Merge pull request #84 from awailly/section-13-coverage

Section 13 coverage
awailly · Mar 3, 2016 · cf833a0 · cf833a0
2 parents 6d86479 + 185720e
commit cf833a0
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/tasks/section_13_level1.yml b/tasks/section_13_level1.yml
@@ -4,7 +4,7 @@
     command: awk -F':' '($2 == "" ) { print $1 }' /etc/shadow
     register: awk_empty_shadow
     changed_when: False
-    failed_when: awk_empty_shadow.stdout != '' and not lock_shadow_accounts
+    failed_when: awk_empty_shadow.stdout != '' and lock_shadow_accounts == False
     tags:
       - section13
       - section13.1
@@ -13,7 +13,7 @@
     command: passwd -l '{{ item }}'
     with_items:
         awk_empty_shadow.stdout_lines
-    when: lock_shadow_accounts
+    when: lock_shadow_accounts == True
     tags:
       - section13
       - section13.1
@@ -73,7 +73,8 @@
       - section13.6
 
   - name: 13.6.3 Ensure root PATH Integrity (dot in path) (Scored)
-    shell: "echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
+    shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
+    become: yes
     register: dot_in_path
     changed_when: False
     failed_when: '"." in dot_in_path.stdout_lines'
@@ -84,6 +85,7 @@
   - name: 13.6.4 Ensure root PATH Integrity (Scored)
     file: >
         path='{{ item }}'
+        follow=yes
         state=directory
         owner=root
         mode='o-w,g-w'

diff --git a/tests/callbacks/log_plays.py b/tests/callbacks/log_plays.py
@@ -121,7 +121,9 @@ def __init__(self, name):
             self.isalwaysok = teststat
 
     def update(self, status):
-        self.status = status
+        # We cannot go back to OK after CHANGED
+        if not (self.status == 'CHANGED' and status == 'OK'):
+            self.status = status
 
 class CallbackModule(object):
     """

diff --git a/tests/setup-tests.sh b/tests/setup-tests.sh
@@ -45,3 +45,24 @@ sudo chmod 777 /etc/hosts.deny
 
 #Prepare section 08
 sudo chmod 777 /etc/rsyslog.conf
+
+#Prepare section 13
+#section13.1
+sudo adduser --system --shell /bin/bash --disabled-password --home /home/git nopassuser
+sudo passwd -d nopassuser
+#section13.6
+mkdir /tmp/wordwritabledir
+chmod 777 /tmp/wordwritabledir
+sudo sed -ri 's;^PATH="(.*)";PATH="\1:/tmp/wordwritabledir";' /etc/environment
+echo "export PATH=/tmp/wordwritabledir:\$PATH" >> ~/.bashrc
+echo "export PATH=/tmp/wordwritabledir:\$PATH" > /tmp/hackpath
+sudo cat /root/.bashrc /tmp/hackpath > /tmp/finalpath
+sudo cp /tmp/finalpath /root/.bashrc
+sudo sed -i.bak '/secure_path/d' /etc/sudoers
+#section13.8.2
+mkdir ~/.dotpermissive
+echo 'secr3t' > ~/.dotpermissive/secr3t
+chmod 777 ~/.dotpermissive
+#section13.10
+mkdir ~/.rhosts
+mkdir ~/.forward
diff --git a/tests/travis_defaults.yml b/tests/travis_defaults.yml
@@ -1,3 +1,6 @@
+# Better coverage with automatic account locking
+lock_shadow_accounts: True
+
 # Set this flag to use AppArmor. It is useful to disable it when the system does not support the kernel module.
 use_apparmor: False