Damcava35/set version by damcav35 · Pull Request #257 · ovh/debian-cis

damcav35 · 2025-06-25T14:23:56Z

No description provided.

github-actions · 2025-06-25T14:24:13Z

`sh-checker report`

To get the full details, please check in the job output.

shellcheck errors

shellcheck checking is disabled.

shfmt errors


'shfmt -l -i 4 -w' returned error 1 finding the following formatting issues:

----------
bin/hardening.sh
--- bin/hardening.sh.orig
+++ bin/hardening.sh
@@ -231,10 +231,10 @@
 
 # ensure the CIS version exists
 does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
-if [ "$FNRET" -ne 0 ] ; then
-  echo "$USED_VERSION is not a valid version"
-  echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
-  exit 1
+if [ "$FNRET" -ne 0 ]; then
+    echo "$USED_VERSION is not a valid version"
+    echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+    exit 1
 fi
 
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
lib/main.sh
--- lib/main.sh.orig
+++ lib/main.sh
@@ -75,7 +75,7 @@
 # check if the script is a link
 # if a file, script is executed from "bin/hardening", create a cfg file (if not already exists)
 # if a link, script is executed from "version"/X", create a link, or update it if already exits
-if [ -L "${SCRIPT_FULL_PATH}" ] ; then
+if [ -L "${SCRIPT_FULL_PATH}" ]; then
     # script is a link
     script_real_path=$(readlink -f "${SCRIPT_FULL_PATH}")
     script_real_name=$(basename "$script_real_path")
@@ -101,8 +101,8 @@
     fi
 fi
 
-if [ -n "$cfg_link" ] ; then
-    if [ -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ] ; then
+if [ -n "$cfg_link" ]; then
+    if [ -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link" ]; then
         rm -f "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
     fi
     ln -fs "${CIS_CONF_DIR}"/conf.d/"$cfg_file" "${CIS_CONF_DIR}"/conf.d/"$cfg_link"
----------

You can reformat the above files to meet shfmt's requirements by typing:

  shfmt -l -i 4 -w -w filename

github-actions · 2025-06-25T14:35:19Z

`sh-checker report`

To get the full details, please check in the job output.

shellcheck errors

shellcheck checking is disabled.

shfmt errors


'shfmt -l -i 4 -w' returned error 1 finding the following formatting issues:

----------
bin/hardening.sh
--- bin/hardening.sh.orig
+++ bin/hardening.sh
@@ -231,7 +231,7 @@
 
 # ensure the CIS version exists
 does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
-if [ "$FNRET" -ne 0 ] ; then
+if [ "$FNRET" -ne 0 ]; then
     echo "$USED_VERSION is not a valid version"
     echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
     exit 1
----------

You can reformat the above files to meet shfmt's requirements by typing:

  shfmt -l -i 4 -w -w filename

ovh-cds · 2025-06-25T14:37:15Z

CDS Report build-stretch-amd64#581.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:15Z

CDS Report build-bullseye-amd64#580.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:16Z

CDS Report build-buster-amd64#581.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:16Z

CDS Report build-stretch-amd64#580.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:17Z

CDS Report build-buster-amd64#580.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:20Z

CDS Report build-bullseye-amd64#581.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:21Z

CDS Report build-bookworm-amd64#580.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T14:37:27Z

CDS Report build-bookworm-amd64#581.0 ✔
*

Build ✔

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

And use it as default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. Only impact is if you are used to execute scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended. I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times: - test repository is not cleaned - configuration is updated multiple times Those tests are also failing, because: - the sed to change the status in the configuration was also changing the test folder path. - missing /proc in EXCLUDED paths - the EXCLUDED configuration doesn't have the correct format for egrep

ovh-cds · 2025-06-25T15:01:09Z

CDS Report build-stretch-amd64#583.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:09Z

CDS Report build-bullseye-amd64#583.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:11Z

CDS Report build-buster-amd64#582.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:12Z

CDS Report build-bullseye-amd64#582.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:12Z

CDS Report build-stretch-amd64#582.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:12Z

CDS Report build-buster-amd64#583.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:16Z

CDS Report build-bookworm-amd64#583.0 ✔
*

Build ✔

ovh-cds · 2025-06-25T15:01:22Z

CDS Report build-bookworm-amd64#582.0 ✔
*

Build ✔

ThibaultDewailly · 2025-06-30T08:23:37Z

bin/hardening.sh

+        This option allows to run the scripts as defined for a specific CIS debian version.
+        Supported version are the folders listed in the "versions" folder.
+        examples:
+          --set-version debian_11


debian word is redundant here, on next step we should decide between 11, bullseye, or bullseye_11

We can also include the pdf file version, like "12_1.0.1", "11_1.0.0" etc.

pdf version may be not convenient for automation usage though

We'll settle that in the next PR

damcav35 force-pushed the damcava35/set_version branch from 9b1ac1d to babcc49 Compare June 25, 2025 14:35

Damien Cavagnini added 4 commits June 25, 2025 16:58

feat: add "--set-version" option

300095c

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

chore: remove CIS recommendation numbers from bin/hardening scripts

b6965e7

damcav35 force-pushed the damcava35/set_version branch from babcc49 to ecd32e8 Compare June 25, 2025 14:58

ThibaultDewailly reviewed Jun 30, 2025

View reviewed changes

ThibaultDewailly approved these changes Jul 1, 2025

View reviewed changes

ThibaultDewailly merged commit be33848 into master Jul 1, 2025
11 checks passed

damcav35 deleted the damcava35/set_version branch July 22, 2025 08:55

Conversation

damcav35 commented Jun 25, 2025

Uh oh!

github-actions bot commented Jun 25, 2025

sh-checker report

Uh oh!

github-actions bot commented Jun 25, 2025

sh-checker report

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ovh-cds commented Jun 25, 2025

Uh oh!

ThibaultDewailly Jun 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

damcav35 Jun 30, 2025

Choose a reason for hiding this comment

Uh oh!

damcav35 Jun 30, 2025

Choose a reason for hiding this comment

Uh oh!

ThibaultDewailly Jul 1, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

`sh-checker report`

`sh-checker report`

ThibaultDewailly Jun 30, 2025 •

edited

Loading