IMP(4.2.2.x): improve dealing with default conf

The default for journald is Compress=yes and ForwardToSyslog=yes So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
2025-06-23 02:54:35 +02:00 · 2021-01-20 09:21:08 +01:00
parent 6efefa07ac
commit 6127f2fe67
5 changed files with 20 additions and 21 deletions
--- a/bin/hardening/4.2.2.1_journald_logs.sh
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."

 FILE='/etc/systemd/journald.conf'
-OPTIONS='ForwardToSyslog=yes'
+OPTIONS='ForwardToSyslog=no'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -34,9 +34,9 @@ audit() {
            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
            else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
            fi
        done
    fi
@ -57,18 +57,18 @@ apply() {
        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            warn "$PATTERN is not present in $FILE, adding it"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PATTERN is present in $FILE, deleting it"
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
            fi
        else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
        fi
    done
 }
--- a/bin/hardening/4.2.2.2_journald_compress.sh
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."

 FILE='/etc/systemd/journald.conf'
-OPTIONS='Compress=yes'
+OPTIONS='Compress=no'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -34,9 +34,9 @@ audit() {
            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
            else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
            fi
        done
    fi
@ -57,18 +57,18 @@ apply() {
        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
            fi
        else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
        fi
    done
 }
--- a/bin/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
@ -62,7 +62,7 @@ apply() {
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"