add --audit-all-enable-passed, add info in README and help

This commit is contained in:
Stéphane Lesimple 2016-04-19 20:16:47 +02:00 committed by thibault.dewailly
parent 76811c8a7f
commit 55f9cae65c
2 changed files with 45 additions and 7 deletions

7
README
View File

@ -16,6 +16,7 @@
# Main script : # Main script :
# bin/hardening.sh : Will execute hardening according to configuration # bin/hardening.sh : Will execute hardening according to configuration
# Options are : # Options are :
# --apply : Will apply hardening when scripts have status enabled (RW), and audit points where status is audit (RO) # --apply : Will apply hardening when scripts have status enabled (RW), and audit points where status is audit (RO)
# --audit : Will audit hardening when scripts have status enabled or audit (RO) # --audit : Will audit hardening when scripts have status enabled or audit (RO)
# --audit-all : Apply audit (RO) on all scripts # --audit-all : Apply audit (RO) on all scripts
# --audit-all-enable-passed : Apply audit (RO) on all scripts, and *modify* configuration files to enable scripts that passed. In other words, this is an easy way to enable scripts for which you're already compliant. However, please always review each activated script afterwards, this option should only be regarded as a way to kickstart a configuration from scratch faster than otherwise. Don't run this if you have already customized the scripts enable/disable configurations, obviously.

View File

@ -19,13 +19,39 @@ TOTAL_TREATED_CHECKS=0
AUDIT=0 AUDIT=0
APPLY=0 APPLY=0
AUDIT_ALL=0 AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
usage() { usage() {
cat << EOF cat << EOF
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help > $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
--apply : Apply hardening if told in configuration
--audit : If script not disabled, audit configuration only --help -h
-h|--help : This help Show this help
--apply
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode.
--audit
Audit configuration for enabled scripts.
No modification will be made on the system, we'll only report on your system
compliance for each script.
--audit-all
Same as --audit, but for *all* scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled,
and might be a good starting point.
--audit-all-enable-passed
Same as --audit-all, but in addition, will *modify* the individual scripts
configurations to enable those which passed for your system.
This is an easy way to enable scripts for which you're already compliant.
However, please always review each activated script afterwards, this option
should only be regarded as a way to kickstart a configuration from scratch.
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
EOF EOF
exit 0 exit 0
} }
@ -44,6 +70,9 @@ while [[ $# > 0 ]]; do
--audit-all) --audit-all)
AUDIT_ALL=1 AUDIT_ALL=1
;; ;;
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
;;
--apply) --apply)
APPLY=1 APPLY=1
;; ;;
@ -83,6 +112,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh | sort -V); do
elif [ $AUDIT_ALL = 1 ]; then elif [ $AUDIT_ALL = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all $SCRIPT --audit-all
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all
elif [ $APPLY = 1 ]; then elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT $SCRIPT
@ -95,6 +127,11 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh | sort -V); do
0) 0)
debug "$SCRIPT passed" debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1)) PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
;; ;;
1) 1)
debug "$SCRIPT failed" debug "$SCRIPT failed"