add hardening templating and several enhancements

2025-06-23 11:04:32 +02:00 · 2017-05-18 18:40:09 +02:00
parent 2ef500298b
commit 676b17c54f
386 changed files with 701 additions and 449 deletions
--- a/lib/main.sh
+++ b/lib/main.sh
@ -3,37 +3,30 @@ SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
 CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
 status=""
+forcedstatus=""

 [ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
 [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh

-# Source specific configuration file
-[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
-
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

 info "Working on $SCRIPT_NAME"

-if [ -z $status ]; then
-    crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
-    exit 2
-fi
-
 # Arguments parsing
 while [[ $# > 0 ]]; do
    ARG="$1"
    case $ARG in
        --audit-all)
            debug "Audit all specified, setting status to audit regardless of configuration"
-            status=audit
+            forcedstatus=auditall
        ;;
        --audit)
-        if [ $status != 'disabled' -a $status != 'false' ]; then
+        if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
            debug "Audit argument detected, setting status to audit"
-            status=audit
+            forcedstatus=audit
        else
            info "Audit argument passed but script is disabled"
        fi
@ -45,6 +38,39 @@ while [[ $# > 0 ]]; do
    shift
 done

+# Source specific configuration file
+if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
+    # If it doesn't exist, create it with default values
+    echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    # If create_config is a defined function, execute it.
+    # Otherwise, just disable the test by default.
+    if type -t create_config | grep -qw function ; then
+        create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    else
+        echo "status=disabled" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    fi
+fi
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+# Now check configured value for status, and potential cmdline parameter
+if [ "$forcedstatus" = "auditall" ] ; then
+    # We want to audit even disabled script, so override config value in any case
+    status=audit
+elif [ "$forcedstatus" = "audit" ] ; then
+    # We want to audit only enabled scripts
+    if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
+        debug "Audit argument detected, setting status to audit"
+        status=audit
+    else
+        info "Audit argument passed but script is disabled"
+    fi
+fi
+
+if [ -z $status ]; then
+    crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+    exit 2
+fi
+
 case $status in
    enabled | true )
        info "Checking Configuration"