elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

add --audit-all-enable-passed, add info in README and help

Browse Source
This commit is contained in:
Stéphane Lesimple 2016-04-19 20:16:47 +02:00 committed by thibault.dewailly
parent 8d84f38c97
commit 1d7865dd68
2 changed files with 45 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README
View File

@ -16,6 +16,7 @@
# Main script :
# bin/hardening.sh : Will execute hardening according to configuration
# Options are :
# --apply : Will apply hardening when scripts have status enabled (RW), and audit points where status is audit (RO)
# --audit : Will audit hardening when scripts have status enabled or audit (RO)
# --audit-all : Apply audit (RO) on all scripts
# --apply : Will apply hardening when scripts have status enabled (RW), and audit points where status is audit (RO)
# --audit : Will audit hardening when scripts have status enabled or audit (RO)
# --audit-all : Apply audit (RO) on all scripts
# --audit-all-enable-passed : Apply audit (RO) on all scripts, and *modify* configuration files to enable scripts that passed. In other words, this is an easy way to enable scripts for which you're already compliant. However, please always review each activated script afterwards, this option should only be regarded as a way to kickstart a configuration from scratch faster than otherwise. Don't run this if you have already customized the scripts enable/disable configurations, obviously.

45
bin/hardening.sh
View File

@ -19,13 +19,39 @@ TOTAL_TREATED_CHECKS=0
AUDIT=0
APPLY=0
AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
usage() {
cat << EOF
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
--apply : Apply hardening if told in configuration
--audit : If script not disabled, audit configuration only
-h|--help : This help
$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
--help -h
Show this help
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
--audit
Audit configuration for enabled scripts.
No modification will be made on the system, we'll only report on your system
compliance for each script.
--audit-all
Same as --audit, but for *all* scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled,
and might be a good starting point.
--audit-all-enable-passed
Same as --audit-all, but in addition, will *modify* the individual scripts
configurations to enable those which passed for your system.
This is an easy way to enable scripts for which you're already compliant.
However, please always review each activated script afterwards, this option
should only be regarded as a way to kickstart a configuration from scratch.
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
EOF
exit 0
}
@ -44,6 +70,9 @@ while [[ $# > 0 ]]; do
--audit-all)
AUDIT_ALL=1
;;
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
;;
--apply)
APPLY=1
;;
@ -83,6 +112,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh | sort -V); do
elif [ $AUDIT_ALL = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT
@ -95,6 +127,11 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh | sort -V); do
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
;;
1)
debug "$SCRIPT failed"