Bugs Correction

2026-04-06 06:07:02 +02:00
parent 751dc8892c
commit 4980d8cf3c
34 changed files with 20541 additions and 35 deletions
--- a/securecheck/tasks.py
+++ b/securecheck/tasks.py
@@ -1,15 +1,29 @@
 from __future__ import annotations

 import json
+import re
 from datetime import datetime
 from pathlib import Path

 from .assets import asset_text
-from .executor import ExecutionContext, SecureCheckError
+from .executor import CommandResult, ExecutionContext, SecureCheckError
 from .models import TaskDefinition, TaskResult

 P10K_REMOTE_URL = "https://git.h3campus.fr/Johnny/Install_zsh/raw/branch/main/.p10k.zsh"
 P10K_THEME_GIT_URL = "https://github.com/romkatv/powerlevel10k.git"
+AIDE_DEFAULT_CONF = """database=file:/var/lib/aide/aide.db
+gzip_dbout=yes
+
+group=default
+dbinfo=file:/var/lib/aide/aide.db
+dbinfo=file:/var/lib/aide/aide.db.gz
+verbose=5
+report_url=file:/var/log/aide/aide.log
+
+checksum=sha512
+
+file = p+u+g+s+m+acl+selinux+xattrs+sha512
+"""


 def _result(
@@ -98,6 +112,23 @@ system_name = securecheck
    return _result(context, task, started_at, changed=changed, details=details)


+def _parse_lynis_result(result: CommandResult) -> tuple[int | None, int | None, list[str]]:
+    score = None
+    hardening = None
+    issues: list[str] = []
+    for line in result.stdout.splitlines():
+        stripped = line.strip()
+        lowered = stripped.lower()
+        if match := re.search(r"final score\s*:\s*(\d+)", stripped, re.IGNORECASE):
+            score = int(match.group(1))
+        elif match := re.search(r"hardening index score\s*:\s*(\d+)", stripped, re.IGNORECASE):
+            hardening = int(match.group(1))
+        if any(keyword in lowered for keyword in ("warning", "suggest", "recommend", "failed", "error")):
+            if stripped and not stripped.startswith("Tip"):
+                issues.append(stripped)
+    return score, hardening, sorted(set(issues))
+
+
 def lynis_audit(context: ExecutionContext, task: TaskDefinition) -> TaskResult:
    started_at = datetime.now()
    details: list[str] = []
@@ -115,8 +146,23 @@ def lynis_audit(context: ExecutionContext, task: TaskDefinition) -> TaskResult:
    ).strip() + "\n"
    report_path = _write_report(context, "lynis", report_body)
    details.append(f"Rapport Lynis: {report_path}")
-    success = result.returncode == 0
-    return context.make_result(task, success=success, changed=changed, started_at=started_at, details=details, error=None if success else "Lynis a remonté une erreur")
+    score, hardening, issues = _parse_lynis_result(result)
+    if score is not None:
+        details.append(f"Score Lynis: {score}")
+    if hardening is not None:
+        details.append(f"Hardening index: {hardening}")
+    if issues:
+        details.append("Modifications recommandées Lynis :")
+        details.extend(f"  • {issue}" for issue in issues[:10])
+    success = result.returncode == 0 and not issues
+    return context.make_result(
+        task,
+        success=success,
+        changed=changed,
+        started_at=started_at,
+        details=details,
+        error=None if success else "Lynis a détecté des recommandations",
+    )


 def rootkit_check(context: ExecutionContext, task: TaskDefinition) -> TaskResult:
@@ -310,15 +356,92 @@ def utilities_setup(context: ExecutionContext, task: TaskDefinition) -> TaskResu
            "ca-certificates",
        ]
    elif manager in {"dnf", "yum"}:
-        packages = ["ncdu", "git", "curl", "fail2ban", "htop", "nmon", "duf", "net-tools", "tmux", "tree", "vim-enhanced"]
+        packages = [
+            "ncdu",
+            "git",
+            "curl",
+            "fail2ban",
+            "htop",
+            "nmon",
+            "duf",
+            "net-tools",
+            "tmux",
+            "tree",
+            "vim-enhanced",
+            "libpam-tmpdir",
+            "clamav",
+            "apparmor",
+            "wazuh-agent",
+            "aide",
+            "aide-common",
+        ]
    else:
-        packages = ["ncdu", "git", "curl", "htop", "nmon", "duf", "net-tools", "tmux", "tree", "vim"]
+        packages = [
+            "ncdu",
+            "git",
+            "curl",
+            "htop",
+            "nmon",
+            "duf",
+            "net-tools",
+            "tmux",
+            "tree",
+            "vim",
+            "libpam-tmpdir",
+            "clamav",
+            "apparmor",
+            "wazuh-agent",
+            "aide",
+            "aide-common",
+        ]

    details: list[str] = []
    pkg_report = context.runner.ensure_packages_report(packages)
    changed = _append_package_details(context, details, pkg_report)
    if context.runner.command_exists("systemctl") and context.runner.command_exists("fail2ban-client"):
        context.runner.enable_service("fail2ban.service")
+    if context.runner.command_exists("systemctl") and context.runner.command_exists("avahi-daemon"):
+        context.runner.run(["systemctl", "disable", "--now", "avahi-daemon"], requires_root=True, check=False)
+        details.append("Service avahi-daemon stoppé/désactivé")
+
+    if context.runner.package_available("apparmor") or context.runner.command_exists("apparmor_status"):
+        context.runner.run(["systemctl", "enable", "--now", "apparmor"], requires_root=True, check=False)
+        details.append("AppArmor activé")
+
+    if context.runner.package_available("clamav") or context.runner.command_exists("clamd"):
+        context.runner.run(["systemctl", "enable", "--now", "clamav-freshclam"], requires_root=True, check=False)
+        context.runner.run(["systemctl", "enable", "--now", "clamav-daemon"], requires_root=True, check=False)
+        details.append("ClamAV (daemon + freshclam) activé")
+
+    if context.runner.package_available("aide") or context.runner.package_available("aide-common"):
+        aide_conf_path = Path("/etc/aide/aide.conf")
+        if not aide_conf_path.exists() or aide_conf_path.read_text(encoding="utf-8") != AIDE_DEFAULT_CONF:
+            context.runner.write_text_file(aide_conf_path, AIDE_DEFAULT_CONF, mode=0o644, requires_root=True)
+            details.append("Configuration AIDE appliquée")
+        default_env = Path("/etc/default/aide")
+        if not default_env.exists() or default_env.read_text(encoding="utf-8") != 'MAILTO=""\n':
+            context.runner.write_text_file(default_env, 'MAILTO=""\n', mode=0o644, requires_root=True)
+            details.append("MAILTO AIDE désactivé")
+        aide_db_new = Path("/var/lib/aide/aide.db.new")
+        if not aide_db_new.exists():
+            context.runner.run(["aideinit"], requires_root=True, check=False)
+            details.append("AIDE initialisé (aideinit)")
+        else:
+            details.append("AIDE déjà initialisé")
+        if aide_db_new.exists():
+            existing_db = Path("/var/lib/aide/aide.db")
+            if not existing_db.exists() or aide_db_new.read_bytes() != existing_db.read_bytes():
+                context.runner.run(["cp", "-f", str(aide_db_new), "/var/lib/aide/aide.db"], requires_root=True, check=False)
+                details.append("Base AIDE mise à jour")
+        if context.runner.command_exists("systemctl"):
+            context.runner.run(["systemctl", "enable", "--now", "aidecheck.timer"], requires_root=True, check=False)
+            context.runner.run(["systemctl", "enable", "--now", "dailyaidecheck.timer"], requires_root=True, check=False)
+            details.append("Timers AIDE activés")
+
+    if context.runner.command_exists("systemctl"):
+        context.runner.run(["systemctl", "enable", "--now", "wazuh-agent"], requires_root=True, check=False)
+        details.append("Wazuh agent activé (configuration server sur 192.168.1.219 à gérer manuellement)")
+
    details.append("Utilitaires système et sécurité installés / vérifiés")
    return _result(context, task, started_at, changed=changed, details=details)