Everbrent/cis
8
0
Fork 0
mirror of https://github.com/m8tin/cis.git synced 2026-06-02 14:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Checks improved

Browse Source
This commit is contained in:
Martin Berghaus
2026-05-09 21:59:40 +02:00
parent ee114ee732
commit 00b920763e
30 changed files with 21 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+3
View File
@@ -9,6 +9,9 @@
!/definitions/README.md !/definitions/README.md
!/definitions/default/ !/definitions/default/
/definitions/default/* /definitions/default/*
!/definitions/default/check/
/definitions/default/check/*
!/definitions/default/check/all/
!/definitions/default/core/ !/definitions/default/core/
/definitions/default/core/* /definitions/default/core/*
!/definitions/default/core/all/ !/definitions/default/core/all/
script/check/host/all/app_docker-compose_is_installed.check.sh → definitions/default/check/all/app_docker-compose_is_installed.check.sh
View File
script/check/host/all/app_docker_is_installed.check.sh → definitions/default/check/all/app_docker_is_installed.check.sh
View File
script/check/host/all/app_nginx_is_installed.check.sh → definitions/default/check/all/app_nginx_is_installed.check.sh
View File
script/check/host/all/app_nginx_starts_reliable.check.sh → definitions/default/check/all/app_nginx_starts_reliable.check.sh
View File
script/check/host/all/core_cron_starts_setup_as_fallback.check.sh → definitions/default/check/all/core_cron_starts_setup_as_fallback.check.sh
View File
script/check/host/all/core_git_app_is_installed.check.sh → definitions/default/check/all/core_git_app_is_installed.check.sh
View File
script/check/host/all/core_hostname_is_long.check.sh → definitions/default/check/all/core_hostname_is_long.check.sh
View File
script/check/host/all/core_pam_lib_google-authenticator_is_installed.check.sh → definitions/default/check/all/core_pam_lib_google-authenticator_is_installed.check.sh
View File
script/check/host/all/core_pam_lib_pwquality_is_installed.check.sh → definitions/default/check/all/core_pam_lib_pwquality_is_installed.check.sh
View File
script/check/host/all/core_ssh_app_is_installed.check.sh → definitions/default/check/all/core_ssh_app_is_installed.check.sh
View File
script/check/host/all/core_ssh_authorized_keys_of_jenkins_points_to_definitions.check.sh → definitions/default/check/all/core_ssh_authorized_keys_of_jenkins_points_to_definitions.check.sh
View File
script/check/host/all/core_ssh_authorized_keys_of_root_is_empty_or_points_to_definitions.check.sh → definitions/default/check/all/core_ssh_authorized_keys_of_root_is_empty_or_points_to_definitions.check.sh
View File
script/check/host/all/core_ssh_config_access_restriction.check.sh → definitions/default/check/all/core_ssh_config_access_restriction.check.sh
View File
script/check/host/all/core_ssh_group_ssh_login_exists.check.sh → definitions/default/check/all/core_ssh_group_ssh_login_exists.check.sh
View File
script/check/host/all/core_ssh_key_of_root_exists_as_expected.check.sh → definitions/default/check/all/core_ssh_key_of_root_exists_as_expected.check.sh
View File
script/check/host/all/core_ssh_user_jenkins_is_member_of_group_ssh_login.check.sh → definitions/default/check/all/core_ssh_user_jenkins_is_member_of_group_ssh_login.check.sh
View File
script/check/host/all/core_sudoers_file_of_jenkins_points_to_definitions.check.sh → definitions/default/check/all/core_sudoers_file_of_jenkins_points_to_definitions.check.sh
View File
script/check/host/all/core_user_jenkins_exists.check.sh → definitions/default/check/all/core_user_jenkins_exists.check.sh
View File
script/check/host/all/core_user_name_may_contain_dots.check.sh → definitions/default/check/all/core_user_name_may_contain_dots.check.sh
View File
script/check/host/all/system_is_up_to_date.check.sh → definitions/default/check/all/system_is_up_to_date.check.sh
View File
script/check/host/all/system_localtime_contains_cet_and_cest.check.sh → definitions/default/check/all/system_localtime_contains_cet_and_cest.check.sh
View File
script/check/host/all/system_timezone_is_berlin.check.sh → definitions/default/check/all/system_timezone_is_berlin.check.sh
View File
script/check/host/all/system_unattended_upgrades_are_disabled.check.sh → definitions/default/check/all/system_unattended_upgrades_are_disabled.check.sh
View File
script/check/host/all/system_zfs_app_is_installed.check.sh → definitions/default/check/all/system_zfs_app_is_installed.check.sh
View File
script/check/host/all/system_zfs_atime_of_rootfs_zpool1.check.sh → definitions/default/check/all/system_zfs_atime_of_rootfs_zpool1.check.sh
View File
script/check/host/all/system_zfs_compression_of_rootfs_zpool1.check.sh → definitions/default/check/all/system_zfs_compression_of_rootfs_zpool1.check.sh
View File
script/check/host/all/system_zfs_mountpoint_of_rootfs_zpool1.check.sh → definitions/default/check/all/system_zfs_mountpoint_of_rootfs_zpool1.check.sh
View File
script/check/host/all/system_zpool_alignment_of_pool.check.sh → definitions/default/check/all/system_zpool_alignment_of_pool.check.sh
View File
script/check/runAllChecks.sh
+18 -20
View File
@@ -1,12 +1,5 @@
#!/bin/bash #!/bin/bash
source /cis/core/base.module.sh
_SCRIPT="$(readlink -f "${0}" 2> /dev/null)"
# Folders always ends with an tailing '/'
_CIS_ROOT="${_SCRIPT%%/script/check/*}/" #Removes longest matching pattern '/script/check/*' from the end
_SCRIPT_PATH="${_CIS_ROOT:?"Missing CIS_ROOT"}script/"
_OWN_DOMAIN="$(${_CIS_ROOT}core/printOwnDomain.sh)"
_OWN_DEFINITIONS="${_CIS_ROOT}definitions/${_OWN_DOMAIN:?"Missing OWN_DOMAIN"}/"
@@ -20,7 +13,7 @@ function run_as_root() {
} }
function scripts_are_updateable_by_git() { function scripts_are_updateable_by_git() {
git -C "${_SCRIPT_PATH:?"Missing SCRIPT_PATH"}" pull > /dev/null 2>&1 \ git -C "${CIS[SCRIPTDIR]?"Missing CIS_SCRIPTDIR"}" pull > /dev/null 2>&1 \
&& echo OK \ && echo OK \
&& return 0 && return 0
@@ -29,31 +22,36 @@ function scripts_are_updateable_by_git() {
} }
function allChecks() { function allChecks() {
local _CHECK_PATH _MODE_PATH local _CHECK_PATH _MODE_PATH _CHECK_FILES
_CHECK_PATH="${1:?"allChecks(): Missing first parameter CHECK_PATH"}check/" _CHECK_PATH="${1:?"allChecks(): Missing first parameter CHECK_PATH"}check/"
_MODE_PATH="${2:-all}/" _MODE_PATH="${2:-all}/"
readonly _CHECK_PATH _MODE_PATH _CHECK_FILES="${_CHECK_PATH}${_MODE_PATH}"
readonly _CHECK_PATH _MODE_PATH _CHECK_FILES
echo " - ${_CHECK_PATH}host/${_MODE_PATH}*.check.sh" local _CHECK_FOUND="false"
[ "$(ls -1 ${_CHECK_PATH}host/${_MODE_PATH}*.check.sh 2> /dev/null | grep -cE '.*')" == "0" ] \ echo " - ${_CHECK_FILES}*.check.sh"
&& echo " nothing to do" \ for _CURRENT_CHECK in "${_CHECK_FILES}"*.check.sh; do
&& return 0 ! [ -x "${_CURRENT_CHECK}" ] \
&& continue
for _CURRENT_CHECK in ${_CHECK_PATH}host/${_MODE_PATH}*.check.sh; do _CHECK_FOUND="true"
_NAME="$(basename ${_CURRENT_CHECK} | cut -d'.' -f1)" _NAME="$(basename ${_CURRENT_CHECK} | cut -d'.' -f1)"
_CONTEXT="$(echo ${_NAME} | cut -d'_' -f1)" _CONTEXT="$(echo ${_NAME} | cut -d'_' -f1)"
_CHECK="$(echo ${_NAME} | cut -d'_' -f2- | tr '_' ' ')" _CHECK="$(echo ${_NAME} | cut -d'_' -f2- | tr '_' ' ')"
_RESULT="$("${_CURRENT_CHECK}" && echo OK || echo FAIL)" _RESULT="$("${_CURRENT_CHECK}" && echo OK || echo FAIL)"
echo " ${_CONTEXT^^} ${_CHECK}: ${_RESULT}" echo " ${_CONTEXT^^} ${_CHECK}: ${_RESULT}"
done done
[ "${_CHECK_FOUND}" == "false" ] \
&& echo " nothing to do" \
&& return 0
} }
echo "PRECONDITION run as root: $(run_as_root)" echo "PRECONDITION run as root: $(run_as_root)"
echo "PRECONDITION scripts are updateable by git: $(scripts_are_updateable_by_git)" echo "PRECONDITION scripts are updateable by git: $(scripts_are_updateable_by_git)"
echo echo
echo "Check all (common):" echo "Check all (common):"
allChecks "${_SCRIPT_PATH}" allChecks "${CIS[DEFAULTDEFINITIONS]?"Missing CIS_DEFAULTDEFINITIONS"}"
echo "Check all (own):" echo "Check all (own):"
allChecks "${_OWN_DEFINITIONS}" allChecks "${CIS[DOMAINDEFINITIONS]?"Missing CIS_DOMAINDEFINITIONS"}"
echo "Check this host:" echo "Check this host:"
allChecks "${_OWN_DEFINITIONS}" "$(hostname -s)" allChecks "${CIS[DOMAINDEFINITIONS]}" "$(hostname -s)"