Update changelog

FIX(main): fix small bug in main
The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus
2025-07-16 22:02:17 +02:00 · 2020-11-30 15:16:36 +01:00 · 2020-11-30 15:10:39 +01:00 · 2020-11-30 14:27:20 +01:00 · 2020-11-20 10:05:14 +01:00
4 changed files with 56 additions and 7 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
 CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
    --create-config-files-only
        Create the config files in etc/conf.d
        Must be run as root, before running the audit with user secaudit
 OPTIONS:
@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
        --allow-service-list)
            ALLOW_SERVICE_LIST=1
        ;;
        --create-config-files-only)
            CREATE_CONFIG=1
        ;;
        --allow-service)
            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
            shift
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi
@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
    exit 0
 fi
 if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
    echo "For --create-config-files-only, please run as root"
    exit 1
 fi
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    fi
    info "Treating $SCRIPT"
-
+    if [ $CREATE_CONFIG = 1 ]; then
-    if [ $AUDIT = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
        $SCRIPT --create-config-files-only $BATCH_MODE
    elif [ $AUDIT = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
    elif [ $AUDIT_ALL = 1 ]; then
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@ -32,8 +32,13 @@ audit () {
            if [ $FNRET = 0 ]; then
                ok "$FILE permissions were set to $PERMISSIONS"
            else
-                ERRORS=$((ERRORS+1))
+                has_file_correct_permissions $FILE 600
-                crit "$FILE permissions were not set to $PERMISSIONS"
+                if [ $FNRET = 0 ]; then
                    ok "$FILE permissions were set to $PERMISSIONS"
                else
                    ERRORS=$((ERRORS+1))
                    crit "$FILE permissions were not set to $PERMISSIONS"
                fi
            fi
        fi
@ -73,8 +78,13 @@ apply () {
            if [ $FNRET = 0 ]; then
                ok "$FILE permissions were set to $PERMISSIONS"
            else
-                warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+                has_file_correct_permissions $FILE 600
-                chmod 0$PERMISSIONS $FILE
+                if [ $FNRET = 0 ]; then
                    ok "$FILE permissions were set to $PERMISSIONS"
                else
                    warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
                    chmod 0$PERMISSIONS $FILE
                fi
            fi
        fi
    done
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,16 @@
 cis-hardening (2.1-3) unstable; urgency=medium
  * Fix permissions on 5.2.3 (authorize 600)
  * Fix minor bug with --create-config-files-only
 -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 30 Nov 2020 15:14:17 +0100
 cis-hardening (2.1-2) unstable; urgency=medium
  * Add --create-config-files-only mode that only create config files without running audit
 -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 23 Nov 2020 13:40:14 +0100
 cis-hardening (2.1-1) stable; urgency=medium
  * Move to most recent docker image for buster
  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
--- a/lib/main.sh
+++ b/lib/main.sh
@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
            info "Audit argument passed but script is disabled"
        fi
        ;;
        --create-config-files-only)
            debug "Create config files"
            forcedstatus=createconfig
        ;;
        --sudo)
        SUDO_CMD="sudo_wrapper"
        ;;
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
    else
        echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
    fi
 fi
 if [ "$forcedstatus" = "createconfig" ] ; then
    debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
    exit 0
 fi
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 # Now check configured value for status, and potential cmdline parameter
Author	SHA1	Message	Date
Thibault Ayanides	9c3aa51982	Update changelog	2020-11-30 15:16:36 +01:00
Thibault Ayanides	b994ca11a7	FIX(main): fix small bug in main The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus	2020-11-30 15:10:39 +01:00
Thibault Ayanides	f4e0aafacc	IMP(5.2.3): fix possible permissions for 5.2.3	2020-11-30 14:27:20 +01:00
Thibault Ayanides	d40a85085d	FIX: fix issue, we had to run audit twice First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.	2020-11-20 10:05:14 +01:00