Add audit and apply methods for redhat/CentOS to 1.2.

Samson-W 2019-07-31 18:02:53 +08:00
parent 5ea65ad6de
commit 399a8a3721
2 changed files with 60 additions and 6 deletions


@ -33,7 +33,8 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
Show this help Show this help
--init --init
Initialize the global configuration file(/etc/default/cis-hardening) based on the release version number Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number.
--apply --apply
Apply hardening for enabled scripts. Apply hardening for enabled scripts.


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit Debian 9 Hardening # harbian audit Debian 9/CentOS Hardening
# #
# #
@ -14,9 +14,11 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
OPTION='AllowUnauthenticated' OPTION='AllowUnauthenticated'
YUM_OPTION='gpgcheck'
YUM_CONF='/etc/yum.conf'
# This function will be called if the script status is on enabled / audit mode audit_debian ()
audit () { {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The signature of packages option is disable " crit "The signature of packages option is disable "
FNRET=1 FNRET=1
@ -26,8 +28,37 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat ()
apply () { {
if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
ok "The signature of packages option is enable "
FNRET=0
else
crit "The signature of packages option is disable "
FNRET=1
fi
else
crit "Option $YUM_OPTION is not set in $YUM_CONF!"
FNRET=2
fi
}
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable " ok "The signature of packages option is enable "
else else
@ -39,6 +70,28 @@ apply () {
done done
fi fi
} }
apply_redhat () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
else
warn "Add $YUM_OPTION option to $YUM_CONF"
add_end_of_file $YUM_CONF "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
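Review bot: In `apply_redhat` the line `elif [ $FNRET = 1 ]` has no `; then`, so bash cannot parse the script and this check can neither audit nor apply on any OS; it should read `elif [ "$FNRET" = 1 ]; then`. The `sed` expression two lines below is unanchored, so `s/$YUM_OPTION=.*/.../g` also rewrites other lines containing `gpgcheck=`, such as `repo_gpgcheck=0`, `localpkg_gpgcheck=0` or a commented-out entry. It also misses a `gpgcheck = 0` line written with spaces, which the audit's `^$YUM_OPTION` grep does match, so apply would warn that it set the option while changing nothing. `sed -i "s/^$YUM_OPTION[[:space:]]*=.*/$YUM_OPTION=1/" "$YUM_CONF"` keeps the edit aligned with what the audit matched. Separately, `audit_redhat` reads only `/etc/yum.conf`; a per-repository `gpgcheck=0` under `/etc/yum.repos.d/` would presumably still disable signature checks for that repository, so the audit can report OK when they are off and is worth extending to those files.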