mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-14 13:02:15 +02:00
be33848d81
* feat: add "--set-version" option This feature will allow to chose a specific cis version to run, like debian 11 or debian 12 * chore: configure current repository as a version And use it as default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. Only impact is if you are used to execute scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended. I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept * chore: remove CIS recommendation numbers from bin/hardening scripts * fix: some tests are failing find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep --------- Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
100 lines
3.9 KiB
Bash
100 lines
3.9 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
# shellcheck disable=2154
|
|
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
skip_tests
|
|
# shellcheck disable=2154
|
|
run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
useradd -s /bin/bash jeantestuser
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 0
|
|
dismiss_count_for_test
|
|
register_test contain "[INFO] User root has a valid shell"
|
|
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
|
register_test contain "[INFO] User jeantestuser has a valid shell"
|
|
register_test contain "[INFO] User jeantestuser has no home directory"
|
|
# shellcheck disable=2154
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
mkdir -p /root/.ssh
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
|
|
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
|
|
describe Check /root is used for root user instead of home by placing key without from field
|
|
register_test retvalshouldbe 1
|
|
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
useradd -s /bin/bash exceptiontestuser
|
|
describe Check multiple exception users are skipped
|
|
register_test retvalshouldbe 0
|
|
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
|
|
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
|
|
# shellcheck disable=2154
|
|
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
mkdir -p /home/secaudit/.ssh
|
|
touch /home/secaudit/.ssh/authorized_keys2
|
|
describe empty authorized keys file
|
|
register_test retvalshouldbe 0
|
|
run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
|
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key without from field
|
|
register_test retvalshouldbe 1
|
|
run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
{
|
|
echo -n 'from="127.0.0.1" '
|
|
cat /tmp/key1.pub
|
|
} >/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from, no ip check
|
|
register_test retvalshouldbe 0
|
|
run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
{
|
|
echo -n 'from="10.0.1.2" '
|
|
cat /tmp/key1.pub
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from, filled allowed IPs, one bad ip
|
|
register_test retvalshouldbe 1
|
|
run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
describe Key with from, filled allowed IPs, all IPs allowed
|
|
register_test retvalshouldbe 0
|
|
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
{
|
|
echo -n 'from="10.0.1.2",command="echo bla" '
|
|
cat /tmp/key1.pub
|
|
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
|
|
cat /tmp/key1.pub
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from and command options
|
|
register_test retvalshouldbe 0
|
|
run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
useradd -s /bin/bash -m jeantest2
|
|
# shellcheck disable=2016
|
|
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
describe Check only specified user
|
|
register_test retvalshouldbe 0
|
|
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# Cleanup
|
|
userdel exceptiontestuser
|
|
userdel jeantestuser
|
|
userdel -r jeantest2
|
|
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
|
|
rm -rf /root/.ssh
|
|
}
|