mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
This commit is contained in:
parent
6efefa07ac
commit
6127f2fe67
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
FILE='/etc/systemd/journald.conf'
|
FILE='/etc/systemd/journald.conf'
|
||||||
OPTIONS='ForwardToSyslog=yes'
|
OPTIONS='ForwardToSyslog=no'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -34,9 +34,9 @@ audit() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -57,18 +57,18 @@ apply() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILE, adding it"
|
warn "$PATTERN is present in $FILE, deleting it"
|
||||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||||
else
|
else
|
||||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
FILE='/etc/systemd/journald.conf'
|
FILE='/etc/systemd/journald.conf'
|
||||||
OPTIONS='Compress=yes'
|
OPTIONS='Compress=no'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -34,9 +34,9 @@ audit() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -57,18 +57,18 @@ apply() {
|
|||||||
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
|
||||||
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
|
||||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILE, adding it"
|
warn "$PATTERN is not present in $FILE, adding it"
|
||||||
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
|
||||||
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
|
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
|
||||||
else
|
else
|
||||||
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
|
||||||
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
|
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is not present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
@ -3,7 +3,6 @@
|
|||||||
test_audit() {
|
test_audit() {
|
||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
dismiss_count_for_test
|
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
@ -13,7 +12,7 @@ test_audit() {
|
|||||||
echo "ForwardToSyslog=no" >>"$FILE"
|
echo "ForwardToSyslog=no" >>"$FILE"
|
||||||
register_test retvalshouldbe 1
|
register_test retvalshouldbe 1
|
||||||
register_test contain "$FILE exists, checking configuration"
|
register_test contain "$FILE exists, checking configuration"
|
||||||
register_test contain "is not present in $FILE"
|
register_test contain "is present in $FILE"
|
||||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
describe correcting situation
|
describe correcting situation
|
||||||
@ -22,6 +21,6 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "is present in $FILE"
|
register_test contain "is not present in $FILE"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,7 +13,7 @@ test_audit() {
|
|||||||
echo "Compress=no" >>"$FILE"
|
echo "Compress=no" >>"$FILE"
|
||||||
register_test retvalshouldbe 1
|
register_test retvalshouldbe 1
|
||||||
register_test contain "$FILE exists, checking configuration"
|
register_test contain "$FILE exists, checking configuration"
|
||||||
register_test contain "is not present in $FILE"
|
register_test contain "is present in $FILE"
|
||||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
describe correcting situation
|
describe correcting situation
|
||||||
@ -22,6 +22,6 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "is present in $FILE"
|
register_test contain "is not present in $FILE"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user