FIX: fix issue, we had to run audit twice
First as root, to create the conf files with the correct owner and permissions, then as secaudit. Now run first with --create-config-files-only and then normally with --audit.
This commit is contained in:
parent
467e5f178c
commit
d40a85085d
3 changed files with 35 additions and 3 deletions
|
@ -20,6 +20,7 @@ AUDIT=0
|
|||
APPLY=0
|
||||
AUDIT_ALL=0
|
||||
AUDIT_ALL_ENABLE_PASSED=0
|
||||
CREATE_CONFIG=0
|
||||
ALLOW_SERVICE_LIST=0
|
||||
SET_HARDENING_LEVEL=0
|
||||
SUDO_MODE=''
|
||||
|
@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
|||
Modifies the policy to allow a certain kind of services on the machine, such
|
||||
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||
Use --allow-service-list to get a list of supported services.
|
||||
|
||||
--create-config-files-only
|
||||
Create the config files in etc/conf.d
|
||||
Must be run as root, before running the audit with user secaudit
|
||||
|
||||
OPTIONS:
|
||||
|
||||
|
@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
|
|||
--allow-service-list)
|
||||
ALLOW_SERVICE_LIST=1
|
||||
;;
|
||||
--create-config-files-only)
|
||||
CREATE_CONFIG=1
|
||||
;;
|
||||
--allow-service)
|
||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||
shift
|
||||
|
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
|
|||
done
|
||||
|
||||
# if no RUN_MODE was passed, usage and quit
|
||||
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
|
||||
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
|
@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
|
||||
echo "For --create-config-files-only, please run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Parse every scripts and execute them in the required mode
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||
|
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
|||
fi
|
||||
|
||||
info "Treating $SCRIPT"
|
||||
|
||||
if [ $AUDIT = 1 ]; then
|
||||
if [ $CREATE_CONFIG = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
|
||||
$SCRIPT --create-config-files-only $BATCH_MODE
|
||||
elif [ $AUDIT = 1 ]; then
|
||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
||||
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
|
||||
elif [ $AUDIT_ALL = 1 ]; then
|
||||
|
|
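Review bot: In the dispatch loop the new `if [ $CREATE_CONFIG = 1 ]` branch is tested before `elif [ $AUDIT = 1 ]`, so an invocation like `--audit --create-config-files-only` (or with `--apply`) silently creates config files and never audits or applies; the extended usage guard (`... -a "$CREATE_CONFIG" -eq 0`) only catches the case where no mode was given at all. Rejecting the combination next to the new root check would make the mode truly exclusive, e.g. `if [ "$CREATE_CONFIG" -eq 1 ] && [ "$((AUDIT + AUDIT_ALL + AUDIT_ALL_ENABLE_PASSED + APPLY))" -ne 0 ]; then echo "--create-config-files-only cannot be combined with another run mode" >&2; exit 1; fi`. The new tests also use the unquoted `[ $CREATE_CONFIG = 1 ]` form while the guard they extend uses `"$CREATE_CONFIG" -eq 0`; `[ "$CREATE_CONFIG" -eq 1 ]` keeps the file consistent. The `for SCRIPT` loop containing the dispatch starts before this hunk and its remaining `elif` branches continue past it.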
6
debian/changelog
vendored
6
debian/changelog
vendored
|
@ -1,3 +1,9 @@
|
|||
cis-hardening (2.1-2) unstable; urgency=medium
|
||||
|
||||
* Add --create-config-files-only mode that only create config files without running audit
|
||||
|
||||
-- Thibault Ayanides <tayanide@ovhcloud.com> Mon, 23 Nov 2020 13:40:14 +0100
|
||||
|
||||
cis-hardening (2.1-1) stable; urgency=medium
|
||||
* Move to most recent docker image for buster
|
||||
* Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
|
||||
|
|
11
lib/main.sh
11
lib/main.sh
|
@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
|
|||
info "Audit argument passed but script is disabled"
|
||||
fi
|
||||
;;
|
||||
--create-config-files-only)
|
||||
debug "Create config files"
|
||||
forcedstatus=createconfig
|
||||
;;
|
||||
--sudo)
|
||||
SUDO_CMD="sudo_wrapper"
|
||||
;;
|
||||
|
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
|
|||
else
|
||||
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if [ $forcedstatus = "createconfig" ]; then
|
||||
debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
|
||||
# Now check configured value for status, and potential cmdline parameter
|
||||
|
|
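Review bot: The new early exit at `if [ $forcedstatus = "createconfig" ]` runs after the config file has been written, but nothing on this path sets the mode or owner of `$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg`, even though the commit message says the root run exists precisely to get correctly-owned files, and the file is then sourced as shell code on the following line (`. $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg`). Whoever can write that file, or the conf.d directory, gets their text executed by whichever user later runs `--audit` or `--apply`, so the create path should pin it explicitly, e.g. `chmod 0644 "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"` before the `exit 0` (the directory's mode and owner are presumably handled where conf.d is created, outside this hunk; worth confirming). Two smaller points: `$forcedstatus` is unquoted in the test and, if it can be empty here (its initialisation is outside the hunk), the test fails with `[: =: unary operator expected`, so `if [ "$forcedstatus" = "createconfig" ]` is safer; and the debug message `has been created` is also printed when the file already existed and the creation block above was skipped, so `is present` would be accurate.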