debian-cis/tests/hardening/99.5.2.4_ssh_keys_from.sh
P-EB 32886d3a3d
Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00

81 lines
2.9 KiB
Bash

# shellcheck shell=bash
# run-shellcheck
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
skip_tests
# shellcheck disable=2154
run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
useradd -s /bin/bash jeantestuser
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory"
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /home/secaudit/.ssh
touch /home/secaudit/.ssh/authorized_keys2
describe empty authorized keys file
register_test retvalshouldbe 0
run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
ssh-keygen -N "" -t ed25519 -f /tmp/key1
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
describe Key without from field
register_test retvalshouldbe 1
run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
{
echo -n 'from="127.0.0.1" '
cat /tmp/key1.pub
} >/home/secaudit/.ssh/authorized_keys2
describe Key with from, no ip check
register_test retvalshouldbe 0
run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
{
echo -n 'from="10.0.1.2" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from, filled allowed IPs, one bad ip
register_test retvalshouldbe 1
run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
describe Key with from, filled allowed IPs, all IPs allowed
register_test retvalshouldbe 0
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
{
echo -n 'from="10.0.1.2",command="echo bla" '
cat /tmp/key1.pub
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from and command options
register_test retvalshouldbe 0
run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
useradd -s /bin/bash -m jeantest2
# shellcheck disable=2016
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
describe Check only specified user
register_test retvalshouldbe 0
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel jeantestuser
userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub
}