baco/born2beroot
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
57a6be7d833497cfc3a14da51dfb88639fa24c23
born2beroot/test
gbaconni 57a6be7d83 2022-01-25 11:52:45
2022-01-25 11:52:45 +01:00

179 lines
5.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
ssh_clean ()
{
ssh-keygen -R "[127.0.0.1]:4242" >/dev/null 2>&1
}
ssh_exec ()
{
port=${1-4242}
shift
login=${1-marvin}
shift
pass=${1-Born2beWild}
shift
export SSHPASS="${pass}"
./ssh.exp -p ${port} ${login}@127.0.0.1 $@ 2>&1 \
| grep -v -i -e '^Warning: Permanently added' -e ' password:' -e '^spawn ssh'
}
ssh_sudo ()
{
port=${1-4242}
shift
login=${1-marvin}
shift
pass=${1-Born2beWild}
shift
export SSHPASS="${pass}"
./ssh_sudo.exp -p ${port} ${login}@127.0.0.1 sudo $@ 2>&1 \
| grep -v -i -e '^Warning: Permanently added' -e 'password' -e '^spawn ssh' -e 'Connection to'
}
main ()
{
port=${1-4242}
echo -n "Username: "
read -r login
if [ "${login}" == "" ]
then
login=$(git config user.name || echo $USER)
fi
echo -n "Password: "
read -s pass
if [ "${pass}" == "" ]
then
pass="Born2beWild"
fi
echo ""
ssh_clean
if ssh_exec ${port} ${login} ${pass} hostname -s | grep -q "^${login}42"
then
echo "OK: Hostname is ${login}42"
else
echo "KO: Unexpected hostname (should be ${login}42)"
fi
if ssh_exec ${port} ${login} ${pass} cat /etc/os-release | grep -q -i -E "(CentOS|Debian)"
then
echo "OK: Debian or CentOS installed"
else
echo "KO: Unknown Linux distribution"
fi
if ssh_exec ${port} ${login} ${pass} cat /etc/os-release | grep -q -i -E '(bullseye|"8")'
then
echo "OK: Using stable distro"
else
echo "KO: Not using stable distro"
fi
if ssh_exec ${port} ${login} ${pass} /usr/sbin/aa-status | grep -q -i -E "apparmor module is loaded" \
|| ssh_exec ${port} ${login} ${pass} sestatus | grep -q -i -E "SELinux status:[^e]*enabled"
then
echo "OK: AppArmor or SELinux is active"
else
echo "KO: No AppArmor or SELinux is active"
fi
if ssh_exec ${port} ${login} ${pass} lspci | grep -q -i -E "(VirtualBox|QEMU)"
then
echo "OK: VirtualBox or UTM QEMU"
else
echo "KO: Unexpected Virtual Machine"
fi
if ssh_exec ${port} ${login} ${pass} dpkg -l | grep -q -i -E "(xserver|xorg)" \
|| ssh_exec ${port} ${login} ${pass} rpm -qa | grep -q -i -E "(xserver|xorg)"
then
echo "KO: X server is present"
else
echo "OK: No X server"
fi
if ssh_exec ${port} ${login} ${pass} lsblk | grep -q -i -E "_crypt"
then
echo "OK: Disk is encrypted"
else
echo "KO: Disk is not encrypted"
fi
if ssh_exec ${port} ${login} ${pass} lsblk | grep -c "lvm" | grep -q -E '^[2-9]'
then
echo "OK: Two or more partitions use LVM"
else
echo "KO: Less than two or no partitions use LVM"
fi
if ssh_exec ${port} ${login} ${pass} cat /etc/ssh/sshd_config | grep -q -i -E '^Port 4242' \
&& ssh_exec ${port} ${login} ${pass} cat /etc/ssh/sshd_config | grep -q -i -E '^PermitRootLogin no'
then
echo "OK: SSH config is correctly setup"
else
echo "KO: SSH config is not correctly setup"
fi
if ssh_exec ${port} ${login} ${pass} groups ${login} | grep -q -E "( user42.* sudo| sudo.* user42)"
then
echo "OK: ${login} is member of both user42 and sudo groups"
else
echo "KO: ${login} is not member of both user42 and sudo groups"
fi
if ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Maximum number of days between password change.*\: 30' \
&& ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Minimum number of days between password change.*\: 2' \
&& ssh_exec ${port} ${login} ${pass} chage -l ${login} | grep -q -i -E '^Number of days of warning before password expires.*\: 7'
then
echo "OK: Password expiration for ${login} is correct"
else
echo "KO: Password expiration for ${login} is wrong"
fi
if ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q -i -E '^Maximum number of days between password change.*\: 31' \
&& ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q -i -E '^Minimum number of days between password change.*\: 2' \
&& ssh_sudo ${port} ${login} ${pass} chage -l root | grep -q -i -E '^Number of days of warning before password expires.*\: 7'
then
echo "OK: Password expiration for root is correct"
else
echo "KO: Password expiration for root is wrong"
fi
if ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_MAX_DAYS.*\t30' \
&& ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_MIN_DAYS.*\t2' \
&& ssh_exec ${port} ${login} ${pass} cat /etc/login.defs | grep -q -i -E '^PASS_WARN_AGE.*\t7'
then
echo "OK: Password expiration policy is correct"
else
echo "KO: Password expiration policy is wrong"
fi
if ssh_exec ${port} ${login} ${pass} ss -tunlpe | grep -q -E "LISTEN.*:4242.*ssh"
then
echo "OK: ssh running on 4242"
else
echo "KO: ssh not running on 4242"
fi
if ssh_sudo ${port} ${login} ${pass} /usr/sbin/ufw status | grep -q -E "Status: active"
then
echo "OK: Firewall ufw is active"
else
echo "KO: No firewall ufw is active"
fi
if ssh_sudo ${port} ${login} ${pass} /usr/sbin/ufw status | grep -q -E "4242.*ALLOW.*Anywhere"
then
echo "OK: Firewall allow port 4242 from anywhere"
else
echo "KO: Firewall does not allow port 4242 from anywhere"
fi
}
main $@
exit $?
#42
Reference in New Issue View Git Blame Copy Permalink