mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 05:27:01 +01:00
1.1 Install updates
This commit is contained in:
thibault.dewailly
parent
5efc1d1a96
commit
6aa74d6188
@ -13,16 +13,32 @@ set -u # One variable unset, it's over
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
:
|
info "Checking if apt needs an update"
|
||||||
|
apt_update_if_needed
|
||||||
|
info "Fetching upgrades ..."
|
||||||
|
apt_check_updates "CIS_APT"
|
||||||
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
warn "$RESULT"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "No upgrades available"
|
||||||
|
FNRET=0
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
:
|
if [ $FNRET -gt 0 ]; then
|
||||||
|
info "Applying Upgrades..."
|
||||||
|
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
|
||||||
|
else
|
||||||
|
ok "No Upgrades to apply"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
check_config() {
|
check_config() {
|
||||||
|
# No parameters for this function
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -37,4 +53,5 @@ else
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
|||||||
@ -9,14 +9,17 @@ case $LOGLEVEL in
|
|||||||
warning )
|
warning )
|
||||||
MACHINE_LOG_LEVEL=2
|
MACHINE_LOG_LEVEL=2
|
||||||
;;
|
;;
|
||||||
info )
|
ok )
|
||||||
MACHINE_LOG_LEVEL=3
|
MACHINE_LOG_LEVEL=3
|
||||||
;;
|
;;
|
||||||
debug )
|
info )
|
||||||
MACHINE_LOG_LEVEL=4
|
MACHINE_LOG_LEVEL=4
|
||||||
;;
|
;;
|
||||||
|
debug )
|
||||||
|
MACHINE_LOG_LEVEL=5
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
MACHINE_LOG_LEVEL=3 ## Default loglevel value to info
|
MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
|
||||||
esac
|
esac
|
||||||
|
|
||||||
_logger() {
|
_logger() {
|
||||||
@ -33,18 +36,22 @@ cecho () {
|
|||||||
echo -e "${COLOR}$*${NC}"
|
echo -e "${COLOR}$*${NC}"
|
||||||
}
|
}
|
||||||
|
|
||||||
info () {
|
crit () {
|
||||||
[ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"
|
[ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
|
||||||
}
|
}
|
||||||
|
|
||||||
warn () {
|
warn () {
|
||||||
[ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
|
[ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
|
||||||
}
|
}
|
||||||
|
|
||||||
crit () {
|
ok () {
|
||||||
[ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
|
[ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BGREEN "[ OK ] $*"
|
||||||
|
}
|
||||||
|
|
||||||
|
info () {
|
||||||
|
[ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*"
|
||||||
}
|
}
|
||||||
|
|
||||||
debug () {
|
debug () {
|
||||||
[ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*"
|
[ $MACHINE_LOG_LEVEL -ge 5 ] && _logger $GRAY "[DBG ] $*"
|
||||||
}
|
}
|
||||||
|
|||||||
@ -22,13 +22,17 @@ if [ -z $status ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case $status in
|
case $status in
|
||||||
enabled | true )
|
enabled | true )
|
||||||
|
info "Checking Configuration"
|
||||||
|
check_config
|
||||||
info "Performing audit"
|
info "Performing audit"
|
||||||
audit # Perform audit
|
audit # Perform audit
|
||||||
info "Applying Hardening"
|
info "Applying Hardening"
|
||||||
apply # Perform hardening
|
apply # Perform hardening
|
||||||
;;
|
;;
|
||||||
audit )
|
audit )
|
||||||
|
info "Checking Configuration"
|
||||||
|
check_config
|
||||||
info "Performing audit"
|
info "Performing audit"
|
||||||
audit # Perform audit
|
audit # Perform audit
|
||||||
;;
|
;;
|
||||||
|
|||||||
35
lib/utils.sh
35
lib/utils.sh
@ -16,3 +16,38 @@ is_installed()
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# contains helper functions to work with apt
|
||||||
|
|
||||||
|
apt_update_if_needed()
|
||||||
|
{
|
||||||
|
if [ -e /var/cache/apt/pkgcache.bin ]
|
||||||
|
then
|
||||||
|
UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) ))
|
||||||
|
|
||||||
|
if [ $UPDATE_AGE -gt 21600 ]
|
||||||
|
then
|
||||||
|
# update too old, refresh database
|
||||||
|
apt-get update -y >/dev/null 2>/dev/null
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
apt-get update -y >/dev/null 2>/dev/null
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
apt_check_updates()
|
||||||
|
{
|
||||||
|
local NAME="$1"
|
||||||
|
local DETAILS="/dev/shm/${NAME}"
|
||||||
|
LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
|
||||||
|
local COUNT=$(wc -l < "$DETAILS")
|
||||||
|
FNRET=128 # Unknown function return result
|
||||||
|
RESULT="" # Result output for upgrade
|
||||||
|
if [ $COUNT -gt 0 ]; then
|
||||||
|
RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
RESULT="OK, no updates available"
|
||||||
|
FNRET=0
|
||||||
|
fi
|
||||||
|
rm $DETAILS
|
||||||
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user