mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-23 05:55:38 +01:00
7690b57ea9
becho stands for batch echo formats the log line for syslog Also logs audit summary into syslog (in batch mode only)
130 lines
4.0 KiB
Bash
130 lines
4.0 KiB
Bash
LONG_SCRIPT_NAME=$(basename $0)
|
||
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
||
# Variable initialization, to avoid crash
|
||
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
|
||
BATCH_MODE=0
|
||
BATCH_OUTPUT=""
|
||
status=""
|
||
forcedstatus=""
|
||
SUDO_CMD=""
|
||
|
||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||
|
||
# Environment Sanitizing
|
||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||
|
||
# Arguments parsing
|
||
while [[ $# > 0 ]]; do
|
||
ARG="$1"
|
||
case $ARG in
|
||
--audit-all)
|
||
debug "Audit all specified, setting status to audit regardless of configuration"
|
||
forcedstatus=auditall
|
||
;;
|
||
--audit)
|
||
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
|
||
debug "Audit argument detected, setting status to audit"
|
||
forcedstatus=audit
|
||
else
|
||
info "Audit argument passed but script is disabled"
|
||
fi
|
||
;;
|
||
--sudo)
|
||
SUDO_CMD="sudo_wrapper"
|
||
;;
|
||
--batch)
|
||
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
|
||
BATCH_MODE=1
|
||
LOGLEVEL=ok
|
||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||
;;
|
||
*)
|
||
debug "Unknown option passed"
|
||
;;
|
||
esac
|
||
shift
|
||
done
|
||
|
||
info "Working on $SCRIPT_NAME"
|
||
info "[DESCRIPTION] $DESCRIPTION"
|
||
|
||
# Source specific configuration file
|
||
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
|
||
# If it doesn't exist, create it with default values
|
||
echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||
# If create_config is a defined function, execute it.
|
||
# Otherwise, just disable the test by default.
|
||
if type -t create_config | grep -qw function ; then
|
||
create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||
else
|
||
echo "status=disabled" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||
fi
|
||
fi
|
||
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||
|
||
# Now check configured value for status, and potential cmdline parameter
|
||
if [ "$forcedstatus" = "auditall" ] ; then
|
||
# We want to audit even disabled script, so override config value in any case
|
||
status=audit
|
||
elif [ "$forcedstatus" = "audit" ] ; then
|
||
# We want to audit only enabled scripts
|
||
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
|
||
debug "Audit argument detected, setting status to audit"
|
||
status=audit
|
||
else
|
||
info "Audit argument passed but script is disabled"
|
||
fi
|
||
fi
|
||
|
||
if [ -z $status ]; then
|
||
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
|
||
|
||
exit 2
|
||
fi
|
||
|
||
|
||
case $status in
|
||
enabled | true )
|
||
info "Checking Configuration"
|
||
check_config
|
||
info "Performing audit"
|
||
audit # Perform audit
|
||
info "Applying Hardening"
|
||
apply # Perform hardening
|
||
;;
|
||
audit )
|
||
info "Checking Configuration"
|
||
check_config
|
||
info "Performing audit"
|
||
audit # Perform audit
|
||
;;
|
||
disabled | false )
|
||
info "$SCRIPT_NAME is disabled, ignoring"
|
||
exit 2 # Means unknown status
|
||
;;
|
||
*)
|
||
warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
|
||
;;
|
||
esac
|
||
|
||
if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
|
||
if [ $BATCH_MODE -eq 1 ]; then
|
||
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
|
||
becho $BATCH_OUTPUT
|
||
else
|
||
ok "Check Passed"
|
||
fi
|
||
exit 0 # Means ok status
|
||
else
|
||
if [ $BATCH_MODE -eq 1 ]; then
|
||
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
|
||
becho $BATCH_OUTPUT
|
||
else
|
||
crit "Check Failed"
|
||
fi
|
||
exit 1 # Means critical status
|
||
fi
|