From 7435284d07a1eec094defda71df5a2524938a62f Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Thu, 1 Aug 2019 04:01:28 +0800
Subject: [PATCH] Add audit and apply methods for redhat/CentOS to 1.3
---
 ....3_enable_verify_sign_of_local_packages.sh | 63 +++++++++++++++++--
 1 file changed, 58 insertions(+), 5 deletions(-)
diff --git a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh
index f995c19..971d958 100755
--- a/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh
+++ b/bin/hardening/1.3_enable_verify_sign_of_local_packages.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-# harbian audit Debian 9 Hardening
+# harbian audit Debian 9/CentOS Hardening
 #
 #
@@ -16,8 +16,10 @@ HARDENING_LEVEL=2
 OPTION='no-debsig'
 CONFFILE='/etc/dpkg/dpkg.cfg'
-# This function will be called if the script status is on enabled / audit mode
-audit () {
+YUM_OPTION='localpkg_gpgcheck'
+YUM_CONFFILE='/etc/yum.conf'
+
+audit_debian () {
 if [ $(grep -v "^#" ${CONFFILE} | grep -c ${OPTION}) -gt 0 ]; then
 crit "The signature of local packages option is disable "
 FNRET=1
@@ -27,8 +29,36 @@ audit () {
 fi
 }
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat ()
+{
+ if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
+ if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
+ ok "The signature of packages option is enable "
+ FNRET=0
+ else
+ crit "The signature of packages option is disable "
+ FNRET=1
+ fi
+ else
+ crit "Option $YUM_OPTION is not set in $YUM_CONF!"
+ FNRET=2
+ fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit()
+{
+ if [ $OS_RELEASE -eq 1 ]; then
+ audit_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ audit_redhat
+ else
+ crit "Current OS is not support!"
+ FNRET=44
+ fi
+}
+
+apply_debian () {
 if [ $FNRET = 0 ]; then
 ok "The signature of local packages option is enable "
 else
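Review bot: `audit_redhat` reads `$YUM_CONF`, but the variable this patch defines is `YUM_CONFFILE='/etc/yum.conf'` and nothing on the page sets `YUM_CONF`, so `grep -c "^$YUM_OPTION" $YUM_CONF` runs with no file argument (grep reads stdin instead of /etc/yum.conf) and the CentOS check never evaluates the real configuration; if the script runs under `set -u`, it aborts at that line instead. `apply_redhat` in the next hunk has the same mismatch in its `sed -i` and `add_end_of_file` calls. Either rename the definition to `YUM_CONF='/etc/yum.conf'` or change every use to the defined name and quote it, e.g. `if [ $(grep -c "^$YUM_OPTION" "$YUM_CONFFILE") -gt 0 ]; then`. The inner `-eq 1` test also assumes exactly one `localpkg_gpgcheck` line in the file; a second occurrence makes the awk output multi-word and the test fails with an error rather than reporting crit, so consider `grep "^$YUM_OPTION" "$YUM_CONFFILE" | tail -n 1 | awk -F"=" '{print $2}'` or a crit when the count is not 1.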
@@ -38,6 +68,29 @@ apply () {
 fi
 }
+apply_redhat () {
+ if [ $FNRET = 0 ]; then
+ ok "The signature of packages option is enable "
+ elif [ $FNRET = 1 ]; then
+ warn "Set to enabled signature of packages option"
+ sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
+ else
+ warn "Add $YUM_OPTION option to $YUM_CONF"
+ add_end_of_file $YUM_CONF "$YUM_OPTION=1"
+ fi
+}
+
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $OS_RELEASE -eq 1 ]; then
+ apply_debian
+ elif [ $OS_RELEASE -eq 2 ]; then
+ apply_redhat
+ else
+ crit "Current OS is not support!"
+ fi
+}
 # This function will check config parameters required
 check_config() {
 # No parameters for this function
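Review bot: The `sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g"` in `apply_redhat` is not anchored and does not tolerate whitespace around `=`, while the audit in the previous hunk matches `^$YUM_OPTION` at line start; the two therefore disagree on which lines count. A commented-out `#localpkg_gpgcheck=0` line is rewritten (to `#localpkg_gpgcheck=1`, changing nothing), whereas a `localpkg_gpgcheck = 0` line, which yum's INI-style parser accepts as far as I know, is left untouched, so the apply reports the option as set while the control remains disabled on the next audit. Anchoring and allowing optional spaces keeps the remediation aligned with the check: `sed -i "s/^$YUM_OPTION[[:space:]]*=.*/$YUM_OPTION=1/" "$YUM_CONFFILE"` (using the config-file variable the patch actually defines). The `/g` flag is redundant on a line-anchored pattern and can be dropped.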