From 300095cfa14cce649f7fbab587c7e1bd9a029cc8 Mon Sep 17 00:00:00 2001
From: Damien Cavagnini
Date: Tue, 24 Jun 2025 10:30:20 +0200
Subject: [PATCH] feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12
---
 bin/hardening.sh | 23 +++++++++++++++++++++++
 debian/default | 1 +
 lib/main.sh | 31 +++++++++++++++++++++++++++----
 versions/README.md | 8 ++++++++
 versions/default | 1 +
 5 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 versions/README.md
 create mode 120000 versions/default
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 3420aac..786f87a 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -29,6 +29,7 @@ BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
+USED_VERSION="default"
 usage() {
 cat < + This option allows to run the scripts as defined for a specific CIS debian version.
+ Supported version are the folders listed in the "versions" folder.
+ examples:
+ --set-version debian_11
+ --set-version ovh_legacy
+ --summary-json While performing system audit, this option sets LOGLEVEL to silent and only output a json summary at the end
@@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
 ASK_LOGLEVEL=$2
 shift
 ;;
+ --set-version)
+ USED_VERSION=$2
+ shift
+ ;;
 --only)
 TEST_LIST[${#TEST_LIST[@]}]="$2"
 shift
@@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/constants.sh
 [ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
+# ensure the CIS version exists
+does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
+if [ "$FNRET" -ne 0 ]; then
+ echo "$USED_VERSION is not a valid version"
+ echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+ exit 1
+fi
+
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
+# update path for the remaining of the script
+CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
+
 if [ "$DISTRIBUTION" != "debian" ]; then
 echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
 if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
diff --git a/debian/default b/debian/default
index 488eb02..8b35518 100644
--- a/debian/default
+++ b/debian/default
@@ -5,3 +5,4 @@ CIS_LIB_DIR='/opt/cis-hardening/lib'
 CIS_CHECKS_DIR="/opt/cis-hardening/bin/hardening"
 CIS_CONF_DIR='/opt/cis-hardening/etc'
 CIS_TMP_DIR='/opt/cis-hardening/tmp'
+CIS_VERSIONS_DIR='/opt/cis-hardening/versions'
diff --git a/lib/main.sh b/lib/main.sh
index 0047d45..fbb6dd3 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -1,6 +1,7 @@
 # shellcheck shell=bash
 # run-shellcheck
+SCRIPT_FULL_PATH=$(realpath -s "$0")
 LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
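Review bot: `$USED_VERSION` is joined onto `$CIS_VERSIONS_DIR` without being restricted to a single path component, so a value such as `../../somewhere` or an absolute path passes the existence check and `CIS_CHECKS_DIR` ends up pointing outside the `versions` folder; the check should reject anything containing `/` and require a directory, e.g. `if [[ "$USED_VERSION" == */* || ! -d "$CIS_VERSIONS_DIR/$USED_VERSION" ]]; then`. Whether `does_file_exist` accepts a directory at all (the `default` entry is a symlink to one) is not visible in this hunk and is worth confirming. The new `CIS_CHECKS_DIR` assignment is also inserted between the `# If we're on a unsupported platform` comment and the `if [ "$DISTRIBUTION"` it describes; moving the two new lines above that comment keeps the comment attached to its code. `ls --hide` in the error message is GNU-only, which is acceptable for a Debian-targeted script but deserves a short comment.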
@@ -71,18 +72,40 @@ done
 info "Working on $SCRIPT_NAME"
 info "[DESCRIPTION] $DESCRIPTION"
+# check if the script is a link
+# if a file, script is executed from "bin/hardening", create a cfg file (if not already exists)
+# if a link, script is executed from "version"/X", create a link, or update it if already exits
+if [ -L "${SCRIPT_FULL_PATH}" ]; then
+ # script is a link
+ script_real_path=$(readlink -f "${SCRIPT_FULL_PATH}")
+ script_real_name=$(basename "$script_real_path")
+ cfg_file=$(basename -s .sh "$script_real_path").cfg
+ cfg_link="$SCRIPT_NAME".cfg
+else
+ # script is a file
+ script_real_name=$LONG_SCRIPT_NAME
+ cfg_file="$SCRIPT_NAME".cfg
+ cfg_link=""
+fi
+
 # Source specific configuration file
-if ! [ -r "${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg ]; then
+if ! [ -r "${CIS_CONF_DIR}"/conf.d/"$cfg_file" ]; then
 # If it doesn't exist, create it with default values
- echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+ echo "# Configuration for $script_real_name, created from default values on $(date)" >"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
 # If create_config is a defined function, execute it.
 # Otherwise, just disable the test by default.
 if type -t create_config | grep -qw function; then
- create_config >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+ create_config >>"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
 else
- echo "status=audit" >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+ echo "status=audit" >>"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
 fi
+fi
+if [ -n "$cfg_link" ]; then
+ if [ -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ]; then
+ rm -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
+ fi
+ ln -fs "${CIS_CONF_DIR}"/conf.d/"$cfg_file" "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
 fi
 if [ "$forcedstatus" = "createconfig" ]; then
diff --git a/versions/README.md b/versions/README.md
new file mode 100644
index 0000000..ce5b7ee
--- /dev/null
+++ b/versions/README.md
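Review bot: The `[ -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ]` test before `rm -f` is true for a regular file as well as for a symlink to one, so a real (non-link) configuration that already exists under the versioned name is deleted and silently replaced by the link, discarding whatever the operator had customised there. Since `ln -fs` already overwrites an existing symlink on its own, the `rm -f` branch only matters for the regular-file case, and that case should be logged and left alone rather than removed: `if [ -e "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ] && ! [ -L "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ]; then` followed by an `info` message and a skip, with the `ln -fs` in the `else` branch. The new header comment also has a quoting slip and a typo; I would write its last line as `# if a link, the script is executed from "versions/X": create the link, or update it if it already exists`. This is top-level code of a sourced file, and the surrounding statements continue outside the hunk.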
@@ -0,0 +1,8 @@
+Here, we'll add some folders to represent a specific CIS version to use.
+Each folder will contains links to adequat scripts
+
+Ex:
+debian12/
+ 1.1.1.1_disable_cramfs.sh ->../../bin/hardening/disable_cramfs.sh
+ 1.1.1.2_disable_freevxfs.sh ->../../bin/hardening/disable_freevxfs.sh
+ etc.
diff --git a/versions/default b/versions/default
new file mode 120000
index 0000000..82c82a4
--- /dev/null
+++ b/versions/default
@@ -0,0 +1 @@
+../bin/hardening
\ No newline at end of file