ADD(4.1.1.4): add new check
This commit is contained in:
parent
b6fff5b8b6
commit
a5e1cb90cd
@ -17,14 +17,60 @@ HARDENING_LEVEL=4
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
|
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
|
||||||
|
|
||||||
|
FILE='/etc/default/grub'
|
||||||
|
OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
:
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
else
|
||||||
|
ok "$FILE exists, checking configuration"
|
||||||
|
for GRUB_OPTION in $OPTIONS; do
|
||||||
|
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
|
||||||
|
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
|
||||||
|
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
|
||||||
|
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
|
||||||
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
crit "$PATTERN is not present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
:
|
does_file_exist "$FILE"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
warn "$FILE does not exist, creating it"
|
||||||
|
touch "$FILE"
|
||||||
|
else
|
||||||
|
ok "$FILE exists"
|
||||||
|
fi
|
||||||
|
for GRUB_OPTION in $OPTIONS; do
|
||||||
|
GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
|
||||||
|
GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
|
||||||
|
debug "$GRUB_PARAM should be set to $GRUB_VALUE"
|
||||||
|
PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
|
||||||
|
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
warn "$PATTERN is not present in $FILE, adding it"
|
||||||
|
does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
|
||||||
|
add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
|
||||||
|
else
|
||||||
|
info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
|
||||||
|
replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
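Review bot: `apply()` rewrites the entire `GRUB_CMDLINE_LINUX=` line via `replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"`, so any kernel parameters already present on that line (for example an `audit=1` setting, if one is there) are silently discarded, and `audit()` reports a crit whenever the line holds anything besides this single value because `PATTERN="^$GRUB_PARAM=$GRUB_VALUE"` matches the whole quoted value rather than the `audit_backlog_limit=8192` token inside it. Both functions should look for the token within the existing value, e.g. in audit `PATTERN="^GRUB_CMDLINE_LINUX=\".*audit_backlog_limit=8192"`, and apply should append to the current value instead of replacing it — whether `replace_in_file` can express that non-destructively depends on its implementation, which is outside this hunk. Separately, the fallback `add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"` writes spaces around `=`, which is not an assignment in a sourced grub defaults file and will never satisfy the audit pattern, so the check stays failing after apply; it should be `add_end_of_file "$FILE" "$GRUB_PARAM=$GRUB_VALUE"`. Nothing in the hunk regenerates the grub configuration after the edit; if the framework does not do that elsewhere, a comment saying the change takes effect only after `update-grub` would help operators. The `check_config` function that begins at the last context line continues outside the hunk.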
@ -1,11 +1,15 @@
|
|||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
test_audit() {
|
test_audit() {
|
||||||
describe Running on blank host
|
if [ -f "/.dockerenv" ]; then
|
||||||
register_test retvalshouldbe 0
|
skip "SKIPPED on docker"
|
||||||
dismiss_count_for_test
|
else
|
||||||
# shellcheck disable=2154
|
describe Running on blank host
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
# TODO fill comprehensive tests
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
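Review bot: The guard `if [ -f "/.dockerenv" ]; then` only recognises Docker, so on other container runtimes or CI runners without that marker the `run blank ... --audit-all` branch executes against whatever `/etc/default/grub` the runner has, which is presumably the situation the skip was meant to avoid. Widening the condition, e.g. `if [ -f "/.dockerenv" ] || [ -f "/run/.containerenv" ]; then`, would cover podman-style containers as well. The non-skipped branch still carries `# TODO fill comprehensive tests`, so the only assertion is the blank-host return value; a test that writes a `GRUB_CMDLINE_LINUX` line with and without the token and checks the audit outcome would exercise the new pattern logic directly.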