Add audit and apply methods for redhat/CentOS to 1.1.

bin/hardening.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9 / CentOS Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
 # Authors : Samson wen, Samson <sccxboy@gmail.com>
 
@@ -171,8 +171,9 @@ fi
 
 if [ $INIT_G_CONFIG -eq 1 ]; then
 	if [ -r /etc/redhat-release ]; then
-		info "This OS is redhat or CentOS."
+		info "This OS is redhat/CentOS."
 		sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening 
+		. /etc/default/cis-hardening
 	elif [ -r /etc/debian_version ]; then
 		info "This OS is Debian."
 		:
@@ -183,6 +184,14 @@ if [ $INIT_G_CONFIG -eq 1 ]; then
 	exit 0
 fi
 
+if [ $OS_RELEASE -eq 1 ]; then
+	info "Start auditing for Debian."
+elif [ $OS_RELEASE -eq 2 ]; then
+	info "Start auditing for redhat/CentOS."
+else
+	crit "This OS not support!"
+	exit 128
+fi
 
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then

bin/hardening/1.1_install_updates.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9/CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #
 
 #
@@ -13,8 +14,9 @@ set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
 
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+
+audit_debian ()
+{
     info "Checking if apt needs an update"
     apt_update_if_needed 
     info "Fetching upgrades ..."
@@ -28,16 +30,67 @@ audit () {
     fi
 }
 
-# This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET -gt 0 ]; then 
+audit_redhat ()
+{
+	info "Checking if yum needs an update"
+	info "Fetching upgrades ..."
+	yum_check_updates
+	if [ $FNRET -eq 100 ]; then
+		crit "There are packages available for an update!"
+	elif [ $FNRET -eq 0 ]; then
+		ok "No upgrades available"
+	else
+		crit "Call yum_check_updates function error!"
+	fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () 
+{
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44 
+	fi
+}
+
+apply_debian ()
+{
+    if [ $FNRET -eq 1 ]; then 
         info "Applying Upgrades..."
         DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
-    else
-        ok "No Upgrades to apply"
+	else
+		ok "No Upgrades to apply"
     fi
 }
 
+apply_redhat ()
+{
+	if [ $FNRET -eq 100 ]; then 
+		info "Applying Upgrades..."
+		yum upgrade -y
+	elif [ $FNRET -eq 0 ]; then 
+		ok "No Upgrades to apply"
+	else
+		crit "Call yum_check_updates function error!"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () 
+{
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
+
 # This function will check config parameters required
 check_config() {
     # No parameters for this function

lib/utils.sh

@@ -880,3 +880,22 @@ check_auditd_is_immutable_mode()
 		eval $(pkill -HUP -P 1 auditd)
 	fi
 }
+
+
+#
+# yum
+#
+
+# FNRET values:
+# 100: need update
+# 0: not need update
+# 1: error
+yum_check_updates() 
+{
+	FNRET=$($SUDO_CMD yum check-update > /dev/null; echo $?)
+	if [ $FNRET -eq 100 ]; then 
+		# update too old, refresh database
+		$SUDO_CMD yum makecache >/dev/null 2>/dev/null
+    fi
+}
+