Check that package are installed before launching check (#69)

* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-06-24 03:24:34 +02:00 · 2021-03-25 14:01:57 +01:00
parent f8ac58700d
commit 1c51e4cec4
24 changed files with 561 additions and 409 deletions
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")

-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi

-    if [ -n "$RESULT_UNCONFINED" ]; then
-        ok "No profiles are unconfined"
-    else
-        crit "Some processes are unconfined while they have defined profile"
-    fi
-
-    if [ -n "$RESULT_COMPLAIN" ]; then
-        ok "No profiles are in complain mode"
-    else
-        crit "Some processes are in complain mode"
+        if [ -n "$RESULT_COMPLAIN" ]; then
+            ok "No profiles are in complain mode"
+        else
+            crit "Some processes are in complain mode"
+        fi
    fi
 }

@ -52,6 +55,7 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi