#!/bin/sh
#
# oscap-scan: OpenSCAP security scanner
#
# chkconfig: - 96 99
# description: This service runs OpenSCAP security scanner to check the \
# system settings. The program does not stay resident, \
# but rather runs once. The results of security audit are
# stored in /var/log/oscap-scan.xml.log
#
# processname: /usr/bin/oscap
# config: /etc/sysconfig/oscap-scan
#
# Return values according to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
PATH=/sbin:/bin:/usr/sbin:/usr/bin
prog="oscap"
# Source function library.
. /etc/rc.d/init.d/functions
# Allow anyone to run status
if [ "$1" = "status" ] ; then
exit 3
fi
# Check that we are root ... so non-root users stop here
test $EUID = 0 || exit 4
RETVAL=0
start() {
test -x /usr/bin/oscap || exit 5
# Now check that the sysconfig is found and has important things
# configured
for SCAN_FILE in `find /etc/sysconfig -name oscap-scan\*`; do
SCAN_OPTIONS="" && FIX_OPTIONS=""
test -f ${SCAN_FILE} && . ${SCAN_FILE} && test x"$SCAN_OPTIONS" != "x" || continue
echo -n $"Starting $prog (${SCAN_FILE}): "
$prog $SCAN_OPTIONS
ERR=$?
if [ $ERR -eq 0 ] ; then
sleep 1
logger "OpenSCAP security scan (${SCAN_FILE}): PASS"
elif [ $ERR -eq 1 ] ; then
sleep 1
logger "OpenSCAP security scan (${SCAN_FILE}): ERROR. Run oscap scan from command line."
else
sleep 1
logger "OpenSCAP security scan (${SCAN_FILE}): FAILED. See results in /var/log/oscap-scan.xml.log"
fi
[ "$ERR" -eq 0 ] && success $"$prog startup" || failure $"$prog startup"
echo
if [ $ERR -ne 0 ] && [ $ERR -ne 1 ]; then
test x"$FIX_OPTIONS" != "x" || continue
echo -n $"Starting $prog remediations (${SCAN_FILE}): "
temp_file=`mktemp`
$prog $FIX_OPTIONS > ${temp_file} 2>/dev/null
sh ${temp_file}
FIX_ERR=$?
if [ $FIX_ERR -eq 0 ] ; then
sleep 1
logger "OpenSCAP remediations (${SCAN_FILE}): PASS"
elif [ $vERR -eq 1 ] ; then
sleep 1
logger "OpenSCAP remediations (${SCAN_FILE}): ERROR. Run oscap scan from command line."
else
sleep 1
logger "OpenSCAP remediations (${SCAN_FILE}): FAILED."
fi
rm -f ${temp_file}
echo
fi
done
}
# See how we were called.
case "$1" in
start)
start
;;
restart)
start
;;
stop)
RETVAL=0;
;;
condrestart)
RETVAL=0;
;;
try-restart)
RETVAL=0;
;;
reload)
RETVAL=0;
;;
*)
echo $"Usage: $0 {start}"
RETVAL=2
;;
esac
exit $RETVAL