fix: "--only" option in "hardening.sh"

"--only" was broken, it did not match correctly a script passed in only Previously we were checking the numerotation number, we now are using the full script name. Ex: 1.1.1.1_disable_freevxfs.sh Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh Now: look up for 1.1.1.1_disable_freevxfs.sh Usage example: previously: ``` bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh Total Available Checks : 0 Total Runned Checks : 0 Total Passed Checks : [ 0/0 ] Total Failed Checks : [ 0/0 ] Enabled Checks Percentage : 0 % Conformity Percentage : N.A % ``` now: ``` bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh 1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec 1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option. 1.1.10_var_tmp_noexec [INFO] Checking Configuration 1.1.10_var_tmp_noexec [INFO] Performing audit 1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition 1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition 1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab 1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec 1.1.10_var_tmp_noexec [ OK ] Check Passed hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh 1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec 1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option. 1.1.11.1_var_log_noexec [INFO] Checking Configuration 1.1.11.1_var_log_noexec [INFO] Performing audit 1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition 1.1.11.1_var_log_noexec [ OK ] /var/log is a partition 1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab! 1.1.11.1_var_log_noexec [ KO ] Check Failed Total Available Checks : 2 Total Runned Checks : 2 Total Passed Checks : [ 1/2 ] Total Failed Checks : [ 1/2 ] Enabled Checks Percentage : 100.00 % Conformity Percentage : 50.00 % ```
2025-07-16 13:52:17 +02:00 · 2025-07-02 10:55:11 +02:00
3 changed files with 44 additions and 27 deletions
--- a/bin/hardening/record_mac_edit.sh
+++ b/bin/hardening/record_mac_edit.sh
@ -17,48 +17,64 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."

-AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
-AUDIT_FILE='/etc/audit/audit.rules'
-ADDITIONAL_PATH="/etc/audit/rules.d"
-FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    MISSING_PARAMS=()
-    index=0
-    # use find here in order to simplify test usage with sudo using secaudit user
-    FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
-    for i in "${!AUDIT_PARAMS[@]}"; do
-        debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-                debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-                ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
-            crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
-            MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
-            index=$((index + 1))
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
+    IFS=$d_IFS
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    audit
-    changes=0
-    for i in "${!MISSING_PARAMS[@]}"; do
-        info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
-        add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
-        changes=1
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
+            if [ "$FNRET" != 0 ]; then
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+            else
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
        done
-
-    [ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }

 # This function will check config parameters required
--- a/debian/control
+++ b/debian/control
@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/

 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch, coreutils
+Depends: ${misc:Depends}, patch
 Description: Suite of configurable scripts to audit or harden a Debian.
 Modular Debian security hardening scripts based on cisecurity.org
 ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
--- a/tests/hardening/record_mac_edit.sh
+++ b/tests/hardening/record_mac_edit.sh
@ -2,7 +2,8 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

@ -12,6 +13,6 @@ test_audit() {

    describe Checking resolved state
    register_test retvalshouldbe 0
-    register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
+    register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }