
Commit 99bc575

damcav35Damien Cavagnini
andauthored
Damcava35/test pre commit (#256)
* chore: make linter happy for existing code * fix: add missing test 2.1.2_disable_bsd_intetd.sh * feat: add basic pre commit Ensure a check has a corresponding test --------- Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
1 parent 9a225c6 commit 99bc575


8 files changed

+56
-4
lines changed

8 files changed

+56
-4
lines changed

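--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+- repo: local
+hooks:
+- id: check_has_test
+name: check_has_test.sh
+description: Ensure a check has a corresponding test
+entry: hooks/check_has_test.sh
+language: script
+pass_filenames: true
+files: "^bin/hardening/"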

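--- a/bin/hardening/99.1.1.23_disable_usb_devices.sh
+++ b/bin/hardening/99.1.1.23_disable_usb_devices.sh
@@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 SEARCH_RES=0
+# if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+# shellcheck disable=SC2086
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
 if [ "$SEARCH_RES" = 1 ]; then break; fi
 if $SUDO_CMD test -d "$FILE_SEARCHED"; then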
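Review bot: The new comment at line 29 documents a workaround rather than resolving it: the SC2086/SC2066 conflict only exists because FILES_TO_SEARCH is a space-separated string that must be word-split. Holding the paths in a bash array removes both warnings and also keeps paths containing spaces intact, e.g. `for FILE_SEARCHED in "${FILES_TO_SEARCH[@]}"; do` with the variable declared as an array. FILES_TO_SEARCH is assigned outside this hunk, so whether it is built dynamically from a string cannot be seen here; audit() also continues past the hunk.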

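--- a/hooks/check_has_test.sh
+++ b/hooks/check_has_test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_path="tests/hardening"
+failure=0
+failed_checks=""
+
+for check in "$@"; do
+base_name=$(basename "$check")
+if [ ! -f $test_path/"$base_name" ]; then
+failure=1
+failed_checks="$failed_checks $base_name"
+fi
+done
+
+if [ $failure -ne 0 ]; then
+for check in $failed_checks; do
+echo "missing file $test_path/$check"
+done
+fi
+
+exit $failure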
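Review bot: The new hook is itself excluded from the project's lint run: shellcheck/launch_shellcheck.sh (changed in this same commit) only lints files whose head contains the `# run-shellcheck` marker, and hooks/check_has_test.sh has no such line after the shebang, so none of its quoting issues will ever be reported. Adding `# run-shellcheck` on line 2 brings it under the same rule the rest of the repository follows. The test at line 9 quotes only half the path, `[ ! -f $test_path/"$base_name" ]`; `[ ! -f "$test_path/$base_name" ]` is the consistent form, and collecting the failed names in an array (`failed_checks+=("$base_name")`, iterated with `"${failed_checks[@]}"`) avoids the string concatenation and word-splitting at lines 11 and 16. A `set -u` near the top would also catch an unset variable before the hook silently exits 0.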

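--- a/lib/common.sh
+++ b/lib/common.sh
@@ -148,5 +148,5 @@ div() {
 fi
 local _r=$(($1$_n / $2))
 _r=${_r:0:-$_d}.${_r: -$_d}
-echo $_r
+echo "$_r"
 }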

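--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -11,6 +11,7 @@ has_sysctl_param_expected_result() {
 local SYSCTL_PARAM=$1
 local EXP_RESULT=$2
 
+# shellcheck disable=SC2319
 if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
 FNRET=0
 elif [ "$?" = 255 ]; then
@@ -35,6 +36,7 @@ set_sysctl_param() {
 local SYSCTL_PARAM=$1
 local VALUE=$2
 debug "Setting $SYSCTL_PARAM to $VALUE"
+# shellcheck disable=SC2319
 if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
 FNRET=0
 elif [ $? = 255 ]; then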
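Review bot: The `# shellcheck disable=SC2319` lines added in both hunks silence a warning that points at a real defect rather than a false positive: in `elif [ "$?" = 255 ]` (line 17 of has_sysctl_param_expected_result and line 42 of set_sysctl_param) `$?` is the exit status of the preceding `[` test, not of sysctl, and `[` never returns 255, so the branch that is meant to detect a sysctl failure can never be taken. The fix is to capture the command output and its status separately before the comparison, which also makes the disable directive unnecessary; the same rewrite applies to the second hunk. Both functions continue outside their hunks, so the `elif` bodies and whatever FNRET value they set are not visible here.
```shell
has_sysctl_param_expected_result() {
local SYSCTL_PARAM=$1
local EXP_RESULT=$2
local out rc
out=$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)
rc=$?
if [ "$out" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
FNRET=0
elif [ "$rc" = 255 ]; then
# … unchanged: rest of the function, outside the hunk …
```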

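--- a/shellcheck/launch_shellcheck.sh
+++ b/shellcheck/launch_shellcheck.sh
@@ -14,7 +14,8 @@ fi
 for f in $files; do
 if head "$f" | grep -qE "^# run-shellcheck$"; then
 printf "\e[1;36mRunning shellcheck on: %s \e[0m\n" "$f"
-if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
+# SC2317: command unreachable, sometimes has a hard time reaching the command in a function
+if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
 retval=$((retval + 1))
 fi
 fi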
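Review bot: `--exclude=SC2317` on line 18 turns off the unreachable-code check for every file the launcher lints, whereas the rest of this commit suppresses individual findings at the site with `# shellcheck disable=...` comments; a genuinely unreachable statement added later in any audit script will now go unreported. If the false positives are confined to a few functions, a per-file or per-function `# shellcheck disable=SC2317` keeps the check active elsewhere and is consistent with the style used in lib/utils.sh. The comment on line 17 could also name which files trigger it so the exclusion can be revisited, e.g. `# SC2317: false positives on functions invoked indirectly by the test harness; revisit when shellcheck is upgraded`.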
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
# shellcheck shell=bash
2+
# run-shellcheck
3+
test_audit() {
4+
describe Running on blank host
5+
register_test retvalshouldbe 0
6+
dismiss_count_for_test
7+
# shellcheck disable=2154
8+
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
9+
10+
##################################################################
11+
# For this test, we only check that it runs properly on a blank #
12+
# host, and we check root/sudo consistency. But, we don't test #
13+
# the apply function because it can't be automated or it is very #
14+
# long to test and not very useful. #
15+
##################################################################
16+
}

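--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@@ -13,7 +13,7 @@ cleanup_and_exit() {
 if [ "$totalerrors" -eq 255 ]; then
 fatal "RUNTIME ERROR"
 fi
-exit $totalerrors
+exit "$totalerrors"
 }
 trap "cleanup_and_exit" EXIT HUP INT
 
@@ -125,7 +125,7 @@ play_consistency_tests() {
 ok "$name logs are identical"
 fi
 
-if [ 1 -eq $consist_test ]; then
+if [ 1 -eq "$consist_test" ]; then
 nbfailedconsist=$((nbfailedconsist + 1))
 listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
 fi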
