mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-24 14:31:24 +01:00
a2adf0f15c
Renamed some checks, add new checks that check permissions and ownership on /etc/passwd, /etc/shadow, ... Add new function in utils that checks that check that the file ownership is one of the authrized ownership. renamed: bin/hardening/6.1.5_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh new file: bin/hardening/6.1.3_etc_gshadow-_permissions.sh renamed: bin/hardening/6.1.6_etc_shadow_permissions.sh -> bin/hardening/6.1.4_etc_shadow_permissions.sh renamed: bin/hardening/6.1.7_etc_group_permissions.sh -> bin/hardening/6.1.5_etc_group_permissions.sh new file: bin/hardening/6.1.6_etc_passwd-_permissions.sh new file: bin/hardening/6.1.7_etc_shadow-_permissions.sh new file: bin/hardening/6.1.8_etc_group-_permissions.sh new file: bin/hardening/6.1.9_etc_gshadow_permissions.sh modified: lib/utils.sh renamed: tests/hardening/6.1.5_etc_passwd_permissions.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh new file: tests/hardening/6.1.3_etc_gshadow-_permissions.sh renamed: tests/hardening/6.1.6_etc_shadow_permissions.sh -> tests/hardening/6.1.4_etc_shadow_permissions.sh renamed: tests/hardening/6.1.7_etc_group_permissions.sh -> tests/hardening/6.1.5_etc_group_permissions.sh new file: tests/hardening/6.1.6_etc_passwd-_permissions.sh new file: tests/hardening/6.1.7_etc_shadow-_permissions.sh new file: tests/hardening/6.1.8_etc_group-_permissions.sh new file: tests/hardening/6.1.9_etc_gshadow_permissions.sh
43 lines
1.4 KiB
Bash
43 lines
1.4 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
test_audit() {
|
|
describe Running on blank host
|
|
register_test retvalshouldbe 0
|
|
dismiss_count_for_test
|
|
# shellcheck disable=2154
|
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
local test_user="testetcgroupuser"
|
|
local test_file="/etc/group"
|
|
|
|
describe Tests purposely failing
|
|
chmod 777 "$test_file"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "permissions were not set to"
|
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
describe correcting situation
|
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
|
|
|
describe Tests purposely failing
|
|
useradd "$test_user"
|
|
chown "$test_user":"$test_user" "$test_file"
|
|
register_test retvalshouldbe 1
|
|
register_test contain "ownership was not set to"
|
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
describe correcting situation
|
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
|
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
|
|
|
describe Checking resolved state
|
|
register_test retvalshouldbe 0
|
|
register_test contain "has correct permissions"
|
|
register_test contain "has correct ownership"
|
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
# Cleanup
|
|
userdel "$test_user"
|
|
}
|