feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

Author: Damien Cavagnini

bin/hardening.sh

@@ -29,6 +29,7 @@ BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
+USED_VERSION="default"
 
 usage() {
     cat <<EOF
@@ -105,6 +106,13 @@ OPTIONS:
         This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
+    --set-version <version>
+        This option allows to run the scripts as defined for a specific CIS debian version.
+        Supported version are the folders listed in the "versions" folder.
+        examples:
+          --set-version debian_11
+          --set-version ovh_legacy
+
     --summary-json
         While performing system audit, this option sets LOGLEVEL to silent and
         only output a json summary at the end
@@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
         ASK_LOGLEVEL=$2
         shift
         ;;
+    --set-version)
+        USED_VERSION=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/constants.sh
 [ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
+# ensure the CIS version exists
+does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
+if [ "$FNRET" -ne 0 ] ; then
+  echo "$USED_VERSION is not a valid version"
+  echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+  exit 1
+fi
+
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 
+# update path for the remaining of the script
+CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
+
 if [ "$DISTRIBUTION" != "debian" ]; then
     echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
     if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then

debian/default

@@ -5,3 +5,4 @@ CIS_LIB_DIR='/opt/cis-hardening/lib'
 CIS_CHECKS_DIR="/opt/cis-hardening/bin/hardening"
 CIS_CONF_DIR='/opt/cis-hardening/etc'
 CIS_TMP_DIR='/opt/cis-hardening/tmp'
+CIS_VERSIONS_DIR='/opt/cis-hardening/versions'

lib/main.sh

@@ -1,6 +1,7 @@
 # shellcheck shell=bash
 # run-shellcheck
 
+SCRIPT_FULL_PATH=$(realpath -s "$0")
 LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
@@ -71,18 +72,40 @@ done
 info "Working on $SCRIPT_NAME"
 info "[DESCRIPTION] $DESCRIPTION"
 
+# check if the script is a link
+# if a file, script is executed from "bin/hardening", create a cfg file (if not already exists)
+# if a link, script is executed from "version"/X", create a link, or update it if already exits
+if [ -L "${SCRIPT_FULL_PATH}" ] ; then
+    # script is a link
+    script_real_path=$(readlink -f "${SCRIPT_FULL_PATH}")
+    script_real_name=$(basename "$script_real_path")
+    cfg_file=$(basename -s .sh "$script_real_path").cfg
+    cfg_link="$SCRIPT_NAME".cfg
+else
+    # script is a file
+    script_real_name=$LONG_SCRIPT_NAME
+    cfg_file="$SCRIPT_NAME".cfg
+    cfg_link=""
+fi
+
 # Source specific configuration file
-if ! [ -r "${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg ]; then
+if ! [ -r "${CIS_CONF_DIR}"/conf.d/"$cfg_file" ]; then
     # If it doesn't exist, create it with default values
-    echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+    echo "# Configuration for $script_real_name, created from default values on $(date)" >"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
     # If create_config is a defined function, execute it.
     # Otherwise, just disable the test by default.
     if type -t create_config | grep -qw function; then
-        create_config >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+        create_config >>"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
     else
-        echo "status=audit" >>"${CIS_CONF_DIR}"/conf.d/"$SCRIPT_NAME".cfg
+        echo "status=audit" >>"${CIS_CONF_DIR}"/conf.d/"$cfg_file"
     fi
+fi
 
+if [ -n "$cfg_link" ] ; then
+    if [ -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ] ; then
+        rm -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
+    fi
+    ln -fs "${CIS_CONF_DIR}"/conf.d/"$cfg_file" "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
 fi
 
 if [ "$forcedstatus" = "createconfig" ]; then

lib/utils.sh

@@ -11,7 +11,6 @@ has_sysctl_param_expected_result() {
     local SYSCTL_PARAM=$1
     local EXP_RESULT=$2
 
-    # shellcheck disable=SC2319
     if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
         FNRET=0
     elif [ "$?" = 255 ]; then
@@ -36,7 +35,6 @@ set_sysctl_param() {
     local SYSCTL_PARAM=$1
     local VALUE=$2
     debug "Setting $SYSCTL_PARAM to $VALUE"
-    # shellcheck disable=SC2319
     if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
         FNRET=0
     elif [ $? = 255 ]; then

versions/README.md

@@ -0,0 +1,8 @@
+Here, we'll add some folders to represent a specific CIS version to use.
+Each folder will contains links to adequat scripts
+
+Ex:
+debian12/
+        1.1.1.1_disable_cramfs.sh ->../../bin/hardening/disable_cramfs.sh
+        1.1.1.2_disable_freevxfs.sh ->../../bin/hardening/disable_freevxfs.sh
+        etc.

versions/default

@@ -0,0 +1 @@
+../bin/hardening