Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow multiple users in 5.2.18 #228

Merged
merged 9 commits into from
Jan 10, 2024
Merged

allow multiple users in 5.2.18 #228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
ed0c71c
allow multiple exception users for 99.5.2.4
lgaida Dec 20, 2023
f8a3a12
move clean up part of previous commit
lgaida Dec 20, 2023
5370c7c
split clean up part of previous commit
lgaida Dec 20, 2023
11f9ae7
Merge branch 'master' into master
ThibaultDewailly Dec 27, 2023
aeb669a
add tests for multiple allowed and denied ssh users
lgaida Jan 3, 2024
a1b0366
fix script to correctly set multiple allowed and denied ssh users
lgaida Jan 3, 2024
486115c
add cleanup resolved check to 5.2.18
lgaida Jan 3, 2024
6f821da
Merge branch 'ovh:master' into master
lgaida Jan 3, 2024
8d45435
apply shellfmt to 5.2.18
lgaida Jan 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions bin/hardening/5.2.18_sshd_limit_access.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'

# This function will be called if the script status is on enabled / audit mode
audit() {
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
Expand All @@ -53,7 +53,7 @@ apply() {
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
for SSH_OPTION in $OPTIONS; do
for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
Expand Down
105 changes: 105 additions & 0 deletions tests/hardening/5.2.18_sshd_limit_access.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,109 @@ test_audit() {
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

describe Check and report mismatch for allowed user
useradd -s /bin/bash johnallow
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

describe Correctly apply allowed user
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all

describe Check and report mismatch for multiple allowed users
useradd -s /bin/bash janeallow
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

describe Correctly apply multiple allowed users
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
tail -n 5 /etc/ssh/sshd_config
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

# reset allowed users to default before continuing
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"

describe Check and report mismatch for denied user
useradd -s /bin/bash peterdeny
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

describe Correctly apply denied user
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all

describe Check and report mismatch for multiple denied users
useradd -s /bin/bash marrydeny
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

describe Correctly apply multiple denied users
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

# reset to prevent other test from possibly failing in the future
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

# Cleanup
userdel johnallow
userdel janeallow
userdel peterdeny
userdel marrydeny
}