1.1 Install updates

bin/hardening/1.1_Install_Updates.sh

@@ -13,16 +13,32 @@ set -u # One variable unset, it's over
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    :
+    info "Checking if apt needs an update"
+    apt_update_if_needed 
+    info "Fetching upgrades ..."
+    apt_check_updates "CIS_APT"
+    if [ $FNRET -gt 0 ]; then
+        warn "$RESULT"
+        FNRET=1
+    else
+        ok "No upgrades available"
+        FNRET=0
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if [ $FNRET -gt 0 ]; then 
+        info "Applying Upgrades..."
+        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
+    else
+        ok "No Upgrades to apply"
+    fi
 }
 
 # This function will check config parameters required
 check_config() {
+    # No parameters for this function
     :
 }
 
@@ -37,4 +53,5 @@ else
     fi
 fi 
 
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 [ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

lib/common.sh

@@ -9,14 +9,17 @@ case $LOGLEVEL in
     warning )
         MACHINE_LOG_LEVEL=2
         ;;
-    info )
+    ok )
         MACHINE_LOG_LEVEL=3
         ;;
-    debug )
+    info )
         MACHINE_LOG_LEVEL=4
         ;;
+    debug )
+        MACHINE_LOG_LEVEL=5
+        ;;
     *)
-        MACHINE_LOG_LEVEL=3 ## Default loglevel value to info
+        MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
 esac
 
 _logger() {
@@ -33,18 +36,22 @@ cecho () {
     echo -e "${COLOR}$*${NC}"
 }
 
-info () { 
-    [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"
+crit () {
+    [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
 }
 
 warn () {
     [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
 }
 
-crit () {
-    [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+ok () {
+    [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BGREEN "[ OK ] $*"
+}
+
+info () {
+    [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*"
 }
 
 debug () {
-    [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*"
+    [ $MACHINE_LOG_LEVEL -ge 5 ] && _logger $GRAY "[DBG ] $*"
 }

lib/main.sh

@@ -23,12 +23,16 @@ fi
 
 case $status in
     enabled | true )
+        info "Checking Configuration"
+        check_config
         info "Performing audit"
         audit # Perform audit
         info "Applying Hardening"
         apply # Perform hardening
         ;;
     audit )
+        info "Checking Configuration"
+        check_config
         info "Performing audit"
         audit # Perform audit
         ;;

lib/utils.sh

@@ -16,3 +16,38 @@ is_installed()
 }
 
 
+# contains helper functions to work with apt
+
+apt_update_if_needed() 
+{
+    if [ -e /var/cache/apt/pkgcache.bin ]
+    then
+        UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y'  /var/cache/apt/pkgcache.bin)  ))
+
+        if [ $UPDATE_AGE -gt 21600 ]
+        then
+            # update too old, refresh database
+            apt-get update -y >/dev/null 2>/dev/null
+        fi
+    else
+        apt-get update -y >/dev/null 2>/dev/null
+    fi
+}
+
+apt_check_updates()
+{
+    local NAME="$1"
+    local DETAILS="/dev/shm/${NAME}"
+    LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || : 
+    local COUNT=$(wc -l < "$DETAILS")
+    FNRET=128 # Unknown function return result
+    RESULT="" # Result output for upgrade
+    if [ $COUNT -gt 0 ]; then
+        RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
+        FNRET=1
+    else
+        RESULT="OK, no updates available"
+        FNRET=0
+    fi
+    rm $DETAILS
+}