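#!/bin/bash
#
# runTests.sh - lint the repository, bring up every machine defined in the
# Vagrantfile, apply the hardening script inside each one, run the bats test
# suite and Lynis, and summarise the outcome in TESTRESULTS.adoc.
#
# Requires: shellcheck, vagrant (including the `vagrant scp` command, which
#           is not part of core vagrant), VirtualBox (`vboxmanage`);
#           dos2unix is used when present.
# Outputs:  hardening-<VM>-<yymmdd>-bats.log and -lynis.log per machine,
#           any *.html report copied out of the machines, TESTRESULTS.adoc.
#
# Deliberately no `set -e`: several steps are expected to fail harmlessly
# (removing disks that do not exist yet, grep finding nothing), and each
# stage that matters checks its own exit status.
set -u -o pipefail

#######################################
# Print the machine names defined in the Vagrantfile, one per line.
# Arguments: $1 - "all" to include definitions on lines that start with '#'
#                 (used when purging leftover disks); otherwise those lines
#                 are skipped.
# Outputs:   machine names on stdout
#######################################
vm_defines() {
  if [[ "${1:-}" == "all" ]]; then
    grep config.vm.define Vagrantfile | grep -o '".*"' | tr -d '"'
  else
    grep config.vm.define Vagrantfile | grep -v '^#' | grep -o '".*"' | tr -d '"'
  fi
}

#######################################
# Print the names of the machines `vagrant status` reports as running under
# VirtualBox, one per line.
#######################################
running_vms() {
  vagrant status | grep -iE 'running.*virtualbox' | awk '{print $1}'
}

#######################################
# Static checks before touching any machine: shellcheck over the repository
# and `vagrant validate` over the Vagrantfile.
# Returns:   exits 1 on a missing tool or a failed check
#######################################
lint() {
  if ! command -v shellcheck >/dev/null; then
    echo "shellcheck not found." >&2
    exit 1
  fi
  if ! shellcheck -x -s bash -f gcc tests/*.bash tests/*.sh scripts/* misc/*.sh ./*.sh; then
    exit 1
  fi
  if ! command -v vagrant >/dev/null; then
    echo "vagrant not found." >&2
    exit 1
  fi
  if ! vagrant validate Vagrantfile; then
    exit 1
  fi
}

#######################################
# Start from a clean slate: remove old logs, refresh the boxes, destroy the
# machines and their leftover disks, then bring every defined machine up and
# reload it.
#######################################
recreate_vms() {
  local d v
  local -a names
  find ./ -name '*.log' -exec rm -- {} +
  # NOTE(review): --insecure turns off TLS certificate verification for the
  # box download, so the box is fetched unauthenticated. Tolerable for this
  # throwaway lab only; anywhere else prefer a trusted CA or a pinned checksum.
  vagrant box update --insecure
  vagrant destroy --force
  # Disk path assumed to match what the Vagrantfile configures per machine -
  # TODO confirm. `rm -v` on a file that is not there only reports it.
  mapfile -t names < <(vm_defines all)
  for d in "${names[@]}"; do
    rm -v -- "/tmp/${d}_disk01.vdi"
  done
  # Read the names into an array first so that nothing vagrant runs can
  # consume the rest of the list from stdin.
  mapfile -t names < <(vm_defines)
  for v in "${names[@]}"; do
    vagrant up "${v}"
  done
  for v in "${names[@]}"; do
    vagrant reload "${v}"
  done
}

#######################################
# Copy the helper scripts into each running machine, install the test
# tooling, apply the hardening configuration and run ubuntu.sh, which ends
# with a reboot of the machine.
#######################################
provision_vms() {
  local vm
  local -a vms
  mapfile -t vms < <(running_vms)
  for vm in "${vms[@]}"; do
    vagrant ssh "${vm}" -c 'cp /vagrant/checkScore.sh ~/'
    vagrant ssh "${vm}" -c 'cp /vagrant/misc/genOSCAPreport.sh ~/'
    vagrant ssh "${vm}" -c 'sudo apt-get -y update && sudo apt-get -y install bats net-tools shellcheck --no-install-recommends'
    vagrant ssh "${vm}" -c 'cp -R /vagrant ~/hardening && sed -i.bak -e "s/^AUTOFILL=.*/AUTOFILL='\''Y'\''/" -e "s/^CHANGEME=.*/CHANGEME='\''changed'\''/" ~/hardening/ubuntu.cfg && cd ~/hardening && sudo bash ubuntu.sh && sudo reboot'
  done
}

#######################################
# Wait until each machine answers over ssh again, then run the OSCAP report,
# the bats suite and the Lynis score check inside it and pull the results to
# the host.
# Arguments: $1 - date stamp used in the local log file names
# Outputs:   hardening-<VM>-<stamp>-bats.log, hardening-<VM>-<stamp>-lynis.log
#            and any *.html copied from the machine, in the current directory
#######################################
collect_results() {
  local stamp=$1 vm
  local -a vms
  mapfile -t vms < <(running_vms)
  for vm in "${vms[@]}"; do
    while ! vagrant ssh "${vm}" -c 'id'; do
      echo "Waiting for ${vm}."
      sleep 10
    done
    vagrant ssh "${vm}" -c 'bash ~/genOSCAPreport.sh'
    vagrant ssh "${vm}" -c 'cd ~/hardening/tests && sudo bats . >> ~/bats.log'
    # Keep the whole bats log: filtering it to 'not ok' lines here made a run
    # with zero failures produce an empty file, which the report counts as a
    # failed stage. The report greps '^not ok' out of it itself.
    vagrant ssh "${vm}" -c 'cat ~/bats.log' > "hardening-${vm}-${stamp}-bats.log"
    vagrant ssh "${vm}" -c 'sh ~/checkScore.sh || exit 1 && cat ~/lynis-report.dat' > "hardening-${vm}-${stamp}-lynis.log"
    vagrant scp "${vm}:*.html" "."
  done
}

#######################################
# Write the AsciiDoc summary to stdout: environment, per-machine failed bats
# tests, Lynis findings and a score of 100-(100*FAILED_TESTS/TESTS).
# Returns:   exits 1 when no machine is running
#######################################
write_report() {
  local tests box vm f failed_tests stage_fail
  local -a boxes vms
  tests="$(grep -Ro '@test' tests/*.bats | wc -l)"
  echo "= Vagrant Ubuntu Test results - $(LANG=C date --utc)"
  echo ":icons: font"
  echo "Number of tests: ${tests}"
  echo
  echo "The score is calculated using \`100-(100*FAILED_TESTS/TESTS)\`."
  echo
  echo "NOTE: This is a quick test script using Vagrant boxes and some functions may fail resulting in incorrect output or score. Always verify using systems similar to those used by your organization."
  echo
  echo "== System information"
  echo "----"
  vagrant --version
  echo "VirtualBox $(vboxmanage --version)"
  mapfile -t boxes < <(grep 'vm.box' Vagrantfile | grep -o '".*"$' | tr -d '"')
  for box in "${boxes[@]}"; do
    # -F: the box name is a literal string, not a regular expression.
    vagrant box list | grep -iF -- "${box}" | tail -n1 | sed 's/64.*(/86 \(/g'
  done
  echo "----"
  # Modified VMs. The emptiness check has to happen before the loop: a
  # `for` over an empty list never runs its body.
  mapfile -t vms < <(running_vms)
  if (( ${#vms[@]} == 0 )); then
    echo "We dont have any VMs, exiting." >&2
    exit 1
  fi
  for vm in "${vms[@]}"; do
    echo
    echo "== Ubuntu release: ${vm}"
    echo "----"
    # Defaults cover a missing log: counted as a failed stage with score 0
    # instead of an unset-variable abort under `set -u`.
    failed_tests=100
    stage_fail=1
    while IFS= read -r f; do
      if [[ -s "${f}" ]]; then
        failed_tests="$(grep -c '^not ok' "${f}")"
        echo "Failed number of tests: ${failed_tests}"
        stage_fail=0
      else
        echo "${f} is empty, a test stage failed."
        failed_tests=100
        stage_fail=1
      fi
    done < <(find ./ -name "*${vm}*bats.log" -type f)
    echo "----"
    echo
    echo "=== Failed tests:"
    echo "----"
    if (( stage_fail == 0 )); then
      grep -shE '^not ok' ./*"${vm}"*bats.log | sort -k3n | uniq
    else
      echo "N/A."
    fi
    echo "----"
    echo "=== Lynis score:"
    echo "----"
    while IFS= read -r f; do
      if [[ -s "${f}" ]]; then
        echo
        grep -E 'hardening_index|os_version' "${f}"
      else
        echo "${f} is empty, a test stage failed."
      fi
    done < <(find ./ -name "*${vm}*lynis.log" -type f)
    echo "----"
    echo
    echo "=== Lynis warnings and suggestions:"
    echo "----"
    grep -shE '^warning|^suggestion' ./*"${vm}"*lynis.log | sort -r | uniq
    echo "----"
    echo
    if (( tests > 0 )); then
      echo "=== Score: $((100-(100*failed_tests/tests)))"
    else
      # No @test found in tests/*.bats: avoid dividing by zero.
      echo "=== Score: N/A (no tests found)"
    fi
  done
}

#######################################
# Entry point: lint, recreate and provision the machines, collect the
# results and write TESTRESULTS.adoc.
#######################################
main() {
  local stamp
  lint
  recreate_vms
  provision_vms
  # One stamp for the whole collection pass so all logs of a run share it.
  stamp="$(date +%y%m%d)"
  collect_results "${stamp}"
  write_report > TESTRESULTS.adoc
  if command -v dos2unix >/dev/null; then
    dos2unix TESTRESULTS.adoc
  fi
}

main "$@"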