mirror of
https://github.com/ovh/debian-cis.git
synced 2025-07-14 13:02:15 +02:00
be33848d81
* feat: add "--set-version" option This feature will allow to chose a specific cis version to run, like debian 11 or debian 12 * chore: configure current repository as a version And use it as default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. Only impact is if you are used to execute scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended. I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept * chore: remove CIS recommendation numbers from bin/hardening scripts * fix: some tests are failing find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep --------- Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
131 lines
7.7 KiB
Bash
131 lines
7.7 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 1
|
|
register_test contain "openssh-server is installed"
|
|
# shellcheck disable=2154
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correcting situation
|
|
# `apply` performs a service reload after each change in the config file
|
|
# the service needs to be started for the reload to succeed
|
|
service ssh start
|
|
# if the audit script provides "apply" option, enable and run it
|
|
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
|
|
describe Checking resolved state
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Check and report mismatch for allowed user
|
|
useradd -s /bin/bash johnallow
|
|
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correctly apply allowed user
|
|
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
# and check again that the fix was correctly applied
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
|
|
|
|
describe Check and report mismatch for multiple allowed users
|
|
useradd -s /bin/bash janeallow
|
|
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correctly apply multiple allowed users
|
|
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
# and check again that the fix was correctly applied
|
|
tail -n 5 /etc/ssh/sshd_config
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# reset allowed users to default before continuing
|
|
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
describe Check and report mismatch for denied user
|
|
useradd -s /bin/bash peterdeny
|
|
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correctly apply denied user
|
|
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
# and check again that the fix was correctly applied
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
|
|
|
|
describe Check and report mismatch for multiple denied users
|
|
useradd -s /bin/bash marrydeny
|
|
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correctly apply multiple denied users
|
|
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
# and check again that the fix was correctly applied
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# reset to prevent other test from possibly failing in the future
|
|
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
describe Checking resolved state
|
|
register_test retvalshouldbe 0
|
|
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
|
|
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# Cleanup
|
|
userdel johnallow
|
|
userdel janeallow
|
|
userdel peterdeny
|
|
userdel marrydeny
|
|
}
|