2020-11-27 09:22:47 +01:00
|
|
|
# shellcheck shell=bash
|
2020-11-23 17:10:37 +01:00
|
|
|
# run-shellcheck
|
|
|
|
|
|
2020-12-07 17:11:32 +01:00
|
|
|
LONG_SCRIPT_NAME=$(basename "$0")
|
2016-04-01 16:48:31 +02:00
|
|
|
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
|
|
|
|
# Variable initialization, to avoid crash
|
2019-03-12 09:58:35 +01:00
|
|
|
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
|
2017-10-31 17:44:15 +01:00
|
|
|
BATCH_MODE=0
|
|
|
|
|
BATCH_OUTPUT=""
|
2016-04-01 16:48:31 +02:00
|
|
|
status=""
|
2017-05-18 18:40:09 +02:00
|
|
|
forcedstatus=""
|
2017-11-09 15:45:42 +01:00
|
|
|
SUDO_CMD=""
|
2021-11-30 18:42:33 +01:00
|
|
|
SAVED_LOGLEVEL=""
|
2022-01-31 15:38:38 +01:00
|
|
|
ACTIONS_DONE=0
|
2021-02-08 13:54:24 +01:00
|
|
|
|
2021-11-30 18:42:33 +01:00
|
|
|
if [ -n "${LOGLEVEL:-}" ]; then
|
|
|
|
|
SAVED_LOGLEVEL=$LOGLEVEL
|
|
|
|
|
fi
|
2020-12-07 13:26:51 +01:00
|
|
|
# shellcheck source=../etc/hardening.cfg
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_CONF_DIR}"/hardening.cfg ] && . "${CIS_CONF_DIR}"/hardening.cfg
|
2021-11-30 18:42:33 +01:00
|
|
|
if [ -n "$SAVED_LOGLEVEL" ]; then
|
|
|
|
|
LOGLEVEL=$SAVED_LOGLEVEL
|
|
|
|
|
fi
|
2020-12-07 13:26:51 +01:00
|
|
|
# shellcheck source=../lib/common.sh
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_LIB_DIR}"/common.sh ] && . "${CIS_LIB_DIR}"/common.sh
|
2020-12-07 13:26:51 +01:00
|
|
|
# shellcheck source=../lib/utils.sh
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_LIB_DIR}"/utils.sh ] && . "${CIS_LIB_DIR}"/utils.sh
|
2021-02-08 13:54:24 +01:00
|
|
|
# shellcheck source=constants.sh
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
|
2016-04-01 16:48:31 +02:00
|
|
|
|
|
|
|
|
# Environment Sanitizing
|
|
|
|
|
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
|
|
|
|
|
2016-04-17 23:10:47 +02:00
|
|
|
# Arguments parsing
|
2020-12-07 14:53:10 +01:00
|
|
|
while [[ $# -gt 0 ]]; do
|
2016-04-17 23:10:47 +02:00
|
|
|
ARG="$1"
|
|
|
|
|
case $ARG in
|
2020-12-04 14:08:01 +01:00
|
|
|
--audit-all)
|
|
|
|
|
debug "Audit all specified, setting status to audit regardless of configuration"
|
|
|
|
|
forcedstatus=auditall
|
2016-04-19 19:26:04 +02:00
|
|
|
;;
|
2020-12-04 14:08:01 +01:00
|
|
|
--audit)
|
2020-12-04 15:29:19 +01:00
|
|
|
if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
|
2016-04-17 23:10:47 +02:00
|
|
|
debug "Audit argument detected, setting status to audit"
|
2017-05-18 18:40:09 +02:00
|
|
|
forcedstatus=audit
|
2016-04-17 23:10:47 +02:00
|
|
|
else
|
|
|
|
|
info "Audit argument passed but script is disabled"
|
|
|
|
|
fi
|
|
|
|
|
;;
|
2020-12-04 14:08:01 +01:00
|
|
|
--create-config-files-only)
|
|
|
|
|
debug "Create config files"
|
|
|
|
|
forcedstatus=createconfig
|
2020-11-20 10:05:14 +01:00
|
|
|
;;
|
2020-12-04 14:08:01 +01:00
|
|
|
--sudo)
|
2018-03-16 12:06:56 +01:00
|
|
|
SUDO_CMD="sudo_wrapper"
|
2017-11-09 15:45:42 +01:00
|
|
|
;;
|
2020-12-04 14:08:01 +01:00
|
|
|
--batch)
|
|
|
|
|
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
|
|
|
|
|
BATCH_MODE=1
|
|
|
|
|
LOGLEVEL=ok
|
2020-12-07 13:26:51 +01:00
|
|
|
# shellcheck source=../lib/common.sh
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_LIB_DIR}"/common.sh ] && . "${CIS_LIB_DIR}"/common.sh
|
2017-10-31 17:44:15 +01:00
|
|
|
;;
|
2020-12-04 14:08:01 +01:00
|
|
|
*)
|
|
|
|
|
debug "Unknown option passed"
|
2016-04-17 23:10:47 +02:00
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
shift
|
|
|
|
|
done
|
|
|
|
|
|
2017-10-31 17:44:15 +01:00
|
|
|
info "Working on $SCRIPT_NAME"
|
|
|
|
|
info "[DESCRIPTION] $DESCRIPTION"
|
|
|
|
|
|
2017-05-18 18:40:09 +02:00
|
|
|
# Source specific configuration file
|
2023-09-25 14:24:01 +02:00
|
|
|
if ! [ -r "${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg ]; then
|
2017-05-18 18:40:09 +02:00
|
|
|
# If it doesn't exist, create it with default values
|
2023-09-25 14:24:01 +02:00
|
|
|
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
|
2017-05-18 18:40:09 +02:00
|
|
|
# If create_config is a defined function, execute it.
|
|
|
|
|
# Otherwise, just disable the test by default.
|
2020-12-04 14:08:01 +01:00
|
|
|
if type -t create_config | grep -qw function; then
|
2023-09-25 14:24:01 +02:00
|
|
|
create_config >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
|
2017-05-18 18:40:09 +02:00
|
|
|
else
|
2023-09-25 14:24:01 +02:00
|
|
|
echo "status=audit" >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
|
2017-05-18 18:40:09 +02:00
|
|
|
fi
|
2020-11-20 10:05:14 +01:00
|
|
|
|
2017-05-18 18:40:09 +02:00
|
|
|
fi
|
2020-11-20 10:05:14 +01:00
|
|
|
|
2020-12-04 14:08:01 +01:00
|
|
|
if [ "$forcedstatus" = "createconfig" ]; then
|
2023-09-25 14:24:01 +02:00
|
|
|
debug "${CIS_CONF_DIR}/conf.d/$SCRIPT_NAME.cfg has been created"
|
2020-11-20 10:05:14 +01:00
|
|
|
exit 0
|
|
|
|
|
fi
|
2020-12-07 13:26:51 +01:00
|
|
|
# shellcheck source=/dev/null
|
2023-09-25 14:24:01 +02:00
|
|
|
[ -r "${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg ] && . "${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
|
2017-05-18 18:40:09 +02:00
|
|
|
|
|
|
|
|
# Now check configured value for status, and potential cmdline parameter
|
2020-12-04 14:08:01 +01:00
|
|
|
if [ "$forcedstatus" = "auditall" ]; then
|
2017-05-18 18:40:09 +02:00
|
|
|
# We want to audit even disabled script, so override config value in any case
|
|
|
|
|
status=audit
|
2020-12-04 14:08:01 +01:00
|
|
|
elif [ "$forcedstatus" = "audit" ]; then
|
2017-05-18 18:40:09 +02:00
|
|
|
# We want to audit only enabled scripts
|
2020-12-04 15:29:19 +01:00
|
|
|
if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
|
2017-05-18 18:40:09 +02:00
|
|
|
debug "Audit argument detected, setting status to audit"
|
|
|
|
|
status=audit
|
|
|
|
|
else
|
|
|
|
|
info "Audit argument passed but script is disabled"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2020-12-07 17:11:32 +01:00
|
|
|
if [ -z "$status" ]; then
|
2017-05-18 18:40:09 +02:00
|
|
|
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
|
2017-10-31 17:44:15 +01:00
|
|
|
|
2017-05-18 18:40:09 +02:00
|
|
|
exit 2
|
|
|
|
|
fi
|
|
|
|
|
|
2022-01-31 15:38:38 +01:00
|
|
|
# We want to trap unexpected failures in check scripts
|
|
|
|
|
trap exception EXIT
|
|
|
|
|
|
2016-04-01 16:48:31 +02:00
|
|
|
case $status in
|
2020-12-04 14:08:01 +01:00
|
|
|
enabled | true)
|
|
|
|
|
info "Checking Configuration"
|
|
|
|
|
check_config
|
|
|
|
|
info "Performing audit"
|
|
|
|
|
audit # Perform audit
|
|
|
|
|
info "Applying Hardening"
|
|
|
|
|
apply # Perform hardening
|
|
|
|
|
;;
|
|
|
|
|
audit)
|
|
|
|
|
info "Checking Configuration"
|
|
|
|
|
check_config
|
|
|
|
|
info "Performing audit"
|
|
|
|
|
audit # Perform audit
|
|
|
|
|
;;
|
|
|
|
|
disabled | false)
|
|
|
|
|
info "$SCRIPT_NAME is disabled, ignoring"
|
2022-01-31 15:38:38 +01:00
|
|
|
ACTIONS_DONE=1
|
2020-12-04 14:08:01 +01:00
|
|
|
exit 2 # Means unknown status
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
|
|
|
|
|
;;
|
2016-04-01 16:48:31 +02:00
|
|
|
esac
|
2016-04-17 23:10:47 +02:00
|
|
|
|
2022-01-31 15:38:38 +01:00
|
|
|
ACTIONS_DONE=1
|
|
|
|
|
|
2020-12-07 17:11:32 +01:00
|
|
|
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
|
2020-12-10 09:50:33 +01:00
|
|
|
if [ "$BATCH_MODE" -eq 1 ]; then
|
2017-10-31 17:44:15 +01:00
|
|
|
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
|
2020-12-07 17:11:32 +01:00
|
|
|
becho "$BATCH_OUTPUT"
|
2017-10-31 17:44:15 +01:00
|
|
|
else
|
|
|
|
|
ok "Check Passed"
|
|
|
|
|
fi
|
2019-03-12 09:58:35 +01:00
|
|
|
exit 0 # Means ok status
|
2016-04-17 23:10:47 +02:00
|
|
|
else
|
2020-12-07 17:11:32 +01:00
|
|
|
if [ "$BATCH_MODE" -eq 1 ]; then
|
2017-10-31 17:44:15 +01:00
|
|
|
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
|
2020-12-07 17:11:32 +01:00
|
|
|
becho "$BATCH_OUTPUT"
|
2017-10-31 17:44:15 +01:00
|
|
|
else
|
|
|
|
|
crit "Check Failed"
|
|
|
|
|
fi
|
2016-04-17 23:19:41 +02:00
|
|
|
exit 1 # Means critical status
|
2016-04-17 23:10:47 +02:00
|
|
|
fi
|
