From d40a85085de8ecaeeec154ac536c3b0c5cfcf03d Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Fri, 20 Nov 2020 10:05:14 +0100
Subject: [PATCH] FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.
---
 bin/hardening.sh | 21 ++++++++++++++++++---
 debian/changelog | 6 ++++++
 lib/main.sh | 11 +++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/bin/hardening.sh b/bin/hardening.sh
index f843da6..adf0d9f 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:
 Modifies the policy to allow a certain kind of services on the machine, such as http, mail, etc. Can be specified multiple times to allow multiple services. Use --allow-service-list to get a list of supported services.
+
+ --create-config-files-only
+ Create the config files in etc/conf.d
+ Must be run as root, before running the audit with user secaudit
 OPTIONS:
@@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
 --allow-service-list)
 ALLOW_SERVICE_LIST=1
 ;;
+ --create-config-files-only)
+ CREATE_CONFIG=1
+ ;;
 --allow-service)
 ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
 shift
@@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
 usage
 fi
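Review bot: The extended RUN_MODE guard in the `-156,7` hunk of bin/hardening.sh still accepts `--create-config-files-only` together with `--audit`, `--audit-all` or `--apply`; the per-script dispatch added further down in this file tests `CREATE_CONFIG` first, so the other mode is silently dropped rather than rejected. Consider refusing the combination right after this guard, e.g. `if [ "$CREATE_CONFIG" -eq 1 ] && [ $((AUDIT + AUDIT_ALL + AUDIT_ALL_ENABLE_PASSED + APPLY)) -ne 0 ]; then` / `usage` / `fi`, since `usage` appears to quit according to the comment above the guard. The argument-parsing `while` loop whose `done` appears here starts outside the hunk.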
@@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
 exit 0
 fi
+if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+ echo "For --create-config-files-only, please run as root"
+ exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 fi
 info "Treating $SCRIPT"
-
- if [ $AUDIT = 1 ]; then
+ if [ $CREATE_CONFIG = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+ $SCRIPT --create-config-files-only $BATCH_MODE
+ elif [ $AUDIT = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
 $SCRIPT --audit $SUDO_MODE $BATCH_MODE
 elif [ $AUDIT_ALL = 1 ]; then
diff --git a/debian/changelog b/debian/changelog
index 2a1d653..6821786 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cis-hardening (2.1-2) unstable; urgency=medium
+
+ * Add --create-config-files-only mode that only create config files without running audit
+
+ -- Thibault Ayanides Mon, 23 Nov 2020 13:40:14 +0100
+
 cis-hardening (2.1-1) stable; urgency=medium
 * Move to most recent docker image for buster
 * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
diff --git a/lib/main.sh b/lib/main.sh
index 41653ab..7842ffc 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
 info "Audit argument passed but script is disabled"
 fi
 ;;
+ --create-config-files-only)
+ debug "Create config files"
+ forcedstatus=createconfig
+ ;;
 --sudo)
 SUDO_CMD="sudo_wrapper"
 ;;
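Review bot: The root-check message added in the `-210,6` hunk goes to stdout, so a non-root invocation of `--create-config-files-only` mixes the diagnostic into whatever consumes the audit output before exiting 1; send it to stderr and quote the flag variable as the neighbouring `"$EUID"` test already does: `if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then` / `echo "For --create-config-files-only, please run as root" >&2`. The same unquoted `$CREATE_CONFIG` pattern recurs in the `-223,8` hunk, where it follows the existing `$AUDIT` style.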
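Review bot: The new `$SCRIPT --create-config-files-only $BATCH_MODE` call in the `-223,8` hunk never checks its exit status, so a config file that could not be created (a failing script or an unwritable conf.d) goes unnoticed and the loop simply moves on to the next script. Going by the commit message, the subsequent secaudit run would presumably then create that file itself with the wrong owner and permissions, which is precisely what this mode is meant to avoid, so the failure should at least be reported: `$SCRIPT --create-config-files-only $BATCH_MODE || info "Could not create config file for $SCRIPT"` (or the project's warning helper if it has one, and an exit code that the caller can act on). The `for SCRIPT` loop continues past the end of the hunk.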
@@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
 else
 echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 fi
+
 fi
+
+if [ $forcedstatus = "createconfig" ]; then
+ debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
+ exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 # Now check configured value for status, and potential cmdline parameter
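Review bot: `$forcedstatus` is unquoted in the new test in lib/main.sh, so if it is empty on this path `[ = "createconfig" ]` produces a test error rather than a clean false; quote it: `if [ "$forcedstatus" = "createconfig" ]; then`. The debug line also says the file `has been created`, but creation is guarded by the `if ! [ -r ... ]` on the hunk header line, so on a repeat run with the file already present nothing is written and, as far as this hunk shows, an existing file's owner and permissions are left untouched; `debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg is present"` would be accurate in both cases, and it is worth confirming whether a pre-existing file should be re-checked rather than skipped. The `if ! [ -r` block opens before this hunk.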