mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
d2bbf754ac
new file: 99.3.1_acc_shadow_sha512.sh new file: 99.3.2_acc_sudoers_no_all.sh new file: 99.4_net_fw_default_policy_drop.sh new file: 99.5.1_ssh_auth_pubk_only.sh new file: 99.5.2.1_ssh_cry_kex.sh new file: 99.5.2.2_ssh_cry_mac.sh new file: 99.5.2.3_ssh_cry_rekey.sh new file: 99.5.3_ssh_disable_features.sh new file: 99.5.4_ssh_keys_from.sh new file: 99.5.5_ssh_strict_modes.sh new file: 99.5.6_ssh_sys_accept_env.sh new file: 99.5.7_ssh_sys_no_legacy.sh new file: 99.5.8_ssh_sys_sandbox.sh new file: 99.5.9_ssh_log_level.sh Fix descriptions in comment section for 99.* secaudit checks Remove duplicated legacy services that are already taken care of by vanilla cis Enable custom configuration of checks in config-file, no more hard coded conf Add test to disable check if debian version is too old Add excused IPs while checking "from" field of authorized_keys Escaping dots in IPs Manage Kex for different debian versions Add tests for generic checks and add apply for ssh config Apply shellcheck recommendations on audit/hardening scripts Update script to check for allowed IPs only, remove bastion related Fill `apply` func for ssh config related scripts Add and update tests scenarii Disable shellcheck test for external source 1091 As of today, the entire project is not shellcheck compliant, I prefer disabling the test that warns about not finding external source (that arent compliant). I will enable it again when the project library will be shellchecked https://github.com/koalaman/shellcheck/wiki/SC1091 Refactor password policy check with one check by feature Previous file will now only look for bad passwords in /etc/shadow I added two checks that look for the compliant configuration lines in conf files /etc/logins.defs and /etc/pam.d/common-passwords FIX: merge chained sed and fix regex FIX: update regex to capture more output FIX: fix pattern to ignore commented lines, add apply Also add tests to ensure that commented lines are not detected as valid configuration CHORE: cleanup test situation with file and users removal IMP: add case insensitive option when looking for patterns in files CHORE: removed duplicated line in test file
210 lines
5.6 KiB
Bash
Executable File
210 lines
5.6 KiB
Bash
Executable File
#!/bin/bash
|
|
# run-shellcheck
|
|
# stop on any error
|
|
set -e
|
|
# stop on undefined variable
|
|
set -u
|
|
|
|
mytmpdir=$(mktemp -d -t debian-cis-test.XXXXXX)
|
|
totalerrors=255
|
|
|
|
cleanup_and_exit() {
|
|
rm -rf "$mytmpdir"
|
|
if [ "$totalerrors" -eq 255 ]; then
|
|
fatal "RUNTIME ERROR"
|
|
fi
|
|
exit $totalerrors
|
|
}
|
|
trap "cleanup_and_exit" EXIT HUP INT
|
|
|
|
outdir="$mytmpdir/out"
|
|
mkdir -p "$outdir" || exit 1
|
|
|
|
tests_list=""
|
|
testno=0
|
|
testcount=0
|
|
|
|
dismiss_test=0
|
|
dismiss_count=0
|
|
nbfailedret=0
|
|
nbfailedgrep=0
|
|
nbfailedconsist=0
|
|
listfailedret=""
|
|
listfailedgrep=""
|
|
listfailedconsist=""
|
|
|
|
usecase=""
|
|
usecase_name=""
|
|
usecase_name_root=""
|
|
usecase_name_sudo=""
|
|
declare -a REGISTERED_TESTS
|
|
|
|
#####################
|
|
# Utility functions #
|
|
#####################
|
|
# in case a fatal event occurs, fatal logs and exits with return code 1
|
|
fatal() {
|
|
printf "\033[1;91m###### \033[0m\n" >&2
|
|
printf "%b %b\n" "\033[1;91mFATAL\033[0m" "$*" >&2
|
|
printf "%b \n" "\033[1;91mEXIT TEST SUITE WITH FAILURE\033[0m" >&2
|
|
trap - EXIT
|
|
exit 255
|
|
}
|
|
# prints that a test failed
|
|
fail() {
|
|
printf "%b %b\n" "\033[1;30m\033[41m[FAIL]\033[0m" "$*" >&2
|
|
}
|
|
# prints that a test succeded
|
|
ok() {
|
|
printf "%b %b\n" "\033[30m\033[42m[ OK ]\033[0m" "$*" >&2
|
|
}
|
|
|
|
# retrieves audit script logfile
|
|
get_stdout()
|
|
{
|
|
cat "$outdir"/"$usecase_name".log
|
|
}
|
|
|
|
# Reset the list of test assertions
|
|
clear_registered_tests() {
|
|
unset REGISTERED_TESTS
|
|
declare -a REGISTERED_TESTS
|
|
dismiss_count=0
|
|
dismiss_test=0
|
|
}
|
|
|
|
# Generates a formated test name
|
|
make_usecase_name() {
|
|
usecase=$1
|
|
shift
|
|
role=$1
|
|
usecase_name=$(printf '%03d-%s-%s-%s' "$testno" "$name" "$usecase" "$role" | sed -re "s=/=_=g")
|
|
echo -n "$usecase_name"
|
|
}
|
|
|
|
# Plays the registered test suite
|
|
play_registered_tests() {
|
|
if [ "$dismiss_test" -eq 1 ]; then
|
|
return
|
|
fi
|
|
usecase_name=$1
|
|
if [[ "${REGISTERED_TESTS[*]}" ]]; then
|
|
export numtest=${#REGISTERED_TESTS[@]}
|
|
for t in "${!REGISTERED_TESTS[@]}"; do
|
|
${REGISTERED_TESTS[$t]}
|
|
done
|
|
fi
|
|
}
|
|
|
|
# Plays comparison tests to ensure that root and sudo exection have the same output
|
|
play_consistency_tests() {
|
|
consist_test=0
|
|
printf "\033[34m*** [%03d] %s::%s Root/Sudo Consistency Tests\033[0m\n" "$testno" "$test_file" "$usecase"
|
|
retfile_root=$outdir/${usecase_name_root}.retval
|
|
retfile_sudo=$outdir/${usecase_name_sudo}.retval
|
|
ret=$(eval cmp "$retfile_root" "$retfile_sudo")
|
|
if [[ ! 0 -eq $ret ]] ; then
|
|
fail "$name" return values differ
|
|
diff "$retfile_root" "$retfile_sudo"
|
|
consist_test=1
|
|
else
|
|
ok "$name return values are equal"
|
|
|
|
fi
|
|
retfile_root=$outdir/${usecase_name_root}.log
|
|
retfile_sudo=$outdir/${usecase_name_sudo}.log
|
|
cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
|
|
if [[ ! 0 -eq $ret ]] ; then
|
|
fail "$name" logs differ
|
|
diff "$retfile_root" "$retfile_sudo" || true
|
|
consist_test=1
|
|
else
|
|
ok "$name logs are identical"
|
|
fi
|
|
|
|
if [ 1 -eq $consist_test ]; then
|
|
if [ 0 -eq $dismiss_count ]; then
|
|
nbfailedconsist=$(( nbfailedconsist + 1 ))
|
|
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# Actually runs one signel audit script
|
|
_run()
|
|
{
|
|
usecase_name=$1
|
|
shift
|
|
printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
|
|
bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
|
|
ret=$(< "$outdir"/"$usecase_name".retval)
|
|
get_stdout
|
|
}
|
|
|
|
# Load assertion functions for functionnal tests
|
|
if [ ! -f "$(dirname "$0")"/lib.sh ]; then
|
|
fatal "Cannot locate lib.sh"
|
|
fi
|
|
# shellcheck source=/opt/debian-cis/tests/lib.sh
|
|
. "$(dirname "$0")"/lib.sh
|
|
|
|
###################
|
|
# Execution start #
|
|
###################
|
|
printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
|
|
|
|
# if no scripts were passed as arguments, list all available test scenarii to be played
|
|
if [ $# -eq 0 ]; then
|
|
tests_list=$(ls -v "$(dirname "$0")"/hardening/)
|
|
testcount=$(wc -l <<< "$tests_list")
|
|
else
|
|
tests_list="$*"
|
|
testcount=$#
|
|
fi
|
|
|
|
|
|
for test_file in $tests_list; do
|
|
test_file_path=$(dirname "$0")/hardening/"$test_file"
|
|
if [ ! -f "$test_file_path" ]; then
|
|
fatal "Test file \"$test_file\" does not exist"
|
|
fi
|
|
# script var is used inside test files
|
|
# shellcheck disable=2034
|
|
script="$(basename "$test_file" .sh)"
|
|
# source test scenario file to add `test_audit` func
|
|
# shellcheck disable=1090
|
|
. "$test_file_path"
|
|
testno=$(( testno + 1 ))
|
|
# shellcheck disable=2001
|
|
name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
|
|
printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
|
|
# test_audit is the function defined in $test_file, that carries the actual functional tests for this script
|
|
test_audit
|
|
# reset var names
|
|
usecase_name=""
|
|
usecase_name_root=""
|
|
usecase_name_sudo=""
|
|
unset -f test_audit
|
|
echo ""
|
|
done
|
|
|
|
printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
|
|
if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
|
|
echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
|
|
else
|
|
(
|
|
echo -e "\033[41mOne or more tests failed :(\033[0m"
|
|
echo -e "- $nbfailedret unexpected return values ${listfailedret}"
|
|
echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
|
|
echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
|
|
) | tee "$outdir"/summary
|
|
fi
|
|
echo
|
|
|
|
set +e
|
|
set +u
|
|
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
|
|
# leave `exit 255` for runtime errors
|
|
[ $totalerrors -ge 255 ] && totalerrors=254
|
|
exit $totalerrors
|