From 372b6627ed3a9b71171c10e45f1b5ec02e4eef2d Mon Sep 17 00:00:00 2001
From: samson
Date: Thu, 28 Mar 2019 03:39:16 +0800
Subject: [PATCH] Add new feature: Implement the exception handling feature for the specified service. Just implement http for 6.10
---
 bin/hardening.sh | 6 ++++++
 bin/hardening/6.10_disable_http_server.sh | 26 +++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 140650d..d6759e1 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -188,6 +188,12 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
         wantedstatus=disabled
         [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
         sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+
+        # If use --allow-service to set, add HARDENING_EXCEPTION=1 to SCRTPT_BASENAME.cfg
+        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
+        if [ -n "$template" -a $(echo "${ALLOWED_SERVICES_LIST[@]}" | grep -wc "$template") -eq 1 ]; then
+            sed -i "s/^ISEXCEPTION=./ISEXCEPTION=1/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        fi
     done
     echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
     exit 0
diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh
index bd5c7f7..07b3eb4 100755
--- a/bin/hardening/6.10_disable_http_server.sh
+++ b/bin/hardening/6.10_disable_http_server.sh
@@ -22,7 +22,11 @@ audit () {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed $PACKAGE
         if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed!"
+            if [ $ISEXCEPTION -eq 1 ]; then
+                warn "$PACKAGE is installed! But Exception is set to 1, so it's pass!"
+            else
+                crit "$PACKAGE is installed!"
+            fi
         else
             ok "$PACKAGE is absent"
         fi
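Review bot: The allow-list test on the added `if` line is both too loose and one-way: `grep -wc` runs over the array joined into a single line, so `-w` lets `http` match a neighbouring entry like `http-proxy` (a hyphen is not a word character), and because the only `sed` writes `ISEXCEPTION=1` there is nothing that resets it to 0 once a service is dropped from `--allow-service`, so the exemption presumably survives in the .cfg across runs. The `s/^ISEXCEPTION=./…/` pattern also only fires when the key is already present, so .cfg files generated before this patch would silently keep the check exempt-less but unset — worth a fallback or at least a comment. The comment above should read `ISEXCEPTION=1` and `SCRIPT_BASENAME.cfg` to match what the code writes, and `-a` inside `[ ]` plus the unquoted cfg path are ShellCheck findings even if they follow the surrounding style. The enclosing `for` loop starts before this hunk.
```shell
        # Flag this check as an exception when its service was named via
        # --allow-service; clear the flag otherwise so a service removed
        # from the list does not stay exempt from an earlier run.
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        exception=0
        if [ -n "$template" ] && printf '%s\n' "${ALLOWED_SERVICES_LIST[@]}" | grep -qx -- "$template"; then
            exception=1
        fi
        sed -i "s/^ISEXCEPTION=.*/ISEXCEPTION=$exception/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
```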
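Review bot: `[ $ISEXCEPTION -eq 1 ]` on the added `if` line is not safe when the variable is unset or empty — for a .cfg written before this patch (no `ISEXCEPTION=` key, assuming the check sources its .cfg) the test collapses to `[ -eq 1 ]`, which emits a test error and falls through to `crit`, so the audit still fails but noisily and for the wrong reason. `if [ "${ISEXCEPTION:-0}" -eq 1 ]; then` defaults cleanly to the non-exempt path. The warn text would also help an auditor if it named the source of the suppression, e.g. `warn "$PACKAGE is installed, but ISEXCEPTION=1 is set in its .cfg (--allow-service); skipping"`, so a log reader can tell a configured exception from a broken check. audit's body continues past this hunk (the loop's `done` and the closing brace follow).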
@@ -34,15 +38,29 @@ apply () {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed $PACKAGE
         if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            if [ $ISEXCEPTION -eq 1 ]; then
+                warn "$PACKAGE is installed! But the exception is set to true, so don't need any operate."
+            else
+                crit "$PACKAGE is installed, purging it"
+                apt-get purge $PACKAGE
+                apt-get autoremove
+            fi
         else
             ok "$PACKAGE is absent"
         fi
     done
 }
+# This function will create the config file for this check with default values
+create_config() {
+cat <