From 99e66942619755c98109c2de4de6c7e280df5cc4 Mon Sep 17 00:00:00 2001 
From: damcav35 <51324122+damcav35@users.noreply.github.com> Date: Wed, 2 Jul 2025 14:22:20 +0200 Subject: [PATCH] fix: "--only" option in "hardening.sh" (#261) "--only" was broken, it did not match correctly a script passed in only Previously we were checking only the numbering prefix; we now use the full script name. Ex: 1.1.1.1_disable_freevxfs.sh Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh Now: look up for 1.1.1.1_disable_freevxfs.sh Usage example: previously: ``` bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh Total Available Checks : 0 Total Runned Checks : 0 Total Passed Checks : [ 0/0 ] Total Failed Checks : [ 0/0 ] Enabled Checks Percentage : 0 % Conformity Percentage : N.A % ``` now: ``` bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh 1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec 1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option. 1.1.10_var_tmp_noexec [INFO] Checking Configuration 1.1.10_var_tmp_noexec [INFO] Performing audit 1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition 1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition 1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab 1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec 1.1.10_var_tmp_noexec [ OK ] Check Passed hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh 1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec 1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option. 
1.1.11.1_var_log_noexec [INFO] Checking Configuration 1.1.11.1_var_log_noexec [INFO] Performing audit 1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition 1.1.11.1_var_log_noexec [ OK ] /var/log is a partition 1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab! 1.1.11.1_var_log_noexec [ KO ] Check Failed Total Available Checks : 2 Total Runned Checks : 2 Total Passed Checks : [ 1/2 ] Total Failed Checks : [ 1/2 ] Enabled Checks Percentage : 100.00 % Conformity Percentage : 50.00 % ```
Co-authored-by: Damien Cavagnini
---
bin/hardening.sh | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 786f87a..ce4e257 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -319,10 +319,7 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
 if [ "${#TEST_LIST[@]}" -gt 0 ]; then
 # --only X has been specified at least once, is this script in my list ?
- SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
- # shellcheck disable=SC2001
- SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
- if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
+ if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
 # not in the list
 continue
 fi
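Review bot: The new `+` line still treats the script's basename as an unanchored extended regex, so every `.` matches any character and a name that is a substring of a longer `--only` entry is accepted (constructed example: script `1.1.1_x.sh` is found inside the entry `11.1.1_x.sh`), while a `[` or `+` in a check filename would make grep error out or mis-match. Because this comparison decides which hardening checks actually run, it should be an exact whole-entry match: `if ! grep -qxF -- "$(basename "$SCRIPT")" < <(printf '%s\n' "${TEST_LIST[@]}"); then`. The here-string `<<<"${TEST_LIST[@]}"` collapses the array into one space-separated line, which is why `-x` needs the one-entry-per-line `printf` form instead. The surrounding `for` loop's `done` lies outside the hunk.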