From a5e1cb90cd6f18a16f534b3f616b0edc168ca37c Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 4 Jan 2021 09:03:44 +0100
Subject: [PATCH] ADD(4.1.1.4): add new check

---
 bin/hardening/4.1.1.4_audit_backlog_limit.sh | 50 ++++++++++++++++++-
 .../hardening/4.1.1.4_audit_backlog_limit.sh | 16 +++---
 2 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/bin/hardening/4.1.1.4_audit_backlog_limit.sh b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
index aaa9af1..d9ae5db 100755
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@@ -17,14 +17,60 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 
+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for GRUB_OPTION in $OPTIONS; do
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for GRUB_OPTION in $OPTIONS; do
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
+            else
+                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
 }
 
 # This function will check config parameters required
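Review bot: The "absent parameter" branch of apply() appends `GRUB_CMDLINE_LINUX = "audit_backlog_limit=8192"` via `add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"`; with spaces around `=` that line is not an assignment when /etc/default/grub is sourced and never matches the audit pattern `^$GRUB_PARAM=$GRUB_VALUE`, so a host that lacked the parameter stays non-compliant after apply. The line should be `add_end_of_file "$FILE" "$GRUB_PARAM=$GRUB_VALUE"`. Separately, `replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"` rewrites the whole GRUB_CMDLINE_LINUX line and drops any other kernel parameters already set in it, while audit()'s anchored full-line pattern reports a line that carries additional parameters next to audit_backlog_limit=8192 as a failure; matching the token inside the quoted value rather than the exact line would make both functions safe on hosts that already customise that variable. Nothing in this hunk regenerates the bootloader configuration, so unless the remainder of the file (cut off after the last context line) does, the new parameter only takes effect once update-grub has been run.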
diff --git a/tests/hardening/4.1.1.4_audit_backlog_limit.sh b/tests/hardening/4.1.1.4_audit_backlog_limit.sh
index f85b20d..af007f7 100644
--- a/tests/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/tests/hardening/4.1.1.4_audit_backlog_limit.sh
@@ -1,11 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+        # TODO fill comprehensive tests
+    fi
 }
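Review bot: The new `/.dockerenv` guard skips the entire body of test_audit, so in a container-based run the check is never exercised, and the only remaining assertion outside containers is `retvalshouldbe 0` on a blank host with the `# TODO fill comprehensive tests` still open. A one-line comment giving the reason for the skip would help the next reader, e.g. `# skipped in containers: the audit targets the host's /etc/default/grub` — assuming that is the motivation. Consider adding cases that write a fixture /etc/default/grub with and without the expected GRUB_CMDLINE_LINUX value, run the script in audit and apply mode, and assert the corresponding return codes, so the apply path added in the same commit gets covered as well.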