mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 14:05:23 +01:00
IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
This commit is contained in:
parent
6efefa07ac
commit
6127f2fe67
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||
|
||||
FILE='/etc/systemd/journald.conf'
|
||||
OPTIONS='ForwardToSyslog=yes'
|
||||
OPTIONS='ForwardToSyslog=no'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
@ -34,9 +34,9 @@ audit() {
|
||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
crit "$PATTERN is present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -57,18 +57,18 @@ apply() {
|
||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE, deleting it"
|
||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||
else
|
||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||
|
||||
FILE='/etc/systemd/journald.conf'
|
||||
OPTIONS='Compress=yes'
|
||||
OPTIONS='Compress=no'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
@ -34,9 +34,9 @@ audit() {
|
||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
crit "$PATTERN is present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -57,18 +57,18 @@ apply() {
|
||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||
else
|
||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
@ -62,7 +62,7 @@ apply() {
|
||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
||||
add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
else
|
||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||
|
@ -3,7 +3,6 @@
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
@ -13,7 +12,7 @@ test_audit() {
|
||||
echo "ForwardToSyslog=no" >>"$FILE"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "$FILE exists, checking configuration"
|
||||
register_test contain "is not present in $FILE"
|
||||
register_test contain "is present in $FILE"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
@ -22,6 +21,6 @@ test_audit() {
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "is present in $FILE"
|
||||
register_test contain "is not present in $FILE"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -13,7 +13,7 @@ test_audit() {
|
||||
echo "Compress=no" >>"$FILE"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "$FILE exists, checking configuration"
|
||||
register_test contain "is not present in $FILE"
|
||||
register_test contain "is present in $FILE"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
@ -22,6 +22,6 @@ test_audit() {
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "is present in $FILE"
|
||||
register_test contain "is not present in $FILE"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user