FIX: fix issue, we had to run audit twice
First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.
This commit is contained in:
parent
467e5f178c
commit
d40a85085d
3 changed files with 35 additions and 3 deletions
|
@ -20,6 +20,7 @@ AUDIT=0
|
||||||
APPLY=0
|
APPLY=0
|
||||||
AUDIT_ALL=0
|
AUDIT_ALL=0
|
||||||
AUDIT_ALL_ENABLE_PASSED=0
|
AUDIT_ALL_ENABLE_PASSED=0
|
||||||
|
CREATE_CONFIG=0
|
||||||
ALLOW_SERVICE_LIST=0
|
ALLOW_SERVICE_LIST=0
|
||||||
SET_HARDENING_LEVEL=0
|
SET_HARDENING_LEVEL=0
|
||||||
SUDO_MODE=''
|
SUDO_MODE=''
|
||||||
|
@ -77,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||||
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||||
Use --allow-service-list to get a list of supported services.
|
Use --allow-service-list to get a list of supported services.
|
||||||
|
|
||||||
|
--create-config-files-only
|
||||||
|
Create the config files in etc/conf.d
|
||||||
|
Must be run as root, before running the audit with user secaudit
|
||||||
|
|
||||||
OPTIONS:
|
OPTIONS:
|
||||||
|
|
||||||
--only <test_number>
|
--only <test_number>
|
||||||
|
@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
|
||||||
--allow-service-list)
|
--allow-service-list)
|
||||||
ALLOW_SERVICE_LIST=1
|
ALLOW_SERVICE_LIST=1
|
||||||
;;
|
;;
|
||||||
|
--create-config-files-only)
|
||||||
|
CREATE_CONFIG=1
|
||||||
|
;;
|
||||||
--allow-service)
|
--allow-service)
|
||||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||||
shift
|
shift
|
||||||
|
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
|
||||||
done
|
done
|
||||||
|
|
||||||
# if no RUN_MODE was passed, usage and quit
|
# if no RUN_MODE was passed, usage and quit
|
||||||
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
|
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
|
||||||
usage
|
usage
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
|
||||||
|
echo "For --create-config-files-only, please run as root"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Parse every scripts and execute them in the required mode
|
# Parse every scripts and execute them in the required mode
|
||||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||||
|
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
fi
|
fi
|
||||||
|
|
||||||
info "Treating $SCRIPT"
|
info "Treating $SCRIPT"
|
||||||
|
if [ $CREATE_CONFIG = 1 ]; then
|
||||||
if [ $AUDIT = 1 ]; then
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
|
||||||
|
$SCRIPT --create-config-files-only $BATCH_MODE
|
||||||
|
elif [ $AUDIT = 1 ]; then
|
||||||
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
|
||||||
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
|
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
|
||||||
elif [ $AUDIT_ALL = 1 ]; then
|
elif [ $AUDIT_ALL = 1 ]; then
|
||||||
|
|
6
debian/changelog
vendored
6
debian/changelog
vendored
|
@ -1,3 +1,9 @@
|
||||||
|
cis-hardening (2.1-2) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Add --create-config-files-only mode that only create config files without running audit
|
||||||
|
|
||||||
|
-- Thibault Ayanides <tayanide@ovhcloud.com> Mon, 23 Nov 2020 13:40:14 +0100
|
||||||
|
|
||||||
cis-hardening (2.1-1) stable; urgency=medium
|
cis-hardening (2.1-1) stable; urgency=medium
|
||||||
* Move to most recent docker image for buster
|
* Move to most recent docker image for buster
|
||||||
* Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
|
* Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
|
||||||
|
|
11
lib/main.sh
11
lib/main.sh
|
@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
|
||||||
info "Audit argument passed but script is disabled"
|
info "Audit argument passed but script is disabled"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
--create-config-files-only)
|
||||||
|
debug "Create config files"
|
||||||
|
forcedstatus=createconfig
|
||||||
|
;;
|
||||||
--sudo)
|
--sudo)
|
||||||
SUDO_CMD="sudo_wrapper"
|
SUDO_CMD="sudo_wrapper"
|
||||||
;;
|
;;
|
||||||
|
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
|
||||||
else
|
else
|
||||||
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $forcedstatus = "createconfig" ]; then
|
||||||
|
debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||||
|
|
||||||
# Now check configured value for status, and potential cmdline parameter
|
# Now check configured value for status, and potential cmdline parameter
|
||||||
|
|
Loading…
Reference in a new issue