debian-cis/bin/hardening/1.8_install_updates.sh

70 lines
1.9 KiB
Bash
Raw Normal View History

#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
First batch of renaming to comply to comply to 8v2 and 9 pdf renamed: 2.19_disable_freevxfs.sh -> 1.1.1.1_disable_freevxfs.sh renamed: 2.20_disable_jffs2.sh -> 1.1.1.2_disable_jffs2.sh renamed: 2.21_disable_hfs.sh -> 1.1.1.3_disable_hfs.sh renamed: 2.22_disable_hfsplus.sh -> 1.1.1.4_disable_hfsplus.sh renamed: 2.24_disable_udf.sh -> 1.1.1.5_disable_udf.sh renamed: 2.7_var_log_partition.sh -> 1.1.11_var_log_partition.sh renamed: 2.8_var_log_audit_partition.sh -> 1.1.12_var_log_audit_partition.sh renamed: 2.9_home_partition.sh -> 1.1.13_home_partition.sh renamed: 2.10_home_nodev.sh -> 1.1.14_home_nodev.sh renamed: 2.14_run_shm_nodev.sh -> 1.1.15_run_shm_nodev.sh renamed: 2.15_run_shm_nosuid.sh -> 1.1.16_run_shm_nosuid.sh renamed: 2.16_run_shm_noexec.sh -> 1.1.17_run_shm_noexec.sh renamed: 2.11_removable_device_nodev.sh -> 1.1.18_removable_device_nodev.sh renamed: 2.13_removable_device_nosuid.sh -> 1.1.19_removable_device_nosuid.sh renamed: 2.12_removable_device_noexec.sh -> 1.1.20_removable_device_noexec.sh renamed: 2.17_sticky_bit_world_writable_folder.sh -> 1.1.21_sticky_bit_world_writable_folder.sh renamed: 2.25_disable_automounting.sh -> 1.1.22_disable_automounting.sh renamed: 2.1_tmp_partition.sh -> 1.1.2_tmp_partition.sh renamed: 2.2_tmp_nodev.sh -> 1.1.3_tmp_nodev.sh renamed: 2.3_tmp_nosuid.sh -> 1.1.4_tmp_nosuid.sh renamed: 2.4_tmp_noexec.sh -> 1.1.5_tmp_noexec.sh renamed: 2.5_var_partition.sh -> 1.1.6_var_partition.sh renamed: 1.1_install_updates.sh -> 1.8_install_updates.sh
2019-08-27 15:30:47 +02:00
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode
audit () {
2016-04-04 11:23:03 +02:00
info "Checking if apt needs an update"
apt_update_if_needed
info "Fetching upgrades ..."
apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then
2016-04-17 23:10:47 +02:00
crit "$RESULT"
2016-04-04 11:23:03 +02:00
FNRET=1
else
ok "No upgrades available"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
2016-04-04 11:23:03 +02:00
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
ok "No Upgrades to apply"
fi
}
2016-04-01 16:48:31 +02:00
# This function will check config parameters required
check_config() {
2016-04-04 11:23:03 +02:00
# No parameters for this function
2016-04-01 16:48:31 +02:00
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
2016-04-18 17:39:14 +02:00
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
2016-04-04 11:23:03 +02:00
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi