debian-cis/tests/launch_tests.sh
Charles Herlin d2bbf754ac Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2019-02-11 18:05:03 +01:00

210 lines
5.6 KiB
Bash
Executable File

#!/bin/bash
# run-shellcheck
# stop on any error
set -e
# stop on undefined variable
set -u
mytmpdir=$(mktemp -d -t debian-cis-test.XXXXXX)
totalerrors=255
cleanup_and_exit() {
rm -rf "$mytmpdir"
if [ "$totalerrors" -eq 255 ]; then
fatal "RUNTIME ERROR"
fi
exit $totalerrors
}
trap "cleanup_and_exit" EXIT HUP INT
outdir="$mytmpdir/out"
mkdir -p "$outdir" || exit 1
tests_list=""
testno=0
testcount=0
dismiss_test=0
dismiss_count=0
nbfailedret=0
nbfailedgrep=0
nbfailedconsist=0
listfailedret=""
listfailedgrep=""
listfailedconsist=""
usecase=""
usecase_name=""
usecase_name_root=""
usecase_name_sudo=""
declare -a REGISTERED_TESTS
#####################
# Utility functions #
#####################
# in case a fatal event occurs, fatal logs and exits with return code 1
fatal() {
printf "\033[1;91m###### \033[0m\n" >&2
printf "%b %b\n" "\033[1;91mFATAL\033[0m" "$*" >&2
printf "%b \n" "\033[1;91mEXIT TEST SUITE WITH FAILURE\033[0m" >&2
trap - EXIT
exit 255
}
# prints that a test failed
fail() {
printf "%b %b\n" "\033[1;30m\033[41m[FAIL]\033[0m" "$*" >&2
}
# prints that a test succeded
ok() {
printf "%b %b\n" "\033[30m\033[42m[ OK ]\033[0m" "$*" >&2
}
# retrieves audit script logfile
get_stdout()
{
cat "$outdir"/"$usecase_name".log
}
# Reset the list of test assertions
clear_registered_tests() {
unset REGISTERED_TESTS
declare -a REGISTERED_TESTS
dismiss_count=0
dismiss_test=0
}
# Generates a formated test name
make_usecase_name() {
usecase=$1
shift
role=$1
usecase_name=$(printf '%03d-%s-%s-%s' "$testno" "$name" "$usecase" "$role" | sed -re "s=/=_=g")
echo -n "$usecase_name"
}
# Plays the registered test suite
play_registered_tests() {
if [ "$dismiss_test" -eq 1 ]; then
return
fi
usecase_name=$1
if [[ "${REGISTERED_TESTS[*]}" ]]; then
export numtest=${#REGISTERED_TESTS[@]}
for t in "${!REGISTERED_TESTS[@]}"; do
${REGISTERED_TESTS[$t]}
done
fi
}
# Plays comparison tests to ensure that root and sudo exection have the same output
play_consistency_tests() {
consist_test=0
printf "\033[34m*** [%03d] %s::%s Root/Sudo Consistency Tests\033[0m\n" "$testno" "$test_file" "$usecase"
retfile_root=$outdir/${usecase_name_root}.retval
retfile_sudo=$outdir/${usecase_name_sudo}.retval
ret=$(eval cmp "$retfile_root" "$retfile_sudo")
if [[ ! 0 -eq $ret ]] ; then
fail "$name" return values differ
diff "$retfile_root" "$retfile_sudo"
consist_test=1
else
ok "$name return values are equal"
fi
retfile_root=$outdir/${usecase_name_root}.log
retfile_sudo=$outdir/${usecase_name_sudo}.log
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
if [[ ! 0 -eq $ret ]] ; then
fail "$name" logs differ
diff "$retfile_root" "$retfile_sudo" || true
consist_test=1
else
ok "$name logs are identical"
fi
if [ 1 -eq $consist_test ]; then
if [ 0 -eq $dismiss_count ]; then
nbfailedconsist=$(( nbfailedconsist + 1 ))
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
fi
fi
}
# Actually runs one signel audit script
_run()
{
usecase_name=$1
shift
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
ret=$(< "$outdir"/"$usecase_name".retval)
get_stdout
}
# Load assertion functions for functionnal tests
if [ ! -f "$(dirname "$0")"/lib.sh ]; then
fatal "Cannot locate lib.sh"
fi
# shellcheck source=/opt/debian-cis/tests/lib.sh
. "$(dirname "$0")"/lib.sh
###################
# Execution start #
###################
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
# if no scripts were passed as arguments, list all available test scenarii to be played
if [ $# -eq 0 ]; then
tests_list=$(ls -v "$(dirname "$0")"/hardening/)
testcount=$(wc -l <<< "$tests_list")
else
tests_list="$*"
testcount=$#
fi
for test_file in $tests_list; do
test_file_path=$(dirname "$0")/hardening/"$test_file"
if [ ! -f "$test_file_path" ]; then
fatal "Test file \"$test_file\" does not exist"
fi
# script var is used inside test files
# shellcheck disable=2034
script="$(basename "$test_file" .sh)"
# source test scenario file to add `test_audit` func
# shellcheck disable=1090
. "$test_file_path"
testno=$(( testno + 1 ))
# shellcheck disable=2001
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
# test_audit is the function defined in $test_file, that carries the actual functional tests for this script
test_audit
# reset var names
usecase_name=""
usecase_name_root=""
usecase_name_sudo=""
unset -f test_audit
echo ""
done
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
else
(
echo -e "\033[41mOne or more tests failed :(\033[0m"
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
) | tee "$outdir"/summary
fi
echo
set +e
set +u
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
# leave `exit 255` for runtime errors
[ $totalerrors -ge 255 ] && totalerrors=254
exit $totalerrors