mirror of
https://github.com/ovh/debian-cis.git
synced 2025-03-14 15:45:27 +01:00
de295b3a77
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)" This reverts commit 670c8c62f512afa562f6f77279341910a7f59181. We still want to verify the preexisting hashes in /etc/shadow, even if the PAM configuration is correct for new passwords (5.3.4). * Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
39 lines
1.4 KiB
Bash
39 lines
1.4 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 0
|
|
register_test contain "is present in /etc/login.defs"
|
|
# shellcheck disable=2154
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
cp /etc/login.defs /tmp/login.defs.bak
|
|
describe Line as comment
|
|
sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs
|
|
register_test retvalshouldbe 1
|
|
register_test contain "is not present in /etc/login.defs"
|
|
run commented "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
rm /etc/login.defs
|
|
describe Fail: missing conf file
|
|
register_test retvalshouldbe 1
|
|
register_test contain "/etc/login.defs is not readable"
|
|
run missconffile "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
cp /tmp/login.defs.bak /etc/login.defs
|
|
sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs
|
|
describe Fail: wrong hash function configuration
|
|
register_test retvalshouldbe 1
|
|
register_test contain "is not present in /etc/login.defs"
|
|
run wrongconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe Correcting situation
|
|
sed -i 's/disabled/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
|
|
|
describe Checking resolved state
|
|
mv /tmp/login.defs.bak /etc/login.defs
|
|
register_test retvalshouldbe 0
|
|
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
}
|