mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
de295b3a77
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5
.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
41 lines
1.4 KiB
Bash
41 lines
1.4 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 0
|
|
register_test contain "There is no password in /etc/shadow"
|
|
dismiss_count_for_test
|
|
# shellcheck disable=2154
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
cp -a /etc/shadow /tmp/shadow.bak
|
|
sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow
|
|
describe Fail: Found unsecure password
|
|
register_test retvalshouldbe 1
|
|
register_test contain "User secaudit has a password that is not"
|
|
run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
|
|
describe Fail: Found disabled password
|
|
register_test retvalshouldbe 0
|
|
register_test contain "User secaudit has a disabled password"
|
|
run lockedpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
mv /tmp/shadow.bak /etc/shadow
|
|
chpasswd -c SHA512 <<EOF
|
|
secaudit:mypassword
|
|
EOF
|
|
describe Pass: Found properly hashed password
|
|
register_test retvalshouldbe 0
|
|
register_test contain "User secaudit has suitable"
|
|
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
chpasswd -c SHA512 -s 1000 <<EOF
|
|
secaudit:mypassword
|
|
EOF
|
|
describe Pass: Found properly hashed password with custom round number
|
|
register_test retvalshouldbe 0
|
|
register_test contain "User secaudit has suitable"
|
|
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
}
|