debian-cis/tests/hardening/99.5.2.4_ssh_keys_from.sh

# shellcheck shell=bash
# run-shellcheck
test_audit() {
    # shellcheck disable=2154
    echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"

    skip_tests
    # shellcheck disable=2154
    run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    useradd -s /bin/bash jeantestuser
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    register_test contain "[INFO] User root has a valid shell"
    register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
    register_test contain "[INFO] User jeantestuser has a valid shell"
    register_test contain "[INFO] User jeantestuser has no home directory"
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    mkdir -p /root/.ssh
    ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
    cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
    describe Check /root is used for root user instead of home by placing key without from field
    register_test retvalshouldbe 1
    run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
    useradd -s /bin/bash exceptiontestuser
    describe Check multiple exception users are skipped
    register_test retvalshouldbe 0
    register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
    register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
    # shellcheck disable=2154
    run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    mkdir -p /home/secaudit/.ssh
    touch /home/secaudit/.ssh/authorized_keys2
    describe empty authorized keys file
    register_test retvalshouldbe 0
    run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    ssh-keygen -N "" -t ed25519 -f /tmp/key1
    cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
    describe Key without from field
    register_test retvalshouldbe 1
    run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    {
        echo -n 'from="127.0.0.1" '
        cat /tmp/key1.pub
    } >/home/secaudit/.ssh/authorized_keys2
    describe Key with from, no ip check
    register_test retvalshouldbe 0
    run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # shellcheck disable=2016
    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
    {
        echo -n 'from="10.0.1.2" '
        cat /tmp/key1.pub
    } >>/home/secaudit/.ssh/authorized_keys2
    describe Key with from, filled allowed IPs, one bad ip
    register_test retvalshouldbe 1
    run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # shellcheck disable=2016
    echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
    describe Key with from, filled allowed IPs, all IPs allowed
    register_test retvalshouldbe 0
    run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # shellcheck disable=2016
    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
    {
        echo -n 'from="10.0.1.2",command="echo bla" '
        cat /tmp/key1.pub
        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
        cat /tmp/key1.pub
    } >>/home/secaudit/.ssh/authorized_keys2
    describe Key with from and command options
    register_test retvalshouldbe 0
    run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    useradd -s /bin/bash -m jeantest2
    # shellcheck disable=2016
    echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
    describe Check only specified user
    register_test retvalshouldbe 0
    run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # Cleanup
    userdel exceptiontestuser
    userdel jeantestuser
    userdel -r jeantest2
    rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
    rm -rf /root/.ssh
}