feat: add trixie docker build

Ensure the current debian12 scripts are going to run on trixie

Author: damien cavagnini

.github/workflows/functionnal-tests.yml

@@ -18,3 +18,10 @@ jobs:
         uses: actions/checkout@v5
       - name: Run the tests debian12
         run: ./tests/docker_build_and_run_tests.sh debian12
+  functionnal-tests-docker-debian13:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+      - name: Run the tests debian13
+        run: ./tests/docker_build_and_run_tests.sh debian13

tests/docker/Dockerfile.debian13

@@ -0,0 +1,21 @@
+FROM debian:trixie
+
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
+
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
+
+COPY --chown=500:500 . /opt/debian-cis/
+
+COPY debian/default /etc/default/cis-hardening
+RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
+
+COPY cisharden.sudoers /etc/sudoers.d/secaudit
+RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
+
+
+ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

tests/hardening/acc_logindefs_sha512.sh

@@ -10,6 +10,7 @@ test_audit() {
     cp /etc/login.defs /tmp/login.defs.bak
     describe Line as comment
     sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs
+    sed -i 's/\(ENCRYPT_METHOD YESCRYPT\)/# \1/' /etc/login.defs
     register_test retvalshouldbe 1
     register_test contain "is not present in /etc/login.defs"
     run commented "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@@ -22,6 +23,7 @@ test_audit() {
 
     cp /tmp/login.defs.bak /etc/login.defs
     sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs
+    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+YESCRYPT/ENCRYPT_METHOD MD5/' /etc/login.defs
     describe Fail: wrong hash function configuration
     register_test retvalshouldbe 1
     register_test contain "is not present in /etc/login.defs"

tests/hardening/check_user_dot_file_perm.sh

@@ -13,6 +13,7 @@ test_audit() {
     describe Tests purposely failing
     useradd --create-home "$test_user"
     touch "/home/$test_user/$test_file"
+    chmod o+rx "/home/$test_user"
     chmod 777 "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "Group Write permission set on FILE"

tests/hardening/find_user_forward_files.sh

@@ -12,6 +12,7 @@ test_audit() {
 
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"

tests/hardening/find_user_netrc_files.sh

@@ -12,6 +12,7 @@ test_audit() {
 
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"

tests/hardening/find_user_rhosts_files.sh

@@ -12,6 +12,7 @@ test_audit() {
 
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user"
     touch "/home/$test_user/$test_file"
     register_test retvalshouldbe 1
     register_test contain "$test_file present"

tests/hardening/set_perm_on_user_netrc.sh

@@ -12,6 +12,7 @@ test_audit() {
 
     describe Tests purposely failing
     useradd --create-home "$test_user"
+    chmod o+rx "/home/$test_user/"
     touch "/home/$test_user/$test_file"
     chmod 777 "/home/$test_user/$test_file"
     register_test retvalshouldbe 1

tests/hardening/ssh_sys_accept_env.sh

@@ -9,7 +9,8 @@ test_audit() {
 
     # Proceed to operation that will end up to a non compliant system
     describe Tests purposely failing
-    sed -ri 's/^\s*AcceptEnv\s+LANG LC_\*//' /etc/ssh/sshd_config
+    # remove the whole line, or sshd wont start (trixie)
+    sed -ri 's/^\s*AcceptEnv\s+LANG LC_\*.*$//' /etc/ssh/sshd_config
     register_test retvalshouldbe 1
     register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
     run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

tests/hardening/tftp_is_disabled.sh

@@ -19,18 +19,11 @@ test_audit() {
     register_test retvalshouldbe 0
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    describe Prepare test package dependencies
-    # try to install a package that depends on 'tftpd-hpa'
-    apt install -y tftp-hpa-dbg
-    # running on a container, we can only test the package installation, not the service management
-
-    describe Running successfull test
-    register_test retvalshouldbe 0
-    # shellcheck disable=2154
-    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    # we can not test dependencies on trixie, because no package depends from tftpf-hpa
+    # we should use the "get_debian_major_version" from lib/utils.sh, but we can't source it in the actual state
 
     describe clean installation
-    apt remove -y tftp-hpa-dbg tftpd-hpa
+    apt remove -y tftpd-hpa
     apt autoremove -y
 
 }