497e1d2095
Tests are stored in a bash indexed array. Bash on debian8 does not support array declarations, and if there were no registered tests, the array variable was seen as undefined. By completely dismissing the test suite in that case, the problem is fixed.
# shellcheck shell=bash
# run-shellcheck
############################################
# Assertion functions for functional tests #
############################################

# sugar to add a description of the test suite
# describe <STRING>
describe() {
  # Prints an underlined cyan banner "xxx <name>::<description>".
  # The description is every argument joined by a space.
  local title="$*"
  # $name is expected to be set by the harness before describe is called.
  # shellcheck disable=2154
  printf '\033[4;36mxxx %s::%s \033[0m\n' "$name" "$title"
}
# Register an assertion on an audit before running it
# May be used several times
# See the assertion functions below
# register_test <TEST_STRING>
register_test() {
  # Appends "$*" to the global REGISTERED_TESTS array.
  # numtest (exported, global) ends up holding the index the entry was written to.
  export numtest=0
  # Probe the array through the :+ expansion before touching ${#...[@]}:
  # the commit history says an unset array was reported as undefined on
  # older bash (debian8), and :+ is safe on an unset variable.
  if [[ -n "${REGISTERED_TESTS[*]:+x}" ]]; then
    numtest=${#REGISTERED_TESTS[@]}
  fi
  REGISTERED_TESTS[numtest]="$*"
}
# retvalshouldbe checks that the audit return value equals the one passed as parameter
# retvalshouldbe <NUMBER>
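retvalshouldbe() {
  # Compares the audit's recorded exit status with the expected one ($1).
  # Globals read: outdir, usecase_name, dismiss_count
  # Globals written: nbfailedret, listfailedret (only when not dismissed)
  # Verdict is reported through ok/fail (defined elsewhere).
  # shellcheck disable=2154
  local retfile=$outdir/${usecase_name}.retval
  local shouldbe=$1
  local got=''
  # A missing or unreadable result file is a mismatch, not a shell error;
  # got stays empty so the fail message shows what was (not) read.
  if [[ -r "$retfile" ]]; then
    got=$(< "$retfile")
  fi
  if [[ "$got" == "$shouldbe" ]]; then
    ok "RETURN VALUE" "($shouldbe)"
  else
    # Dismissed usecases are reported but do not count toward suite failure;
    # an unset dismiss_count is treated as "not dismissed".
    if [[ "${dismiss_count:-0}" -eq 0 ]]; then
      nbfailedret=$(( nbfailedret + 1 ))
      listfailedret="$listfailedret $usecase_name"
    fi
    fail "RETURN VALUE" "(got $got instead of $shouldbe)"
  fi
}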
# contain looks for a string in the audit logfile
# contain [REGEX] <STRING|regexSTRING>
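contain() {
  # Asserts that the usecase's log contains the given string (fixed-string
  # match) or, when the first argument is REGEX, matches the given ERE.
  # Globals read: outdir, usecase_name, dismiss_count
  # Globals written: nbfailedgrep, listfailedgrep (only when not dismissed)
  # Verdict is reported through ok/fail (defined elsewhere).
  local grepmode='-F'   # fixed-string match unless REGEX is requested
  if [[ "${1:-}" == "REGEX" ]]; then
    grepmode='-E'
    shift
  fi
  # shellcheck disable=2154
  local file=$outdir/${usecase_name}.log
  local pattern=$*
  # An absent log file is a failed assertion, not a grep usage error.
  if [[ -r "$file" ]] && grep -q "$grepmode" -- "$pattern" "$file"; then
    ok "MUST CONTAIN" "($pattern)"
  else
    # Dismissed usecases are reported but do not count toward suite failure;
    # an unset dismiss_count is treated as "not dismissed".
    if [[ "${dismiss_count:-0}" -eq 0 ]]; then
      nbfailedgrep=$(( nbfailedgrep + 1 ))
      listfailedgrep="$listfailedgrep $usecase_name"
    fi
    fail "MUST CONTAIN" "($pattern)"
  fi
}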
dismiss_test() {
  # Raises the dismiss_test flag. The variable deliberately shares this
  # function's name; which part of the harness reads it is not visible here.
  dismiss_test=1
}
# The test is expected to fail (for instance on a blank system),
# so it won't be counted toward test suite success
dismiss_count_for_test() {
  # Raises the dismiss_count flag; the assertion helpers skip the failure
  # counters while it is set.
  dismiss_count=1
}
# Run the audit script in both root and sudo mode, then run the assertion tests and
# the sudo/root consistency tests
# run <USECASE> <AUDIT_SCRIPT>
run() {
  # usecase, usecase_name_root and usecase_name_sudo are left global on
  # purpose: play_consistency_tests takes no arguments, so it presumably
  # reads the two names from here — verify before making them local.
  usecase=$1
  shift
  # NOTE(review): $(…) masks make_usecase_name's exit status; fine only if it cannot fail.
  usecase_name_root=$(make_usecase_name "$usecase" "root")
  _run "$usecase_name_root" "$@"
  play_registered_tests "$usecase_name_root"

  # The sudo wrapper is handed over as a single word; _run is assumed to
  # split it itself — confirm in _run (defined elsewhere).
  usecase_name_sudo=$(make_usecase_name "$usecase" "sudo")
  _run "$usecase_name_sudo" "sudo -u secaudit" "$@" "--sudo"
  play_registered_tests "$usecase_name_sudo"

  # Same registered tests were replayed for both runs; compare them, then reset.
  play_consistency_tests
  clear_registered_tests
}