@@ -28,7 +28,7 @@ SUDO_MODE=''
2828BATCH_MODE=' '
2929
3030usage () {
31- cat << EOF
31+ cat << EOF
3232$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
3333
3434 --help -h
@@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
117117while [[ $# > 0 ]]; do
118118 ARG=" $1 "
119119 case $ARG in
120- --audit)
121- AUDIT=1
120+ --audit)
121+ AUDIT=1
122122 ;;
123- --audit-all)
124- AUDIT_ALL=1
123+ --audit-all)
124+ AUDIT_ALL=1
125125 ;;
126- --audit-all-enable-passed)
127- AUDIT_ALL_ENABLE_PASSED=1
126+ --audit-all-enable-passed)
127+ AUDIT_ALL_ENABLE_PASSED=1
128128 ;;
129- --apply)
130- APPLY=1
129+ --apply)
130+ APPLY=1
131131 ;;
132- --allow-service-list)
133- ALLOW_SERVICE_LIST=1
132+ --allow-service-list)
133+ ALLOW_SERVICE_LIST=1
134134 ;;
135- --create-config-files-only)
136- CREATE_CONFIG=1
135+ --create-config-files-only)
136+ CREATE_CONFIG=1
137137 ;;
138- --allow-service)
139- ALLOWED_SERVICES_LIST[${# ALLOWED_SERVICES_LIST[@]} ]=" $2 "
140- shift
138+ --allow-service)
139+ ALLOWED_SERVICES_LIST[${# ALLOWED_SERVICES_LIST[@]} ]=" $2 "
140+ shift
141141 ;;
142- --set-hardening-level)
143- SET_HARDENING_LEVEL=" $2 "
144- shift
142+ --set-hardening-level)
143+ SET_HARDENING_LEVEL=" $2 "
144+ shift
145145 ;;
146- --only)
147- TEST_LIST[${# TEST_LIST[@]} ]=" $2 "
148- shift
146+ --only)
147+ TEST_LIST[${# TEST_LIST[@]} ]=" $2 "
148+ shift
149149 ;;
150- --sudo)
151- SUDO_MODE=' --sudo'
150+ --sudo)
151+ SUDO_MODE=' --sudo'
152152 ;;
153- --batch)
154- BATCH_MODE=' --batch'
155- LOGLEVEL=ok
153+ --batch)
154+ BATCH_MODE=' --batch'
155+ LOGLEVEL=ok
156156 ;;
157- -h| --help)
158- usage
157+ -h | --help)
158+ usage
159159 ;;
160- * )
161- usage
160+ * )
161+ usage
162162 ;;
163163 esac
164164 shift
@@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
174174 . /etc/default/cis-hardening
175175fi
176176if [ -z " $CIS_ROOT_DIR " ]; then
177- echo " There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
178- echo " Cannot source CIS_ROOT_DIR variable, aborting."
177+ echo " There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
178+ echo " Cannot source CIS_ROOT_DIR variable, aborting."
179179 exit 128
180180fi
181181
182- [ -r $CIS_ROOT_DIR /lib/constants.sh ] && . $CIS_ROOT_DIR /lib/constants.sh
182+ [ -r $CIS_ROOT_DIR /lib/constants.sh ] && . $CIS_ROOT_DIR /lib/constants.sh
183183[ -r $CIS_ROOT_DIR /etc/hardening.cfg ] && . $CIS_ROOT_DIR /etc/hardening.cfg
184- [ -r $CIS_ROOT_DIR /lib/common.sh ] && . $CIS_ROOT_DIR /lib/common.sh
185- [ -r $CIS_ROOT_DIR /lib/utils.sh ] && . $CIS_ROOT_DIR /lib/utils.sh
184+ [ -r $CIS_ROOT_DIR /lib/common.sh ] && . $CIS_ROOT_DIR /lib/common.sh
185+ [ -r $CIS_ROOT_DIR /lib/utils.sh ] && . $CIS_ROOT_DIR /lib/utils.sh
186186
187187if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
188188
189189# If --allow-service-list is specified, don't run anything, just list the supported services
190- if [ " $ALLOW_SERVICE_LIST " = 1 ] ; then
190+ if [ " $ALLOW_SERVICE_LIST " = 1 ]; then
191191 declare -a HARDENING_EXCEPTIONS_LIST
192192 for SCRIPT in $( ls $CIS_ROOT_DIR /bin/hardening/* .sh -v) ; do
193193 template=$( grep " ^HARDENING_EXCEPTION=" " $SCRIPT " | cut -d= -f2)
@@ -198,16 +198,16 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
198198fi
199199
200200# If --set-hardening-level is specified, don't run anything, just apply config for each script
201- if [ -n " $SET_HARDENING_LEVEL " -a " $SET_HARDENING_LEVEL " != 0 ] ; then
202- if ! grep -q " ^[12345]$" <<< " $SET_HARDENING_LEVEL" ; then
201+ if [ -n " $SET_HARDENING_LEVEL " -a " $SET_HARDENING_LEVEL " != 0 ]; then
202+ if ! grep -q " ^[12345]$" <<< " $SET_HARDENING_LEVEL" ; then
203203 echo " Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL '), expected 1 to 5"
204204 exit 1
205205 fi
206206
207207 for SCRIPT in $( ls $CIS_ROOT_DIR /bin/hardening/* .sh -v) ; do
208208 SCRIPT_BASENAME=$( basename $SCRIPT .sh)
209209 script_level=$( grep " ^HARDENING_LEVEL=" " $SCRIPT " | cut -d= -f2)
210- if [ -z " $script_level " ] ; then
210+ if [ -z " $script_level " ]; then
211211 echo " The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
212212 continue
213213 fi
226226
227227# Parse every scripts and execute them in the required mode
228228for SCRIPT in $( ls $CIS_ROOT_DIR /bin/hardening/* .sh -v) ; do
229- if [ ${# TEST_LIST[@]} -gt 0 ] ; then
229+ if [ ${# TEST_LIST[@]} -gt 0 ]; then
230230 # --only X has been specified at least once, is this script in my list ?
231- SCRIPT_PREFIX=$( grep -Eo ' ^[0-9.]+' <<< " $(basename $SCRIPT)" )
232- SCRIPT_PREFIX_RE=$( sed -e ' s/\./\\./g' <<< " $SCRIPT_PREFIX" )
233- if ! grep -qwE " (^| )$SCRIPT_PREFIX_RE " <<< " ${TEST_LIST[@]}" ; then
231+ SCRIPT_PREFIX=$( grep -Eo ' ^[0-9.]+' <<< " $(basename $SCRIPT)" )
232+ SCRIPT_PREFIX_RE=$( sed -e ' s/\./\\./g' <<< " $SCRIPT_PREFIX" )
233+ if ! grep -qwE " (^| )$SCRIPT_PREFIX_RE " <<< " ${TEST_LIST[@]}" ; then
234234 # not in the list
235235 continue
236236 fi
@@ -258,56 +258,56 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
258258
259259 debug " Script $SCRIPT finished with exit code $SCRIPT_EXITCODE "
260260 case $SCRIPT_EXITCODE in
261- 0)
262- debug " $SCRIPT passed"
263- PASSED_CHECKS=$(( PASSED_CHECKS+ 1 ))
264- if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
265- SCRIPT_BASENAME=$( basename $SCRIPT .sh)
266- sed -i -re ' s/^status=.+/status=enabled/' $CIS_ROOT_DIR /etc/conf.d/$SCRIPT_BASENAME .cfg
267- info " Status set to enabled in $CIS_ROOT_DIR /etc/conf.d/$SCRIPT_BASENAME .cfg"
268- fi
261+ 0)
262+ debug " $SCRIPT passed"
263+ PASSED_CHECKS=$(( PASSED_CHECKS + 1 ))
264+ if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
265+ SCRIPT_BASENAME=$( basename $SCRIPT .sh)
266+ sed -i -re ' s/^status=.+/status=enabled/' $CIS_ROOT_DIR /etc/conf.d/$SCRIPT_BASENAME .cfg
267+ info " Status set to enabled in $CIS_ROOT_DIR /etc/conf.d/$SCRIPT_BASENAME .cfg"
268+ fi
269269 ;;
270- 1)
271- debug " $SCRIPT failed"
272- FAILED_CHECKS=$(( FAILED_CHECKS+ 1 ))
270+ 1)
271+ debug " $SCRIPT failed"
272+ FAILED_CHECKS=$(( FAILED_CHECKS + 1 ))
273273 ;;
274- 2)
275- debug " $SCRIPT is disabled"
276- DISABLED_CHECKS=$(( DISABLED_CHECKS+ 1 ))
274+ 2)
275+ debug " $SCRIPT is disabled"
276+ DISABLED_CHECKS=$(( DISABLED_CHECKS + 1 ))
277277 ;;
278278 esac
279279
280- TOTAL_CHECKS=$(( TOTAL_CHECKS+ 1 ))
280+ TOTAL_CHECKS=$(( TOTAL_CHECKS + 1 ))
281281
282282done
283283
284- TOTAL_TREATED_CHECKS=$(( TOTAL_CHECKS- DISABLED_CHECKS))
284+ TOTAL_TREATED_CHECKS=$(( TOTAL_CHECKS - DISABLED_CHECKS))
285285
286286if [ $BATCH_MODE ]; then
287287 BATCH_SUMMARY=" AUDIT_SUMMARY "
288288 BATCH_SUMMARY+=" PASSED_CHECKS:${PASSED_CHECKS:- 0} "
289289 BATCH_SUMMARY+=" RUN_CHECKS:${TOTAL_TREATED_CHECKS:- 0} "
290290 BATCH_SUMMARY+=" TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:- 0} "
291291 if [ $TOTAL_TREATED_CHECKS != 0 ]; then
292- CONFORMITY_PERCENTAGE=$( bc -l <<< " scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" )
292+ CONFORMITY_PERCENTAGE=$( bc -l <<< " scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" )
293293 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$( printf " %s" " $CONFORMITY_PERCENTAGE " ) "
294294 else
295295 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
296296 fi
297297 becho $BATCH_SUMMARY
298298else
299299 printf " %40s\n" " ################### SUMMARY ###################"
300- printf " %30s %s\n" " Total Available Checks :" " $TOTAL_CHECKS "
301- printf " %30s %s\n" " Total Runned Checks :" " $TOTAL_TREATED_CHECKS "
302- printf " %30s [ %7s ]\n" " Total Passed Checks :" " $PASSED_CHECKS /$TOTAL_TREATED_CHECKS "
303- printf " %30s [ %7s ]\n" " Total Failed Checks :" " $FAILED_CHECKS /$TOTAL_TREATED_CHECKS "
304-
305- ENABLED_CHECKS_PERCENTAGE=$( bc -l <<< " scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" )
306- CONFORMITY_PERCENTAGE=$( bc -l <<< " scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" )
307- printf " %30s %s %%\n" " Enabled Checks Percentage :" " $ENABLED_CHECKS_PERCENTAGE "
300+ printf " %30s %s\n" " Total Available Checks :" " $TOTAL_CHECKS "
301+ printf " %30s %s\n" " Total Runned Checks :" " $TOTAL_TREATED_CHECKS "
302+ printf " %30s [ %7s ]\n" " Total Passed Checks :" " $PASSED_CHECKS /$TOTAL_TREATED_CHECKS "
303+ printf " %30s [ %7s ]\n" " Total Failed Checks :" " $FAILED_CHECKS /$TOTAL_TREATED_CHECKS "
304+
305+ ENABLED_CHECKS_PERCENTAGE=$( bc -l <<< " scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" )
306+ CONFORMITY_PERCENTAGE=$( bc -l <<< " scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" )
307+ printf " %30s %s %%\n" " Enabled Checks Percentage :" " $ENABLED_CHECKS_PERCENTAGE "
308308 if [ $TOTAL_TREATED_CHECKS != 0 ]; then
309- printf " %30s %s %%\n" " Conformity Percentage :" " $CONFORMITY_PERCENTAGE "
309+ printf " %30s %s %%\n" " Conformity Percentage :" " $CONFORMITY_PERCENTAGE "
310310 else
311- printf " %30s %s %%\n" " Conformity Percentage :" " N.A" # No check runned, avoid division by 0
311+ printf " %30s %s %%\n" " Conformity Percentage :" " N.A" # No check runned, avoid division by 0
312312 fi
313313fi