +12,12 @@ test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
register_test contain "[INFO] User root has a valid shell"
|
||||
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
||||
register_test contain "[INFO] User jeantestuser has a valid shell"
|
||||
register_test contain "[INFO] User jeantestuser has no home directory"
|
||||
# shellcheck disable=2154
|
||||
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
mkdir -p /root/.ssh
|
||||
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
|
||||
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
|
||||
describe Check /root is used for root user instead of home by placing key without from field
|
||||
register_test retvalshouldbe 1
|
||||
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
||||
useradd -s /bin/bash exceptiontestuser
|
||||
describe Check multiple exception users are skipped
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
|
||||
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
|
||||
# shellcheck disable=2154
|
||||
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
mkdir -p /home/secaudit/.ssh
|
||||
touch /home/secaudit/.ssh/authorized_keys2
|
||||
describe empty authorized keys file
|
||||
@ -91,9 +74,7 @@ test_audit() {
|
||||
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
||||
|
||||
# Cleanup
|
||||
userdel exceptiontestuser
|
||||
userdel jeantestuser
|
||||
userdel -r jeantest2
|
||||
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
|
||||
rm -rf /root/.ssh
|
||||
rm -f /tmp/key1 /tmp/key1.pub
|
||||
}
|
||||
|
Reference in New Issue
Block a user