mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-24 14:31:24 +01:00
43fc23ee40
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
100 lines
3.9 KiB
Bash
100 lines
3.9 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
# shellcheck disable=2154
|
|
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
skip_tests
|
|
# shellcheck disable=2154
|
|
run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
useradd -s /bin/bash jeantestuser
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 0
|
|
dismiss_count_for_test
|
|
register_test contain "[INFO] User root has a valid shell"
|
|
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
|
register_test contain "[INFO] User jeantestuser has a valid shell"
|
|
register_test contain "[INFO] User jeantestuser has no home directory"
|
|
# shellcheck disable=2154
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
mkdir -p /root/.ssh
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
|
|
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
|
|
describe Check /root is used for root user instead of home by placing key without from field
|
|
register_test retvalshouldbe 1
|
|
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
useradd -s /bin/bash exceptiontestuser
|
|
describe Check multiple exception users are skipped
|
|
register_test retvalshouldbe 0
|
|
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
|
|
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
|
|
# shellcheck disable=2154
|
|
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
mkdir -p /home/secaudit/.ssh
|
|
touch /home/secaudit/.ssh/authorized_keys2
|
|
describe empty authorized keys file
|
|
register_test retvalshouldbe 0
|
|
run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
|
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key without from field
|
|
register_test retvalshouldbe 1
|
|
run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
{
|
|
echo -n 'from="127.0.0.1" '
|
|
cat /tmp/key1.pub
|
|
} >/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from, no ip check
|
|
register_test retvalshouldbe 0
|
|
run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
{
|
|
echo -n 'from="10.0.1.2" '
|
|
cat /tmp/key1.pub
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from, filled allowed IPs, one bad ip
|
|
register_test retvalshouldbe 1
|
|
run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
describe Key with from, filled allowed IPs, all IPs allowed
|
|
register_test retvalshouldbe 0
|
|
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# shellcheck disable=2016
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
{
|
|
echo -n 'from="10.0.1.2",command="echo bla" '
|
|
cat /tmp/key1.pub
|
|
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
|
|
cat /tmp/key1.pub
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
|
describe Key with from and command options
|
|
register_test retvalshouldbe 0
|
|
run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
useradd -s /bin/bash -m jeantest2
|
|
# shellcheck disable=2016
|
|
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
describe Check only specified user
|
|
register_test retvalshouldbe 0
|
|
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
# Cleanup
|
|
userdel exceptiontestuser
|
|
userdel jeantestuser
|
|
userdel -r jeantest2
|
|
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
|
|
rm -rf /root/.ssh
|
|
}
|