ec6b79e3c7
As of now, if a sudo command was not allowed, the check might sometimes pass, resulting in a compliant state even if it actually is not. The sudo wrapper first checks whether the command is allowed before running it; otherwise it issues a crit message, setting the check as not compliant. Fix script to make sudo_wrapper work, split "find" lines. Fix quotes in $@ and $* when running sudo command. Fixed quotes and curly braces per shellcheck report.
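# Shared driver for a hardening check: parses the command-line options,
# loads the global and per-check configuration, decides whether the check
# runs in enabled / audit / disabled mode, runs the check_config, audit and
# apply hooks provided by the caller, then exits with a summary status.
#
# Names this file expects from the caller or from the sourced libraries:
#   CIS_ROOT_DIR                  installation root; every path below derives from it
#   DESCRIPTION                   one-line description of the check (only logged)
#   debug / info / warn / crit / ok   logging helpers (not defined here)
#   check_config / audit / apply  check hooks; create_config is optional
#
# Exit status: 0 when CRITICAL_ERRORS_NUMBER stayed at 0 (check passed),
#              1 when it did not (check failed),
#              2 when the check is disabled or its status is unknown.

LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}

# Variable initialization, to avoid crash
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
BATCH_MODE=0
BATCH_OUTPUT=""
status=""
forcedstatus=""
SUDO_CMD=""

# Every library and configuration file below is resolved relative to
# CIS_ROOT_DIR and then sourced, i.e. executed by this shell. With an
# empty value those paths would resolve against "/" (and the per-check
# config would later be created under /etc/conf.d), so refuse to go on.
: "${CIS_ROOT_DIR:?CIS_ROOT_DIR must be set before this file is used}"

[ -r "$CIS_ROOT_DIR/lib/constants.sh" ] && . "$CIS_ROOT_DIR/lib/constants.sh"
[ -r "$CIS_ROOT_DIR/etc/hardening.cfg" ] && . "$CIS_ROOT_DIR/etc/hardening.cfg"
[ -r "$CIS_ROOT_DIR/lib/common.sh" ] && . "$CIS_ROOT_DIR/lib/common.sh"
[ -r "$CIS_ROOT_DIR/lib/utils.sh" ] && . "$CIS_ROOT_DIR/lib/utils.sh"

# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# Arguments parsing
while [ "$#" -gt 0 ]; do
    ARG="$1"
    case "$ARG" in
        --audit-all)
            debug "Audit all specified, setting status to audit regardless of configuration"
            forcedstatus=auditall
            ;;
        --audit)
            # NOTE: the per-check config is only sourced further down, so
            # unless hardening.cfg sets it, $status is still empty here and
            # the real enabled/disabled decision is made again below.
            if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
                debug "Audit argument detected, setting status to audit"
                forcedstatus=audit
            else
                info "Audit argument passed but script is disabled"
            fi
            ;;
        --sudo)
            # Checks prefix privileged commands with $SUDO_CMD; sudo_wrapper
            # is not defined in this file (expected from the sourced libraries).
            SUDO_CMD="sudo_wrapper"
            ;;
        --batch)
            debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
            BATCH_MODE=1
            LOGLEVEL=ok
            # common.sh is sourced again here, presumably so the logging
            # helpers pick up the new LOGLEVEL.
            [ -r "$CIS_ROOT_DIR/lib/common.sh" ] && . "$CIS_ROOT_DIR/lib/common.sh"
            ;;
        *)
            debug "Unknown option passed"
            ;;
    esac
    shift
done

info "Working on $SCRIPT_NAME"
info "[DESCRIPTION] $DESCRIPTION"

# Source specific configuration file
if ! [ -r "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg" ]; then
    # If it doesn't exist, create it with default values
    echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" > "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
    # If create_config is a defined function, execute it.
    # Otherwise, just disable the test by default.
    if [ "$(type -t create_config)" = "function" ]; then
        create_config >> "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
    else
        echo "status=disabled" >> "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"
    fi
fi
# The per-check .cfg is shell syntax and is sourced: whoever can write to
# etc/conf.d can run code inside every check, so restrict write access to it.
[ -r "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg" ] && . "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"

# Now check configured value for status, and potential cmdline parameter
if [ "$forcedstatus" = "auditall" ]; then
    # We want to audit even disabled script, so override config value in any case
    status=audit
elif [ "$forcedstatus" = "audit" ]; then
    # We want to audit only enabled scripts
    if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
        debug "Audit argument detected, setting status to audit"
        status=audit
    else
        info "Audit argument passed but script is disabled"
    fi
fi

if [ -z "$status" ]; then
    crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
    exit 2
fi

case "$status" in
    enabled | true)
        info "Checking Configuration"
        check_config
        info "Performing audit"
        audit # Perform audit
        info "Applying Hardening"
        apply # Perform hardening
        ;;
    audit)
        info "Checking Configuration"
        check_config
        info "Performing audit"
        audit # Perform audit
        ;;
    disabled | false)
        info "$SCRIPT_NAME is disabled, ignoring"
        exit 2 # Means unknown status
        ;;
    *)
        # NOTE(review): execution falls through to the summary below, so a
        # mistyped status value ends in "Check Passed" (exit 0) although no
        # audit ran; exiting 2 here would match the disabled case.
        warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
        ;;
esac

# Summary: CRITICAL_ERRORS_NUMBER is expected to be raised by the logging
# helpers on every crit message; in batch mode a single "OK"/"KO" line is
# printed instead of the ok/crit message.
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
    if [ "$BATCH_MODE" -eq 1 ]; then
        BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
        echo "$BATCH_OUTPUT"
    else
        ok "Check Passed"
    fi
    exit 0 # Means ok status
else
    if [ "$BATCH_MODE" -eq 1 ]; then
        BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
        echo "$BATCH_OUTPUT"
    else
        crit "Check Failed"
    fi
    exit 1 # Means critical status
fi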