Fix some bugs for 4.6

This commit is contained in:
Samson-W 2020-06-25 21:35:50 +08:00
parent b93743847d
commit 3f7cb765d1


@ -16,16 +16,18 @@ HARDENING_LEVEL=3
PACKAGES='selinux-basics selinux-policy-default' PACKAGES='selinux-basics selinux-policy-default'
SETSTRING="security=selinux" SETSTRING="security=selinux"
APPARMOR_RUN="/sys/kernel/security/apparmor/"
PROC_CMDLINE='/proc/cmdline' PROC_CMDLINE='/proc/cmdline'
SELINUXCONF_FILE='/etc/selinux/config' SELINUXCONF_FILE='/etc/selinux/config'
SELINUXENFORCE_MODE='SELINUX=enforcing' SELINUXENFORCE_MODE='SELINUX=enforcing'
LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm' LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm'
APPARMOR_STATUS='/usr/sbin/aa-status'
audit_debian () { audit_debian () {
if [ -d $APPARMOR_RUN ]; then if [ -f "$APPARMOR_STATUS" ]; then
ok "AppArmor was actived. So pass." if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
return 0 ok "AppArmor was actived. So pass."
return 0
fi
fi fi
for PACKAGE in ${PACKAGES} for PACKAGE in ${PACKAGES}
do do
@ -33,6 +35,7 @@ audit_debian () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
FNRET=1 FNRET=1
return
fi fi
done done
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -47,10 +50,12 @@ audit_debian () {
else else
crit "SELinux is not in Enforcing mode." crit "SELinux is not in Enforcing mode."
FNRET=3 FNRET=3
return
fi fi
else else
crit "SELinux is inactived." crit "SELinux is inactived."
FNRET=2 FNRET=2
return
fi fi
} }
@ -99,27 +104,34 @@ audit () {
} }
apply_debian () { apply_debian () {
if [ -d $APPARMOR_RUN ]; then if [ -f "$APPARMOR_STATUS" ]; then
ok "AppArmor was actived. So pass." if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
return 0 ok "AppArmor was actived. So pass."
return 0
fi
fi fi
if [ $FNRET = 0 ]; then case $FNRET in
ok "SELinux is active and in Enforcing mode." 0) ok "SELinux is active and in Enforcing mode."
elif [ $FNRET = 1 ]; then ;;
warn "$PACKAGE is not installed, install $PACKAGES" 1) warn "$PACKAGE is not installed, install $PACKAGES"
for PACKAGE in ${PACKAGES} for PACKAGE in ${PACKAGES}
do do
install_package $PACKAGE install_package $PACKAGE
done done
elif [ $FNRET = 2 ]; then warn "Set SELinux to activate, and need reboot"
warn "Set SELinux to activate, and need reboot" selinux-activate
selinux-activate warn "Set SELinux to enforcing mode, and need reboot"
elif [ $FNRET = 3 ]; then replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
warn "Set SELinux to enforcing mode, and need reboot" ;;
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE 2) warn "Set SELinux to activate, and need reboot"
else selinux-activate
: warn "Set SELinux to enforcing mode, and need reboot"
fi replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
;;
3) warn "Set SELinux to enforcing mode, and need reboot"
replace_in_file $SELINUXCONF_FILE 'SELINUX=.*' $SELINUXENFORCE_MODE
;;
esac
} }
apply_centos () { apply_centos () {
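Review bot: The new AppArmor pass condition in apply_debian (and its duplicate in audit_debian) misbehaves whenever aa-status prints no "profiles are loaded" line — for instance when the module is not loaded or the tool is run without the privilege it needs — because the unquoted command substitution then expands to nothing and `[ -gt 0 ]` raises an integer-expression error instead of evaluating to a clean false. It also only shows that profiles are loaded, not that any of them enforce; aa-status appears to report the enforce-mode count on a separate line, so a host whose profiles are all in complain mode would pass a check whose SELinux branch insists on enforcing. I would capture the count first and default it, `profiles=$("$APPARMOR_STATUS" 2>/dev/null | awk '/profiles are in enforce mode/ {print $1}')` followed by `if [ "${profiles:-0}" -gt 0 ]; then`, in both functions. Confirm the exact enforce-mode wording against the aa-status version this targets before relying on it.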