From 540f3df601da70c70ae62aadd3b09350358cb37d Mon Sep 17 00:00:00 2001
From: "YiLin.Li"
Date: Wed, 8 Nov 2023 11:27:38 +0800
Subject: [PATCH] access-and-control && logging-and-auditing: Support multiple executions in 1.37, 1.39, 1.51, 1.52, 2.11, 2.14, 2.16, 2.17, 2.18
Fixes: #I8ERSE
Signed-off-by: YiLin.Li
---
 ...ault-user-shell-timeout-is-900-seconds-or-less.sh | 2 +-
 ...-default-user-umask-is-027-or-more-restrictive.sh | 4 ++--
 ...ensure-mounting-of-udf-filesystems-is-disabled.sh | 4 ++--
 ...ure-mounting-of-cramfs-filesystems-is-disabled.sh | 4 ++--
 ...e-used-to-protect-the-integrity-of-audit-tools.sh | 12 ++++++------
 ...re-rsyslog-default-file-permissions-configured.sh | 4 ++--
 ...journald-is-configured-to-send-logs-to-rsyslog.sh | 2 +-
 ...nald-is-configured-to-compress-large-log-files.sh | 2 +-
 ...onfigured-to-write-logfiles-to-persistent-disk.sh | 2 +-
 9 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh
index 164a64f..7b13bd6 100644
--- a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh
+++ b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh
@@ -1 +1 @@
-echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile
\ No newline at end of file
+grep -Psq "^readonly TMOUT=900 ; export TMOUT" /etc/profile || echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile
diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
index 96d649b..91786ab 100644
--- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
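Review bot: In the 1.37 script the new guard recognises only the literal `readonly TMOUT=900 ; export TMOUT`, so a profile that already carries a different TMOUT assignment (for example a stricter readonly value) still gets the 900 line appended. Because the variable is declared readonly, a second declaration with another value makes bash report an error when /etc/profile is sourced, and the value from the earlier line stays in force. Consider testing for any existing assignment first, e.g. `grep -Eqs '^\s*(readonly\s+|export\s+)?TMOUT=' /etc/profile || echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile`, and rewriting a non-compliant value with `sed -ri` the way the 1.39 script does for umask.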
+++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
@@ -3,5 +3,5 @@ grep -Eq "(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/(\s*)umask\s+
 grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile
 grep -Eq "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs
 grep -q "USERGROUPS_ENAB" /etc/login.defs && sed -ri "s/^(\s*)USERGROUPS_ENAB\s+\S+(\s*#.*)?\s*$/\1USERGROUPS_ENAB no\2/" /etc/login.defs || echo "USERGROUPS_ENAB no" >> /etc/login.defs
-echo "session optional pam_umask.so" >> /etc/pam.d/password-auth
-echo "session optional pam_umask.so" >> /etc/pam.d/system-auth
+grep -Psq "^session optional pam_umask.so" /etc/pam.d/password-auth || echo "session optional pam_umask.so" >> /etc/pam.d/password-auth
+grep -Psq "^session optional pam_umask.so" /etc/pam.d/system-auth || echo "session optional pam_umask.so" >> /etc/pam.d/system-auth
diff --git a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
index 2211012..d51c68d 100644
--- a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
@@ -1,3 +1,3 @@
-echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf
-echo "blacklist udf" >> /etc/modprobe.d/udf.conf
+grep -Psq "^install udf /bin/false" /etc/modprobe.d/udf.conf || echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf
+grep -Psq "^blacklist udf" /etc/modprobe.d/udf.conf || echo "blacklist udf" >> /etc/modprobe.d/udf.conf
 modprobe -r udf
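Review bot: The two pam_umask guards added to the 1.39 script match one exact spelling of the line, as rendered here with single spaces, while PAM stacks are commonly laid out with runs of spaces or tabs between the fields; an existing pam_umask entry written that way is not seen and a second one is appended. The unescaped `.` in `pam_umask.so` also matches any character. A whitespace-tolerant test such as `grep -Eqs '^\s*session\s+optional\s+pam_umask\.so' /etc/pam.d/password-auth` would treat both layouts as already present. The hunk starts at line 3 of the script, so its first lines are not visible here.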
diff --git a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh
index 9b74e2e..2899759 100644
--- a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh
@@ -1,3 +1,3 @@
-echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf
-echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
+grep -Psq "^install cramfs /bin/false" /etc/modprobe.d/cramfs.conf || echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf
+grep -Psq "^blacklist cramfs" /etc/modprobe.d/cramfs.conf || echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
 modprobe -r cramfs
diff --git a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
index 05d1e8b..9c431f5 100644
--- a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
+++ b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
@@ -1,7 +1,7 @@
 mkdir -p /etc/aide
-echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
-echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
-echo "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
-echo "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
-echo "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
-echo "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
\ No newline at end of file
+grep -Psq "^\/sbin\/auditctl p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
+grep -Psq "^\/sbin\/auditd p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
+grep -Psq "^\/sbin\/ausearch p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
+grep -Psq "^\/sbin\/aureport p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
+grep -Psq "^\/sbin\/autrace p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
+grep -Psq "^\/sbin\/augenrules p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
diff --git a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
index e497be8..69e213e 100644
--- a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
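Review bot: Each of the six aide.conf guards in the 2.11 script spells its rule twice, once hand-escaped as a PCRE (`\/`, `\+`) and once as the literal that gets written, so the two copies can drift apart on the next edit even though nothing here needs a regular expression. A fixed-string, whole-line test says the same thing without escaping: `grep -qsxF -- '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512' /etc/aide/aide.conf || echo ...`. With `-x` a longer rule that merely begins with this text no longer counts as present, which the current `^`-anchored prefix match allows. The same form would remove the `\\\$` escaping in the 2.14 script.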
+++ b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh
@@ -1,2 +1,2 @@
-echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
-echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf
\ No newline at end of file
+grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
+grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.d/listen.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.d/listen.conf
diff --git a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
index 3b9dd56..3344bca 100644
--- a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
+++ b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
@@ -1 +1 @@
-echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
\ No newline at end of file
+grep -Psq "^ForwardToSyslog=yes" /etc/systemd/journald.conf ||echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
index f365dfe..8ce6ef6 100644
--- a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
+++ b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
@@ -1 +1 @@
-echo "Compress=yes" >> /etc/systemd/journald.conf
\ No newline at end of file
+grep -Psq "^Compress=yes" /etc/systemd/journald.conf ||echo "Compress=yes" >> /etc/systemd/journald.conf
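Review bot: The guard in the 2.14 script accepts only the literal `$FileCreateMode 0640` as compliant, so a host already set to a stricter mode still gets a 0640 line appended after it, and a host with a looser mode keeps that line as well. As far as I know rsyslog applies legacy `$` directives to the actions defined after them, so a line appended at the end of /etc/rsyslog.conf may leave the mode of earlier file actions unchanged; that is worth confirming against the rsyslog documentation. Consider testing for any existing directive first with `grep -Eqs '^\s*\$FileCreateMode\s+' /etc/rsyslog.conf` and rewriting its value in place with `sed -ri`, as the 1.39 script does for umask.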
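Review bot: The journald scripts (2.16 here, likewise 2.17 and 2.18) append a bare key to the end of /etc/systemd/journald.conf, which only takes effect when the last section header in that file is `[Journal]`. Because `grep -s` stays silent on a missing file, a host without that file ends up with a new one holding the key and no section header at all, which systemd would presumably ignore. Writing a drop-in under /etc/systemd/journald.conf.d/ that contains `[Journal]` followed by the key avoids depending on the main file's layout. Separately, `||echo` in 2.16 and 2.17 lacks the space every other guard in this patch has (`|| echo`); the shell accepts both, but one spelling reads better.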
diff --git a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
index ed01b7b..a11656c 100644
--- a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
+++ b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
@@ -1 +1 @@
-echo "Storage=persistent" >> /etc/systemd/journald.conf
\ No newline at end of file
+grep -Psq "^Storage=persistent" /etc/systemd/journald.conf || echo "Storage=persistent" >> /etc/systemd/journald.conf
--
Gitee