From 6aa74d61883543b39e872c855b3f1dc4162a66e6 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Mon, 4 Apr 2016 11:23:03 +0200
Subject: [PATCH] 1.1 Install updates

---
 bin/hardening/1.1_Install_Updates.sh | 21 +++++++++++++++--
 lib/common.sh                        | 23 +++++++++++-------
 lib/main.sh                          |  6 ++++-
 lib/utils.sh                         | 35 ++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 11 deletions(-)

diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh
index 40d0d5a..70f720f 100755
--- a/bin/hardening/1.1_Install_Updates.sh
+++ b/bin/hardening/1.1_Install_Updates.sh
@@ -13,16 +13,32 @@ set -u # One variable unset, it's over
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    :
+    info "Checking if apt needs an update"
+    apt_update_if_needed
+    info "Fetching upgrades ..."
+    apt_check_updates "CIS_APT"
+    if [ $FNRET -gt 0 ]; then
+        warn "$RESULT"
+        FNRET=1
+    else
+        ok "No upgrades available"
+        FNRET=0
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if [ $FNRET -gt 0 ]; then
+        info "Applying Upgrades..."
+        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
+    else
+        ok "No Upgrades to apply"
+    fi
 }
 
 # This function will check config parameters required
 check_config() {
+    # No parameters for this function
     :
 }
 
@@ -37,4 +53,5 @@ else
     fi
 fi
 
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 [ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/lib/common.sh b/lib/common.sh
index 1a64f3d..cadf77e 100644
--- a/lib/common.sh
+++ b/lib/common.sh
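Review bot: In `apply`, the exit status of `apt-get ... upgrade -y` is ignored, so a failed or partially failed upgrade leaves FNRET=1 from `audit` and produces no log line saying the hardening step did not complete; wrap the call, e.g. `if ! DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y; then crit "apt-get upgrade failed"; fi`. `apply` also depends on FNRET having been set by `audit` earlier in the same run — under the file's `set -u` a standalone call aborts with "unbound variable" — which is presumably fine given main.sh always runs `audit` first, but deserves a comment such as `# FNRET is set by audit(), which main.sh runs before apply()`. Note too that `upgrade` rather than `dist-upgrade` skips packages whose dependency set changes (kernel images are the usual case), so some pending security updates may stay uninstalled; whether that is acceptable for the CIS 1.1 control is a policy choice worth stating in the header comment.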
@@ -9,14 +9,17 @@ case $LOGLEVEL in
     warning )
         MACHINE_LOG_LEVEL=2
         ;;
-    info )
+    ok )
         MACHINE_LOG_LEVEL=3
         ;;
-    debug )
+    info )
         MACHINE_LOG_LEVEL=4
         ;;
+    debug )
+        MACHINE_LOG_LEVEL=5
+        ;;
     *)
-        MACHINE_LOG_LEVEL=3 ## Default loglevel value to info
+        MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
 esac
 
 _logger() {
@@ -33,18 +36,22 @@ cecho () {
     echo -e "${COLOR}$*${NC}"
 }
 
-info () {
-    [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"
+crit () {
+    [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
 }
 
 warn () {
     [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
 }
 
-crit () {
-    [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+ok () {
+    [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BGREEN "[ OK ] $*"
+}
+
+info () {
+    [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*"
 }
 
 debug () {
-    [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*"
+    [ $MACHINE_LOG_LEVEL -ge 5 ] && _logger $GRAY "[DBG ] $*"
 }
diff --git a/lib/main.sh b/lib/main.sh
index 69e554c..3cfcdc3 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -22,13 +22,17 @@ if [ -z $status ]; then
 fi
 
 case $status in
-    enabled | true )
+    enabled | true )
+        info "Checking Configuration"
+        check_config
         info "Performing audit"
         audit # Perform audit
         info "Applying Hardening"
         apply # Perform hardening
         ;;
     audit )
+        info "Checking Configuration"
+        check_config
         info "Performing audit"
         audit # Perform audit
         ;;
diff --git a/lib/utils.sh b/lib/utils.sh
index de09676..ce93991 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
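Review bot: The new `ok` follows the `[ $MACHINE_LOG_LEVEL -ge 3 ] && _logger …` idiom of its siblings, so whenever LOGLEVEL filters the message out the function returns 1. Callers use these as plain statements — `ok "No Upgrades to apply"` is the last command of a branch in 1.1_Install_Updates.sh, so `apply`'s own exit status becomes 1 on a quiet run — and any script run under `set -e`, or anything testing `$?` after a log call, would see a spurious failure; I cannot see from this patch whether `set -e` is in use anywhere, but a `return 0` as the last line of `ok` (and of the other logging functions) removes the hazard for one line each. The changed default branch maps any unrecognised LOGLEVEL value to 4 silently, so a misspelt level is accepted without notice; that is presumably intended but a short comment saying so would help.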
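Review bot: `check_config` is now called in both branches but its result is never consulted, so a script whose configuration check fails — whichever way it signals that, exit status or FNRET, neither is visible here — still proceeds to `audit` and, in the `enabled | true` branch, to `apply`, i.e. hardening runs against an invalid or incomplete configuration. If the convention is the exit status, `check_config || { crit "Invalid configuration"; exit 128; }` in both branches stops that; if the convention is FNRET, test that instead. The `case` statement is fully inside the hunk, but the `if [ -z $status ]` block it follows begins above it.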
@@ -16,3 +16,38 @@ is_installed()
 }
 
+# contains helper functions to work with apt
+
+apt_update_if_needed()
+{
+    if [ -e /var/cache/apt/pkgcache.bin ]
+    then
+        UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) ))
+
+        if [ $UPDATE_AGE -gt 21600 ]
+        then
+            # update too old, refresh database
+            apt-get update -y >/dev/null 2>/dev/null
+        fi
+    else
+        apt-get update -y >/dev/null 2>/dev/null
+    fi
+}
+
+apt_check_updates()
+{
+    local NAME="$1"
+    local DETAILS="/dev/shm/${NAME}"
+    LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
+    local COUNT=$(wc -l < "$DETAILS")
+    FNRET=128 # Unknown function return result
+    RESULT="" # Result output for upgrade
+    if [ $COUNT -gt 0 ]; then
+        RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
+        FNRET=1
+    else
+        RESULT="OK, no updates available"
+        FNRET=0
+    fi
+    rm $DETAILS
+}
 
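Review bot: `apt_check_updates` redirects, as root, into a fixed and predictable path `/dev/shm/${NAME}` (`/dev/shm` is world-writable), so an unprivileged local user who pre-creates `/dev/shm/CIS_APT` as a symlink gets the `>` redirection to truncate an arbitrary file, and the `$(cat $DETAILS)` that follows pulls whatever they placed there into the report; the `rm` then removes only the link. Either create the file with `mktemp` and remove it from a trap, or — simpler — drop the file entirely and keep the grep output in a variable, as sketched below (the `NAME` argument is kept so the caller in 1.1_Install_Updates.sh needs no change). Separately, both `apt-get update` calls in `apt_update_if_needed` discard stdout and stderr and ignore the exit status, so a failed refresh (host offline, or a repository signature error) is silent and the subsequent `upgrade -s` reports "no updates" against a stale index; at minimum test the exit status and `warn` on failure. The mtime of pkgcache.bin is presumably refreshed by other apt operations as well, so it may not reflect the last successful `apt-get update` — worth confirming before relying on the 21600-second window.

```shell
apt_check_updates()
{
    local NAME="$1"  # kept for call compatibility; no longer used as a path
    # Hold the simulation output in a variable rather than at a fixed, predictable
    # path under the world-writable /dev/shm (symlink / pre-creation attacks).
    local DETAILS
    DETAILS=$(LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst") || :
    local COUNT=0
    [ -n "$DETAILS" ] && COUNT=$(printf '%s\n' "$DETAILS" | wc -l)
    # … unchanged: FNRET=128 / RESULT="" initialisation …
    if [ $COUNT -gt 0 ]; then
        RESULT="There is $COUNT updates available :\n$DETAILS"
    # … unchanged: FNRET=1, else branch, fi — the trailing rm is dropped …
}
```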