From 7433811fa0a020394b38c548fae89793dedf4094 Mon Sep 17 00:00:00 2001
From: samson
Date: Wed, 5 Dec 2018 16:28:34 +0800
Subject: [PATCH] Fix some bugs.
---
bin/hardening/8.2.4_set_logfile_perm.sh | 93 +++++++++++---------
bin/hardening/8.2.5_syslog-ng_remote_host.sh | 37 +++++---
2 files changed, 75 insertions(+), 55 deletions(-)
diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh
index 869cbfb..866dd03 100755
--- a/bin/hardening/8.2.4_set_logfile_perm.sh
+++ b/bin/hardening/8.2.4_set_logfile_perm.sh
@@ -19,51 +19,62 @@ GROUP='adm' # This function will be called if the script status is on enabled / audit mode audit () { - FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2) - for FILE in $FILES; do - does_file_exist $FILE - if [ $FNRET != 0 ]; then - crit "$FILE does not exist" - else - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then - ok "$FILE has correct ownership" - else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" - fi - fi - done + does_file_exist "$SYSLOG_BASEDIR/syslog-ng.conf" + if [ $FNRET != 0 ]; then + warn "$SYSLOG_BASEDIR/syslog-ng.conf is not exist! " + FNRET=1 + else + FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2) + for FILE in $FILES; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi + fi + done + fi } # This function will be called if the script status is on enabled mode apply () { - for FILE in $FILES; do - does_file_exist $FILE - if [ $FNRET != 0 ]; then - info "$FILE does not exist" - touch $FILE - fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then - ok "$FILE has correct ownership" - else - warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE - fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS 
$FILE - fi - done + if [ $FNRET = 1 ]; then + warn "$SYSLOG_BASEDIR/syslog-ng.conf is not exist! " + else + FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2) + for FILE in $FILES; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi + done + fi } # This function will create the config file for this check with default values diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh index 60f143d..b90e8ce 100755 --- a/bin/hardening/8.2.5_syslog-ng_remote_host.sh +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh 
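Review bot: The new guard in apply(), `if [ $FNRET = 1 ]; then`, reads a global that audit() overwrites on every helper call, so after the audit loop has run it no longer means "syslog-ng.conf is missing". If the last `has_file_correct_permissions` call in audit() leaves FNRET at 1 (presumably what the helper does on a mismatch; it is not shown here), apply() logs that the config does not exist and skips the chown/chmod, which is exactly the case where the fix is needed. Re-test the condition inside apply() instead: `does_file_exist "$SYSLOG_BASEDIR/syslog-ng.conf"` followed by `if [ $FNRET != 0 ]; then`. The apply() guard in the 8.2.5_syslog-ng_remote_host.sh hunk depends on a stale FNRET in the same way.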
@@ -17,24 +17,33 @@ PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)' # This function will be called if the script status is on enabled / audit mode audit () { - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" - does_pattern_exist_in_file "$FILES" "$PATTERN" - if [ $FNRET != 0 ]; then - crit "$PATTERN is not present in $FILES" - else - ok "$PATTERN is present in $FILES" - fi + if [ -d "$SYSLOG_BASEDIR" ]; then + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" + does_pattern_exist_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN is not present in $FILES" + else + ok "$PATTERN is present in $FILES" + fi + else + warn "$SYSLOG_BASEDIR is not exist!" + FNRET=1 + fi } # This function will be called if the script status is on enabled mode apply () { - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" - does_pattern_exist_in_file "$FILES" "$PATTERN" - if [ $FNRET != 0 ]; then - crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" - else - ok "$PATTERN is present in $FILES" - fi + if [ $FNRET = 1 ]; then + warn "$SYSLOG_BASEDIR is not exist!" + else + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" + does_pattern_exist_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" + else + ok "$PATTERN is present in $FILES" + fi + fi } # This function will create the config file for this check with default values
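Review bot: When `$SYSLOG_BASEDIR` is absent, audit() now ends with `warn` and no `crit`, so a host with no syslog-ng configuration at all is not reported as failing the remote-log-host check, assuming only `crit` marks a check as failed (the logging helpers are not in this hunk). If skipping is intended for hosts without syslog-ng, a comment above the `warn` such as `# syslog-ng not installed: nothing to audit here, remote logging must be covered by another check` would make that explicit; otherwise use `crit` on this branch. The `-d` test also passes when the directory exists but `syslog-ng.conf` does not, which differs from the file test used in 8.2.4.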