elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixup! IMP(4.5): rename to 1.6.1.2 improve test

Browse Source
This commit is contained in:
Thibault Ayanides 2020-11-17 13:02:02 +01:00
parent d244a2e810
commit 467e5f178c
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -27,12 +27,18 @@ audit () {
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured" crit "$line is not configured"
ERROR=1 ERROR=1
fi fi
done done
IFS=$d_IFS
if [ $ERROR = 0 ]; then if [ $ERROR = 0 ]; then
ok "$PACKAGE is configured" ok "$PACKAGE is configured"
@ -47,15 +53,22 @@ apply () {
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured" crit "$line is not configured"
ERROR=1 ERROR=1
fi fi
done done
IFS=$d_IFS
if [ $ERROR = 1 ]; then if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub $SUDO_CMD update-grub