IMP(shfmt): add shell formatter

This commit is contained in:
Thibault Ayanides
2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions


@@ -11,7 +11,7 @@ backup_file() {
crit "Cannot backup $FILE, it's not a file"
FNRET=1
else
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/" )
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
TARGET="$BACKUPDIR/$TARGET"
debug "Backuping $FILE to $TARGET"
cp -a $FILE $TARGET
@@ -19,29 +19,29 @@ backup_file() {
fi
}
#
# Logging functions
#
case $LOGLEVEL in
error )
MACHINE_LOG_LEVEL=1
;;
warning )
MACHINE_LOG_LEVEL=2
;;
ok )
MACHINE_LOG_LEVEL=3
;;
info )
MACHINE_LOG_LEVEL=4
;;
debug )
MACHINE_LOG_LEVEL=5
;;
*)
MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
error)
MACHINE_LOG_LEVEL=1
;;
warning)
MACHINE_LOG_LEVEL=2
;;
ok)
MACHINE_LOG_LEVEL=3
;;
info)
MACHINE_LOG_LEVEL=4
;;
debug)
MACHINE_LOG_LEVEL=5
;;
*)
MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
;;
esac
_logger() {
@@ -59,23 +59,23 @@ becho() {
builtin echo "$toprint"
}
cecho () {
cecho() {
COLOR=$1
shift
builtin echo -e "${COLOR}$*${NC}"
}
crit () {
crit() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
fi
# This variable incrementation is used to measure failure or success in tests
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1))
}
warn () {
warn() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
else
@@ -83,7 +83,7 @@ warn () {
fi
}
ok () {
ok() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
else
@@ -91,25 +91,23 @@ ok () {
fi
}
info () {
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
info() {
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
}
debug () {
debug() {
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
}
#
# sudo wrapper
# issue crit state if not allowed to perform sudo
# for the specified command
#
sudo_wrapper() {
if sudo -l "$@" >/dev/null 2>&1 ; then
if sudo -l "$@" >/dev/null 2>&1; then
sudo -n "$@"
else
crit "Not allowed to \"sudo -n $*\" "
fi
}
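Review bot: The permission probe in sudo_wrapper runs `sudo -l "$@"` without `-n`, while the real invocation on the next line uses `sudo -n "$@"`; when sudoers requires a password for the listing, the check can block on an interactive prompt (or fail behind a `2>&1` redirect) even though the script is meant to run unattended. Making the probe non-interactive as well, `if sudo -n -l "$@" >/dev/null 2>&1; then`, keeps both halves consistent and lets the `crit` branch fire instead of hanging. Separately, backup_file still passes `$FILE` and `$TARGET` unquoted to `cp -a` and pipes `$FILE` through `echo` unquoted, so a path containing whitespace or glob characters is mangled before it is backed up; `cp -a -- "$FILE" "$TARGET"` and `printf '%s\n' "$FILE" | sed ...` would close that. The `-s` flag on that sed call is GNU "separate files" mode and has no effect on a single stdin stream, so it can be dropped.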


@@ -14,10 +14,10 @@ WHITE='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
GRAY='\033[0;40m' # Gray
GRAY='\033[0;40m' # Gray
# Bold
BRED='\033[1;31m' # Red
BGREEN='\033[1;32m' # Green
BYELLOW='\033[1;33m' # Yellow
BWHITE='\033[1;37m' # White
BRED='\033[1;31m' # Red
BGREEN='\033[1;32m' # Green
BYELLOW='\033[1;33m' # Yellow
BWHITE='\033[1;37m' # White


@@ -11,10 +11,10 @@ status=""
forcedstatus=""
SUDO_CMD=""
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -23,11 +23,11 @@ export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
while [[ $# > 0 ]]; do
ARG="$1"
case $ARG in
--audit-all)
debug "Audit all specified, setting status to audit regardless of configuration"
forcedstatus=auditall
--audit-all)
debug "Audit all specified, setting status to audit regardless of configuration"
forcedstatus=auditall
;;
--audit)
--audit)
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
debug "Audit argument detected, setting status to audit"
forcedstatus=audit
@@ -35,21 +35,21 @@ while [[ $# > 0 ]]; do
info "Audit argument passed but script is disabled"
fi
;;
--create-config-files-only)
debug "Create config files"
forcedstatus=createconfig
--create-config-files-only)
debug "Create config files"
forcedstatus=createconfig
;;
--sudo)
--sudo)
SUDO_CMD="sudo_wrapper"
;;
--batch)
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
BATCH_MODE=1
LOGLEVEL=ok
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
--batch)
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
BATCH_MODE=1
LOGLEVEL=ok
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
;;
*)
debug "Unknown option passed"
*)
debug "Unknown option passed"
;;
esac
shift
@@ -59,20 +59,20 @@ info "Working on $SCRIPT_NAME"
info "[DESCRIPTION] $DESCRIPTION"
# Source specific configuration file
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
# If it doesn't exist, create it with default values
echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
# If create_config is a defined function, execute it.
# Otherwise, just disable the test by default.
if type -t create_config | grep -qw function ; then
create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
if type -t create_config | grep -qw function; then
create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
else
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
fi
fi
if [ "$forcedstatus" = "createconfig" ] ; then
if [ "$forcedstatus" = "createconfig" ]; then
debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
exit 0
fi
@@ -80,10 +80,10 @@ fi
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
# Now check configured value for status, and potential cmdline parameter
if [ "$forcedstatus" = "auditall" ] ; then
if [ "$forcedstatus" = "auditall" ]; then
# We want to audit even disabled script, so override config value in any case
status=audit
elif [ "$forcedstatus" = "audit" ] ; then
elif [ "$forcedstatus" = "audit" ]; then
# We want to audit only enabled scripts
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
debug "Audit argument detected, setting status to audit"
@@ -99,29 +99,28 @@ if [ -z $status ]; then
exit 2
fi
case $status in
enabled | true )
info "Checking Configuration"
check_config
info "Performing audit"
audit # Perform audit
info "Applying Hardening"
apply # Perform hardening
;;
audit )
info "Checking Configuration"
check_config
info "Performing audit"
audit # Perform audit
;;
disabled | false )
info "$SCRIPT_NAME is disabled, ignoring"
exit 2 # Means unknown status
;;
*)
warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
;;
enabled | true)
info "Checking Configuration"
check_config
info "Performing audit"
audit # Perform audit
info "Applying Hardening"
apply # Perform hardening
;;
audit)
info "Checking Configuration"
check_config
info "Performing audit"
audit # Perform audit
;;
disabled | false)
info "$SCRIPT_NAME is disabled, ignoring"
exit 2 # Means unknown status
;;
*)
warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
;;
esac
if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then

23
lib/shellfmt/launch_shellfmt.sh Executable file

@@ -0,0 +1,23 @@
#!/bin/bash
# run-shellcheck
if [ ! -f tmp/shfmt ]; then
wget -O tmp/shfmt https://github.com/mvdan/sh/releases/download/v3.2.0/shfmt_v3.2.0_linux_amd64
fi
chmod +x tmp/shfmt
files=""
retval=0
if [ "$#" -eq 0 ]; then
files=$(find . -name "*.sh" | sort -V)
else
files="$*"
fi
for f in $files; do
./tmp/shfmt -l -i 4 -w "$f"
done
exit "$retval"
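Review bot: The new helper fetches the shfmt release binary over the network and executes it without verifying a checksum or signature, so the repository's formatting step trusts whatever the download endpoint returns; pinning the version alone does not protect against a compromised or replaced asset. The download is also unchecked for failure: `chmod +x tmp/shfmt` runs regardless of wget's exit status, `tmp/` is assumed to exist, and `retval` is never set after initialisation, so a formatting or shfmt failure still exits 0 and cannot gate CI. I would record the expected SHA-256 from the release's checksum file, verify it before granting execute permission, and propagate shfmt's status into `retval`. The `for f in $files` word-splitting over `find` output is fine for this repository's filenames but breaks on paths with spaces; a `while IFS= read -r f` loop over `find ... -print0` would be the robust form.

```shell
#!/bin/bash
# run-shellcheck
SHFMT_VERSION="v3.2.0"
# expected digest of shfmt_${SHFMT_VERSION}_linux_amd64, taken from the release's sha256 checksum file
SHFMT_SHA256="<fill in from upstream release checksums>"
mkdir -p tmp
if [ ! -f tmp/shfmt ]; then
    wget -O tmp/shfmt "https://github.com/mvdan/sh/releases/download/${SHFMT_VERSION}/shfmt_${SHFMT_VERSION}_linux_amd64" || exit 1
fi
# refuse to run a binary that does not match the pinned digest
echo "${SHFMT_SHA256}  tmp/shfmt" | sha256sum -c - >/dev/null || exit 1
chmod +x tmp/shfmt
# … unchanged: files / retval initialisation and file selection …
for f in $files; do
    ./tmp/shfmt -l -i 4 -w "$f" || retval=1
done
exit "$retval"
```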


@@ -4,7 +4,7 @@
# run-shellcheck
#
# Sysctl
# Sysctl
#
has_sysctl_param_expected_result() {
@@ -24,14 +24,13 @@ has_sysctl_param_expected_result() {
does_sysctl_param_exists() {
local SYSCTL_PARAM=$1
if [ "$($SUDO_CMD sysctl -a 2>/dev/null |grep "$SYSCTL_PARAM" -c)" = 0 ]; then
if [ "$($SUDO_CMD sysctl -a 2>/dev/null | grep "$SYSCTL_PARAM" -c)" = 0 ]; then
FNRET=1
else
FNRET=0
fi
}
set_sysctl_param() {
local SYSCTL_PARAM=$1
local VALUE=$2
@@ -48,7 +47,7 @@ set_sysctl_param() {
}
#
# Dmesg
# Dmesg
#
does_pattern_exist_in_dmesg() {
@@ -61,7 +60,7 @@ does_pattern_exist_in_dmesg() {
}
#
# File
# File
#
does_file_exist() {
@@ -90,12 +89,12 @@ has_file_correct_ownership() {
has_file_correct_permissions() {
local FILE=$1
local PERMISSIONS=$2
if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
FNRET=0
else
FNRET=1
fi
fi
}
does_pattern_exist_in_file_nocase() {
@@ -114,7 +113,7 @@ _does_pattern_exist_in_file() {
local PATTERN="$*"
debug "Checking if $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ] ; then
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE"
if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then
debug "Pattern found in $FILE"
@@ -145,9 +144,9 @@ does_pattern_exist_in_file_multiline() {
local PATTERN="$*"
debug "Checking if multiline pattern: $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ] ; then
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN""
if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN" ); then
if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
debug "Pattern found in $FILE"
FNRET=0
else
@@ -166,9 +165,9 @@ add_end_of_file() {
debug "Adding $LINE at the end of $FILE"
backup_file "$FILE"
echo "$LINE" >> $FILE
echo "$LINE" >>$FILE
}
add_line_file_before_pattern() {
local FILE=$1
local LINE=$2
@@ -176,7 +175,7 @@ add_line_file_before_pattern() {
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" $FILE
FNRET=0
@@ -189,7 +188,7 @@ replace_in_file() {
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
SOURCE=$(sed 's@/@\\\/@g' <<< $SOURCE)
SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE)
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
FNRET=0
@@ -201,7 +200,7 @@ delete_line_in_file() {
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" $FILE
FNRET=0
@@ -244,7 +243,6 @@ is_service_enabled() {
fi
}
#
# Kernel Options checks
#
@@ -252,15 +250,15 @@ is_service_enabled() {
is_kernel_option_enabled() {
local KERNEL_OPTION="$1"
local MODULE_NAME=""
if [ $# -ge 2 ] ; then
if [ $# -ge 2 ]; then
MODULE_NAME="$2"
fi
if $SUDO_CMD [ -r "/proc/config.gz" ] ; then
if $SUDO_CMD [ -r "/proc/config.gz" ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ] ; then
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
fi
ANSWER=$(cut -d = -f 2 <<< "$RESULT")
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then
debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0
@@ -272,16 +270,16 @@ is_kernel_option_enabled() {
FNRET=2 # Not found
fi
if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ] ; then
if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ]; then
# also check in modules, because even if not =y, maybe
# the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko"
local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ] ; then
if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/ ; then
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted)
# FIXME: even if blacklisted, it might be present in the initrd and
@@ -359,7 +357,7 @@ add_option_to_fstab() {
local OPTION=$2
debug "Setting $OPTION for $PARTITION in fstab"
backup_file "/etc/fstab"
# For example :
# For example :
# /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2
# /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2
debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
@@ -373,17 +371,14 @@ remount_partition() {
}
#
# APT
# APT
#
apt_update_if_needed()
{
if [ -e /var/cache/apt/pkgcache.bin ]
then
UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) ))
apt_update_if_needed() {
if [ -e /var/cache/apt/pkgcache.bin ]; then
UPDATE_AGE=$(($(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin)))
if [ $UPDATE_AGE -gt 21600 ]
then
if [ $UPDATE_AGE -gt 21600 ]; then
# update too old, refresh database
$SUDO_CMD apt-get update -y >/dev/null 2>/dev/null
fi
@@ -392,12 +387,11 @@ apt_update_if_needed()
fi
}
apt_check_updates()
{
apt_check_updates() {
local NAME="$1"
local DETAILS="/dev/shm/${NAME}"
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
local COUNT=$(wc -l < "$DETAILS")
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
local COUNT=$(wc -l <"$DETAILS")
FNRET=128 # Unknown function return result
RESULT="" # Result output for upgrade
if [ $COUNT -gt 0 ]; then
@@ -410,22 +404,19 @@ apt_check_updates()
rm $DETAILS
}
apt_install()
{
apt_install() {
local PACKAGE=$1
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
FNRET=0
}
#
# Returns if a package is installed
#
is_pkg_installed()
{
is_pkg_installed() {
PKG_NAME=$1
if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
debug "$PKG_NAME is installed"
FNRET=0
else
@@ -434,11 +425,9 @@ is_pkg_installed()
fi
}
# Returns Debian major version
get_debian_major_version()
{
get_debian_major_version() {
DEB_MAJ_VER=""
does_file_exist /etc/debian_version
if [ $FNRET ]; then
@@ -447,4 +436,3 @@ get_debian_major_version()
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
fi
}
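Review bot: apt_check_updates writes its scratch output to a predictable path, `DETAILS="/dev/shm/${NAME}"`, in a world-writable directory and then redirects `apt-get upgrade -s` output into it with `>`; when the audit runs with `$SUDO_CMD` (root) a pre-placed symlink or file of the same name could redirect that write or feed a tampered list into the `wc -l` count below. A per-run temporary file closes this, `local DETAILS; DETAILS=$(mktemp) || return 1`, with the later `rm $DETAILS` becoming `rm -f -- "$DETAILS"`; the function's tail (the `rm`) sits in the following hunk. In the same file, is_pkg_installed uses `if $(dpkg -s $PKG_NAME ...)` which executes the pipeline's output as a command rather than testing its status (the pipeline prints nothing only because of `grep -q`); `if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then` expresses the intent directly, and the same `if $(...)` shape appears in _does_pattern_exist_in_file and does_pattern_exist_in_file_multiline.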