fix: "--only" option in "hardening.sh" (#261)

"--only" was broken: it did not correctly match a script passed to "--only".

Previously we were checking the numbering prefix; we are now using the full script name.

Ex: 1.1.1.1_disable_freevxfs.sh

Previously (broken): looked up 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: looks up 1.1.1.1_disable_freevxfs.sh

Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
      Total Available Checks : 0
         Total Runned Checks : 0
         Total Passed Checks : [     0/0 ]
         Total Failed Checks : [     0/0 ]
   Enabled Checks Percentage : 0 %
       Conformity Percentage : N.A %
```

now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec     [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec     [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec     [INFO] Checking Configuration
1.1.10_var_tmp_noexec     [INFO] Performing audit
1.1.10_var_tmp_noexec     [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec     [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec     [ OK ] Check Passed
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec   [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec   [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec   [INFO] Checking Configuration
1.1.11.1_var_log_noexec   [INFO] Performing audit
1.1.11.1_var_log_noexec   [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec   [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec   [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec   [ KO ] Check Failed
      Total Available Checks : 2
         Total Runned Checks : 2
         Total Passed Checks : [     1/2 ]
         Total Failed Checks : [     1/2 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 50.00 %
```

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
damcav35
2025-07-02 14:22:20 +02:00
committed by GitHub
parent 231db2bf93
commit 99e6694261

@ -319,10 +319,7 @@ fi
for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
# not in the list
continue
fi
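Review bot: the replacement test `if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"` drops both the anchors and the dot escaping that the removed line had, so the script basename is now used as an unanchored extended regex against the space-joined list: `.` matches any character, and a script whose name occurs as a substring of a requested name is also selected (for a hypothetical script `1.10_var_tmp_noexec.sh`, the pattern `1.10_var_tmp_noexec.sh` with `.` as a wildcard matches inside `1.1.10_var_tmp_noexec.sh`, so passing `--only 1.1.10_var_tmp_noexec.sh` would run it too). A fixed-string, whole-line comparison avoids this, e.g. `printf '%s\n' "${TEST_LIST[@]}" | grep -qFx -- "$(basename "$SCRIPT")"`, or a loop over `"${TEST_LIST[@]}"` comparing each entry with `[ "$t" = "$(basename "$SCRIPT")" ]`.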