FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
This commit is contained in:
Thibault Ayanides 2020-11-20 10:05:14 +01:00
parent 467e5f178c
commit d40a85085d
3 changed files with 35 additions and 3 deletions

View File

@ -20,6 +20,7 @@ AUDIT=0
APPLY=0 APPLY=0
AUDIT_ALL=0 AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0 AUDIT_ALL_ENABLE_PASSED=0
CREATE_CONFIG=0
ALLOW_SERVICE_LIST=0 ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
@ -77,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
as http, mail, etc. Can be specified multiple times to allow multiple services. as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
--create-config-files-only
Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
OPTIONS: OPTIONS:
--only <test_number> --only <test_number>
@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
--allow-service-list) --allow-service-list)
ALLOW_SERVICE_LIST=1 ALLOW_SERVICE_LIST=1
;; ;;
--create-config-files-only)
CREATE_CONFIG=1
;;
--allow-service) --allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift shift
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
done done
# if no RUN_MODE was passed, usage and quit # if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
usage usage
fi fi
@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
exit 0 exit 0
fi fi
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
echo "For --create-config-files-only, please run as root"
exit 1
fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
fi fi
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ $CREATE_CONFIG = 1 ]; then
if [ $AUDIT = 1 ]; then debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
$SCRIPT --create-config-files-only $BATCH_MODE
elif [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE $SCRIPT --audit $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL = 1 ]; then elif [ $AUDIT_ALL = 1 ]; then

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
cis-hardening (2.1-2) unstable; urgency=medium
* Add --create-config-files-only mode that only create config files without running audit
-- Thibault Ayanides <tayanide@ovhcloud.com> Mon, 23 Nov 2020 13:40:14 +0100
cis-hardening (2.1-1) stable; urgency=medium cis-hardening (2.1-1) stable; urgency=medium
* Move to most recent docker image for buster * Move to most recent docker image for buster
* Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant

View File

@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
info "Audit argument passed but script is disabled" info "Audit argument passed but script is disabled"
fi fi
;; ;;
--create-config-files-only)
debug "Create config files"
forcedstatus=createconfig
;;
--sudo) --sudo)
SUDO_CMD="sudo_wrapper" SUDO_CMD="sudo_wrapper"
;; ;;
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
else else
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
fi fi
fi fi
if [ $forcedstatus = "createconfig" ]; then
debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
exit 0
fi
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
# Now check configured value for status, and potential cmdline parameter # Now check configured value for status, and potential cmdline parameter