FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.

bin/hardening.sh

@@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit
 
 OPTIONS:
 
@@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
         --allow-service-list)
             ALLOW_SERVICE_LIST=1
         ;;
+        --create-config-files-only)
+            CREATE_CONFIG=1
+        ;;
         --allow-service)
             ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
             shift
@@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
     usage
 fi
 
@@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
     exit 0
 fi
 
+if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     fi
 
     info "Treating $SCRIPT"
-
+    if [ $CREATE_CONFIG = 1 ]; then
-    if [ $AUDIT = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        $SCRIPT --create-config-files-only $BATCH_MODE
+    elif [ $AUDIT = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
         $SCRIPT --audit $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL = 1 ]; then

debian/changelog

@@ -1,3 +1,9 @@
+cis-hardening (2.1-2) unstable; urgency=medium
+
+  * Add --create-config-files-only mode that only create config files without running audit
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 23 Nov 2020 13:40:14 +0100
+ 
 cis-hardening (2.1-1) stable; urgency=medium
   * Move to most recent docker image for buster
   * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant

lib/main.sh

@@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
             info "Audit argument passed but script is disabled"
         fi
         ;;
+        --create-config-files-only)
+            debug "Create config files"
+            forcedstatus=createconfig
+        ;;
         --sudo)
         SUDO_CMD="sudo_wrapper"
         ;;
@@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
     else
         echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
     fi
+
 fi
+
+if [ $forcedstatus = "createconfig" ]; then
+    debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
+    exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 
 # Now check configured value for status, and potential cmdline parameter