IMP: add multiple Improvements

* add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel
2025-06-23 19:14:34 +02:00 · 2021-02-04 16:21:49 +01:00
parent ec9e2addc2
commit 0b6ea0d97e
22 changed files with 362 additions and 165 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+ASK_LOGLEVEL=''

 usage() {
    cat <<EOF
@ -98,6 +99,10 @@ OPTIONS:
        the '-n' option instructs sudo not to prompt for a password.
        Finally note that '--sudo' mode only works for audit mode.

+    --set-log-level <level>
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        Default value is : info
+
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
@ -143,6 +148,10 @@ while [[ $# -gt 0 ]]; do
        SET_HARDENING_LEVEL="$2"
        shift
        ;;
+    --set-log-level)
+        ASK_LOGLEVEL=$2
+        shift
+        ;;
    --only)
        TEST_LIST[${#TEST_LIST[@]}]="$2"
        shift
@ -152,7 +161,7 @@ while [[ $# -gt 0 ]]; do
        ;;
    --batch)
        BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
        ;;
    -h | --help)
        usage
@ -183,13 +192,12 @@ fi
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh

-if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
-
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
    declare -a HARDENING_EXCEPTIONS_LIST