diff --git a/test b/test
new file mode 100755
index 0000000..1ddb052
--- /dev/null
+++ b/test
@@ -0,0 +1,178 @@
+#!/bin/bash
+
+ssh_clean ()
+{
+ ssh-keygen -R "[127.0.0.1]:4242" >/dev/null 2>&1
+}
+
+ssh_exec ()
+{
+ port=${1-4242}
+ shift
+ login=${1-marvin}
+ shift
+ pass=${1-Born2beWild}
+ shift
+ export SSHPASS="${pass}"
+ ./ssh.exp -p ${port} ${login}@127.0.0.1 $@ 2>&1 \
+ | grep -v -i -e '^Warning: Permanently added' -e ' password:' -e '^spawn ssh'
+}
+
+ssh_sudo ()
+{
+ port=${1-4242}
+ shift
+ login=${1-marvin}
+ shift
+ pass=${1-Born2beWild}
+ shift
+ export SSHPASS="${pass}"
+ ./ssh_sudo.exp -p ${port} ${login}@127.0.0.1 sudo $@ 2>&1 \
+ | grep -v -i -e '^Warning: Permanently added' -e 'password' -e '^spawn ssh' -e 'Connection to'
+}
+
+main ()
+{
+ port=${1-4242}
+ echo -n "Username: "
+ read -r login
+ if [ "${login}" == "" ]
+ then
+ login=$(git config user.name || echo $USER)
+ fi
+ echo -n "Password: "
+ read -s pass
+ if [ "${pass}" == "" ]
+ then
+ pass="Born2beWild"
+ fi
+ echo ""
+
+ ssh_clean
+
+ if ssh_exec ${port} ${login} ${pass} hostname -s | grep -q "^${login}42"
+ then
+ echo "OK: Hostname is ${login}42"
+ else
+ echo "KO: Unexpected hostname (should be ${login}42)"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} cat /etc/os-release | grep -q -i -E "(CentOS|Debian)"
+ then
+ echo "OK: Debian or CentOS installed"
+ else
+ echo "KO: Unknown Linux distribution"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} cat /etc/os-release | grep -q -i -E '(bullseye|"8")'
+ then
+ echo "OK: Using stable distro"
+ else
+ echo "KO: Not using stable distro"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} /usr/sbin/aa-status | grep -q -i -E "apparmor module is loaded" \
+ || ssh_exec ${port} ${login} ${pass} sestatus | grep -q -i -E "SELinux status:[^e]*enabled"
+ then
+ echo "OK: AppArmor or SELinux is active"
+ else
+ echo "KO: No AppArmor or SELinux is active"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} lspci | grep -q -i -E "(VirtualBox|QEMU)"
+ then
+ echo "OK: VirtualBox or UTM QEMU"
+ else
+ echo "KO: Unexpected Virtual Machine"
+ fi
+
+ if 
ssh_exec ${port} ${login} ${pass} dpkg -l | grep -q -i -E "(xserver|xorg)" \
+ || ssh_exec ${port} ${login} ${pass} rpm -qa | grep -q -i -E "(xserver|xorg)"
+ then
+ echo "KO: X server is present"
+ else
+ echo "OK: No X server"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} lsblk | grep -q -i -E "_crypt"
+ then
+ echo "OK: Disk is encrypted"
+ else
+ echo "KO: Disk is not encrypted"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} lsblk | grep -c "lvm" | grep -q -E '^[2-9]'
+ then
+ echo "OK: Two or more partitions use LVM"
+ else
+ echo "KO: Less than two or no partitions use LVM"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} cat /etc/ssh/sshd_config | grep -q -i -E '^Port 4242' \
+ && ssh_exec ${port} ${login} ${pass} cat /etc/ssh/sshd_config | grep -q -i -E '^PermitRootLogin no'
+ then
+ echo "OK: SSH config is correctly setup"
+ else
+ echo "KO: SSH config is not correctly setup"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} groups ${login} | grep -q -E "( user42.* sudo| sudo.* user42)"
+ then
+ echo "OK: ${login} is member of both user42 and sudo groups"
+ else
+ echo "KO: ${login} is not member of both user42 and sudo groups"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Maximum number of days between password change.*\: 30' \
+ && ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Minimum number of days between password change.*\: 2' \
+ && ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Number of days of warning before password expires.*\: 7'
+ then
+ echo "OK: Password expiration for ${login} is correct"
+ else
+ echo "KO: Password expiration for ${login} is wrong"
+ fi
+
+ if ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q -i -E '^Maximum number of days between password change.*\: 31' \
+ && ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q -i -E '^Minimum number of days between password change.*\: 2' \
+ && ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q 
-i -E '^Number of days of warning before password expires.*\: 7'
+ then
+ echo "OK: Password expiration for root is correct"
+ else
+ echo "KO: Password expiration for root is wrong"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_MAX_DAYS.*\t30' \
+ && ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_MIN_DAYS.*\t2' \
+ && ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_WARN_AGE.*\t7'
+ then
+ echo "OK: Password expiration policy is correct"
+ else
+ echo "KO: Password expiration policy is wrong"
+ fi
+
+ if ssh_exec ${port} ${login} ${pass} ss -tunlpe | grep -q -E "LISTEN.*:4242.*ssh"
+ then
+ echo "OK: ssh running on 4242"
+ else
+ echo "KO: ssh not running on 4242"
+ fi
+
+ if ssh_sudo ${port} ${login} ${pass} /usr/sbin/ufw status | grep -q -E "Status: active"
+ then
+ echo "OK: Firewall ufw is active"
+ else
+ echo "KO: No firewall ufw is active"
+ fi
+
+ if ssh_sudo ${port} ${login} ${pass} /usr/sbin/ufw status | grep -q -E "4242.*ALLOW.*Anywhere"
+ then
+ echo "OK: Firewall allow port 4242 from anywhere"
+ else
+ echo "KO: Firewall does not allow port 4242 from anywhere"
+ fi
+}
+
+main $@
+exit $?
+
+#42
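Review bot: The /etc/login.defs checks near the end of the hunk put `\t` inside `grep -E` patterns, but POSIX ERE has no tab escape and GNU grep treats `\t` as a literal `t`, so `'^PASS_MAX_DAYS.*\t30'` requires the text `t30` and the policy check reports KO on a correctly configured host; use `'^PASS_MAX_DAYS[[:space:]]+30([[:space:]]|$)'` and the same form for PASS_MIN_DAYS and PASS_WARN_AGE. The user-supplied login and password are expanded unquoted at every `ssh_exec ${port} ${login} ${pass} …` call site and as `$@` inside ssh_exec/ssh_sudo, so a password containing whitespace or glob characters is word-split and its tail becomes part of the remote command; quote them (`ssh_exec "${port}" "${login}" "${pass}" hostname -s`, `"$@"` in both helpers) and read the password with `read -rs pass` so backslashes survive. Two other checks are likely to mis-report: `ss -tunlpe` run as the unprivileged login normally cannot name the owner of root's listening socket, so the `.*ssh` part of that pattern may never match (run it through ssh_sudo or drop `.*ssh`), and grepping `/etc/ssh/sshd_config` ignores any `Include`d drop-in file, whereas `ssh_sudo … sshd -T | grep -q -i '^port 4242'` reports the effective value. Finally, ssh_clean deletes the known_hosts entry for 127.0.0.1:4242 before every run and both helpers filter out `Permanently added`, which means the host key is never actually verified; that is acceptable for a disposable local VM but worth stating, e.g. `# host key is wiped each run: target is a disposable local VM, never point this at a real host`.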