add hardening templating and several enhancements

lib/common.sh

@@ -46,9 +46,9 @@ _logger() {
     COLOR=$1
     shift
     test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
-    SCRIPT_NAME=$(printf "%-25.25s" "$SCRIPT_NAME")
     builtin echo "$*" | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"
-    cecho $COLOR "$SCRIPT_NAME $*"
+    SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
+    cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
 }
 
 cecho () {
@@ -72,7 +72,7 @@ ok () {
 }
 
 info () {
-    if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger $BWHITE "[INFO] $*"; fi
+    if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger ''      "[INFO] $*"; fi
 }
 
 debug () {

lib/main.sh

@@ -3,37 +3,30 @@ SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
 CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
 status=""
+forcedstatus=""
 
 [ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
 [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
 
-# Source specific configuration file
-[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
-
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
 
 info "Working on $SCRIPT_NAME"
 
-if [ -z $status ]; then
-    crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
-    exit 2
-fi
-
 # Arguments parsing
 while [[ $# > 0 ]]; do
     ARG="$1"
     case $ARG in
         --audit-all)
             debug "Audit all specified, setting status to audit regardless of configuration"
-            status=audit
+            forcedstatus=auditall
         ;;
         --audit)
-        if [ $status != 'disabled' -a $status != 'false' ]; then
+        if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
             debug "Audit argument detected, setting status to audit"
-            status=audit
+            forcedstatus=audit
         else
             info "Audit argument passed but script is disabled"
         fi
@@ -45,6 +38,39 @@ while [[ $# > 0 ]]; do
     shift
 done
 
+# Source specific configuration file
+if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
+    # If it doesn't exist, create it with default values
+    echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    # If create_config is a defined function, execute it.
+    # Otherwise, just disable the test by default.
+    if type -t create_config | grep -qw function ; then
+        create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    else
+        echo "status=disabled" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    fi
+fi
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+# Now check configured value for status, and potential cmdline parameter
+if [ "$forcedstatus" = "auditall" ] ; then
+    # We want to audit even disabled script, so override config value in any case
+    status=audit
+elif [ "$forcedstatus" = "audit" ] ; then
+    # We want to audit only enabled scripts
+    if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
+        debug "Audit argument detected, setting status to audit"
+        status=audit
+    else
+        info "Audit argument passed but script is disabled"
+    fi
+fi
+
+if [ -z $status ]; then
+    crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+    exit 2
+fi
+
 case $status in
     enabled | true )
         info "Checking Configuration"

lib/utils.sh

@@ -204,9 +204,17 @@ is_service_enabled() {
 #
 
 is_kernel_option_enabled() {
-    local KERNEL_OPTION=$1
-    RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") || :
-    ANSWER=$(cut -d = -f 2 <<< $RESULT)
+    local KERNEL_OPTION="$1"
+    local MODULE_NAME=""
+    if [ $# -ge 2 ] ; then
+        MODULE_NAME="$2"
+    fi
+    if [ -r "/proc/config.gz" ] ; then
+        RESULT=$(zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
+    elif [ -r "/boot/config-$(uname -r)" ] ; then
+        RESULT=$(grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
+    fi
+    ANSWER=$(cut -d = -f 2 <<< "$RESULT")
     if [ "x$ANSWER" = "xy" ]; then
         debug "Kernel option $KERNEL_OPTION enabled"
         FNRET=0
@@ -217,6 +225,25 @@ is_kernel_option_enabled() {
         debug "Kernel option $KERNEL_OPTION not found"
         FNRET=2 # Not found
     fi
+
+    if [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ] ; then
+        # also check in modules, because even if not =y, maybe
+        # the admin compiled it separately later (or out-of-tree)
+        # as a module (regardless of the fact that we have =m or not)
+        debug "Checking if we have $MODULE_NAME.ko"
+        local modulefile=$(find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
+        if [ -n "$modulefile" ] ; then
+            debug "We do have $modulefile!"
+            # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
+            if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/ ; then
+                debug "... but it's blacklisted!"
+                FNRET=1 # Not found (found but blacklisted)
+                # FIXME: even if blacklisted, it might be present in the initrd and
+                # be insmod from there... but painful to check :/ maybe lsmod would be enough ?
+            fi
+            FNRET=0 # Found!
+        fi
+    fi
 }
 
 #