ADD(4.1.1.4): add new check

2024-11-22 13:37:02 +01:00 · 2021-01-04 09:03:44 +01:00 · 2021-01-04 09:03:44 +01:00 · a5e1cb90cd
commit a5e1cb90cd
parent b6fff5b8b6
2 changed files with 58 additions and 8 deletions
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -17,14 +17,60 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."

+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for GRUB_OPTION in $OPTIONS; do
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for GRUB_OPTION in $OPTIONS; do
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
+            else
+                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
 }

 # This function will check config parameters required
--- a/tests/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/tests/hardening/4.1.1.4_audit_backlog_limit.sh
@ -1,11 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+        # TODO fill comprehensive tests
+    fi
 }