IMP(4.2.2.x): improve dealing with default conf

The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
This commit is contained in:
Thibault Ayanides 2021-01-20 09:21:08 +01:00 committed by Thibault Serti
parent 6efefa07ac
commit 6127f2fe67
5 changed files with 20 additions and 21 deletions

View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng."
FILE='/etc/systemd/journald.conf'
OPTIONS='ForwardToSyslog=yes'
OPTIONS='ForwardToSyslog=no'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -34,9 +34,9 @@ audit() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
ok "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
crit "$PATTERN is present in $FILE"
fi
done
fi
@ -57,18 +57,18 @@ apply() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, deleting it"
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
fi
else
ok "$PATTERN is present in $FILE"
ok "$PATTERN is not present in $FILE"
fi
done
}

View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng."
FILE='/etc/systemd/journald.conf'
OPTIONS='Compress=yes'
OPTIONS='Compress=no'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -34,9 +34,9 @@ audit() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
ok "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
crit "$PATTERN is present in $FILE"
fi
done
fi
@ -57,18 +57,18 @@ apply() {
debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
fi
else
ok "$PATTERN is present in $FILE"
ok "$PATTERN is not present in $FILE"
fi
done
}

View File

@ -62,7 +62,7 @@ apply() {
does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
else
info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"

View File

@ -3,7 +3,6 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@ -13,7 +12,7 @@ test_audit() {
echo "ForwardToSyslog=no" >>"$FILE"
register_test retvalshouldbe 1
register_test contain "$FILE exists, checking configuration"
register_test contain "is not present in $FILE"
register_test contain "is present in $FILE"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
@ -22,6 +21,6 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "is present in $FILE"
register_test contain "is not present in $FILE"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}

View File

@ -13,7 +13,7 @@ test_audit() {
echo "Compress=no" >>"$FILE"
register_test retvalshouldbe 1
register_test contain "$FILE exists, checking configuration"
register_test contain "is not present in $FILE"
register_test contain "is present in $FILE"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
@ -22,6 +22,6 @@ test_audit() {
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "is present in $FILE"
register_test contain "is not present in $FILE"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}