Modify is_service_enabled method for debian 9, and apply to 2.25.

2019-04-01 04:15:09 +08:00 · 2019-04-01 04:15:09 +08:00 · 5caa36d5af
parent c6a43f52c0
commit 5caa36d5af
2 changed files with 42 additions and 18 deletions
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@ -31,8 +31,16 @@ apply () {
    info "Checking if $SERVICE_NAME is enabled"
    is_service_enabled $SERVICE_NAME
    if [ $FNRET = 0 ]; then
-        info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        is_debian_9 
+        if [ $FNRET = 0 ]; then
+            info "Disabling $SERVICE_NAME"
+            systemctl stop $SERVICE_NAME
+            systemctl disable $SERVICE_NAME
+            apt-get -y purge --autoremove $SERVICE_NAME
+        else
+            info "Disabling $SERVICE_NAME"
+            update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        fi
    else
        ok "$SERVICE_NAME is disabled"
    fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -1,5 +1,21 @@
 # CIS Debian 7 Hardening Utility functions

+
+#
+# debian version check 
+#
+
+is_debian_9()
+{
+    if $(cat /etc/debian_version | grep -q "^9.[0-9]"); then
+        debug "Debian version is 9.*."
+        FNRET=0
+    else
+        debug "Debian version is not 9.*."
+        FNRET=1
+    fi
+}
+
 #
 # Sysctl 
 #
@ -203,16 +219,26 @@ does_group_exist() {

 is_service_enabled() {
    local SERVICE=$1
-    if [ $($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then
-        debug "Service $SERVICE is enabled"
-        FNRET=0
+    is_debian_9
+    if [ $FNRET = 0 ]; then
+        if [ $(systemctl is-enabled $SERVICE | grep -wc "^enabled") -eq 1 ]; then
+            debug "Service $SERVICE is enabled"
+            FNRET=0
+        else
+            debug "Service $SERVICE is disabled"
+            FNRET=1
+        fi
    else
-        debug "Service $SERVICE is disabled"
-        FNRET=1
+        if [ $($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then
+            debug "Service $SERVICE is enabled"
+            FNRET=0
+        else
+            debug "Service $SERVICE is disabled"
+            FNRET=1
+        fi
    fi
 }

-
 #
 # Kernel Options checks
 #
@ -454,16 +480,6 @@ is_pkg_installed()
    fi
 }

-is_debian_9()
-{
-    if $(cat /etc/debian_version | grep -q "^9.[0-9]"); then
-        debug "Debian version is 9.*."
-        FNRET=0
-    else
-        debug "Debian version is not 9.*."
-        FNRET=1
-    fi
-}

 verify_integrity_all_packages()
 {