debian-cis/lib/common.sh

# shellcheck shell=bash
# CIS Debian Hardening common functions

# run-shellcheck
#
# File Backup functions
#
backup_file() {
    FILE=$1
    if [ ! -f $FILE ]; then
        crit "Cannot backup $FILE, it's not a file"
        FNRET=1
    else
        TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/" )
        TARGET="$BACKUPDIR/$TARGET"
        debug "Backuping $FILE to $TARGET"
        cp -a $FILE $TARGET
        FNRET=0
    fi
}


#
# Logging functions
#

case $LOGLEVEL in
    error )
        MACHINE_LOG_LEVEL=1
        ;;
    warning )
        MACHINE_LOG_LEVEL=2
        ;;
    ok )
        MACHINE_LOG_LEVEL=3
        ;;
    info )
        MACHINE_LOG_LEVEL=4
        ;;
    debug )
        MACHINE_LOG_LEVEL=5
        ;;
    *)
        MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
esac

_logger() {
    COLOR=$1
    shift
    test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
    builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"
    SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
    cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
}

becho() {
    toprint=$(echo "$*" | /usr/bin/tr '\n' ' ')
    builtin echo "$toprint" | /usr/bin/logger -t "CIS_Hardening[$$]" -p "user.info"
    builtin echo "$toprint"
}

cecho () {
    COLOR=$1
    shift
    builtin echo -e "${COLOR}$*${NC}"
}

crit () {
    if [ ${BATCH_MODE:-0} -eq 1 ]; then
        BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
    else
        if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
    fi
    # This variable incrementation is used to measure failure or success in tests
    CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
}

warn () {
    if [ ${BATCH_MODE:-0} -eq 1 ]; then
        BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
    else
        if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
    fi
}

ok () {
    if [ ${BATCH_MODE:-0} -eq 1 ]; then
        BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
    else
        if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
    fi
}

info () {
    if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger ''      "[INFO] $*"; fi
}

debug () {
    if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
}


#
# sudo wrapper
# issue crit state if not allowed to perform sudo
# for the specified command
#
sudo_wrapper() {
    if  sudo -l "$@" >/dev/null 2>&1 ; then
        sudo -n "$@"
    else
        crit "Not allowed to \"sudo -n $*\" "
    fi
}
IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00			`# shellcheck shell=bash`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening common functions`
Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00
IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
2.2_tmp_nodev.sh 2016-04-04 15:05:10 +02:00			`#`
			`# File Backup functions`
			`#`
			`backup_file() {`
			`FILE=$1`
			`if [ ! -f $FILE ]; then`
			`crit "Cannot backup $FILE, it's not a file"`
			`FNRET=1`
			`else`
Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 11:29:44 +02:00			`TARGET=$(echo $FILE \| sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/" )`
2.2_tmp_nodev.sh 2016-04-04 15:05:10 +02:00			`TARGET="$BACKUPDIR/$TARGET"`
			`debug "Backuping $FILE to $TARGET"`
			`cp -a $FILE $TARGET`
			`FNRET=0`
			`fi`
			`}`


			`#`
skeleton 2016-04-01 16:48:31 +02:00			`# Logging functions`
2.2_tmp_nodev.sh 2016-04-04 15:05:10 +02:00			`#`
skeleton 2016-04-01 16:48:31 +02:00
			`case $LOGLEVEL in`
			`error )`
			`MACHINE_LOG_LEVEL=1`
			`;;`
			`warning )`
			`MACHINE_LOG_LEVEL=2`
			`;;`
1.1 Install updates 2016-04-04 11:23:03 +02:00			`ok )`
skeleton 2016-04-01 16:48:31 +02:00			`MACHINE_LOG_LEVEL=3`
			`;;`
1.1 Install updates 2016-04-04 11:23:03 +02:00			`info )`
skeleton 2016-04-01 16:48:31 +02:00			`MACHINE_LOG_LEVEL=4`
			`;;`
1.1 Install updates 2016-04-04 11:23:03 +02:00			`debug )`
			`MACHINE_LOG_LEVEL=5`
			`;;`
skeleton 2016-04-01 16:48:31 +02:00			`*)`
1.1 Install updates 2016-04-04 11:23:03 +02:00			`MACHINE_LOG_LEVEL=4 ## Default loglevel value to info`
skeleton 2016-04-01 16:48:31 +02:00			`esac`

			`_logger() {`
			`COLOR=$1`
			`shift`
Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00			`test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)`
FIX: add becho to send batch output to syslog too becho stands for batch echo formats the log line for syslog Also logs audit summary into syslog (in batch mode only) 2019-02-06 17:25:16 +01:00			`builtin echo "$*" \| /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")`
			`cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"`
skeleton 2016-04-01 16:48:31 +02:00			`}`

FIX: add becho to send batch output to syslog too becho stands for batch echo formats the log line for syslog Also logs audit summary into syslog (in batch mode only) 2019-02-06 17:25:16 +01:00			`becho() {`
FIX(batch): sed \n to space in batch echo 2019-03-19 10:38:41 +01:00			`toprint=$(echo "$*" \| /usr/bin/tr '\n' ' ')`
			`builtin echo "$toprint" \| /usr/bin/logger -t "CIS_Hardening[$$]" -p "user.info"`
			`builtin echo "$toprint"`
FIX: add becho to send batch output to syslog too becho stands for batch echo formats the log line for syslog Also logs audit summary into syslog (in batch mode only) 2019-02-06 17:25:16 +01:00			`}`

skeleton 2016-04-01 16:48:31 +02:00			`cecho () {`
			`COLOR=$1`
			`shift`
Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 09:31:01 +02:00			`builtin echo -e "${COLOR}$*${NC}"`
skeleton 2016-04-01 16:48:31 +02:00			`}`

1.1 Install updates 2016-04-04 11:23:03 +02:00			`crit () {`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`if [ ${BATCH_MODE:-0} -eq 1 ]; then`
			`BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"`
			`else`
			`if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi`
			`fi`
Added argument parsing and test checks 2016-04-17 23:10:47 +02:00			`# This variable incrementation is used to measure failure or success in tests`
			`CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))`
skeleton 2016-04-01 16:48:31 +02:00			`}`

			`warn () {`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`if [ ${BATCH_MODE:-0} -eq 1 ]; then`
			`BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"`
			`else`
			`if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi`
			`fi`
skeleton 2016-04-01 16:48:31 +02:00			`}`

1.1 Install updates 2016-04-04 11:23:03 +02:00			`ok () {`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`if [ ${BATCH_MODE:-0} -eq 1 ]; then`
			`BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"`
			`else`
			`if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi`
			`fi`
1.1 Install updates 2016-04-04 11:23:03 +02:00			`}`

			`info () {`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi`
skeleton 2016-04-01 16:48:31 +02:00			`}`

			`debug () {`
log format correction, loglevel defaults to info 2016-04-18 14:01:03 +02:00			`if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi`
Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00			`}`
FEAT: Add sudo_wrapper to catch unauthorized sudo commands As for now, if a sudo command was not allowed, check might sometimes pass, resulting compliant state even if it actually is not. Sudo wrapper first checks wether command is allowed before running it, otherwise issues a crit message, setting check as not compliant Fix script to make sudo_wrapper work, split "find" lines Fix quotes in $@ and $* when running sudo command Fixed quotes and curly braces with shellcheck report 2018-03-16 12:06:56 +01:00

			`#`
			`# sudo wrapper`
			`# issue crit state if not allowed to perform sudo`
			`# for the specified command`
			`#`
			`sudo_wrapper() {`
			`if sudo -l "$@" >/dev/null 2>&1 ; then`
			`sudo -n "$@"`
			`else`
			`crit "Not allowed to \"sudo -n $*\" "`
			`fi`
			`}`