IMP(shfmt): add shell formatter

2024-11-21 21:17:00 +01:00 · 2020-12-04 14:08:01 +01:00 · 2020-12-04 14:08:01 +01:00 · 3a342b784a
commit 3a342b784a
parent bc1aa65b91
300 changed files with 2370 additions and 2427 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 tmp/shfmt
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of hfs filesystems."
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
--- a/bin/hardening/1.1.1.5_disable_udf.sh
+++ b/bin/hardening/1.1.1.5_disable_udf.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
--- a/bin/hardening/1.1.1.6_disable_cramfs.sh
+++ b/bin/hardening/1.1.1.6_disable_cramfs.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@ -20,7 +20,6 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
--- a/bin/hardening/2.2.1.1_use_time_sync.sh
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@ -55,7 +55,6 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
@ -64,4 +63,3 @@ else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -1,6 +1,5 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
--- a/bin/hardening/4.2.4_logs_permissions.sh
+++ b/bin/hardening/4.2.4_logs_permissions.sh
@ -23,8 +23,7 @@ PERMISSIONS='640'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -type f);
+    for FILE in $($SUDO_CMD find $DIR -type f); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
@ -42,8 +41,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -type f);
+    for FILE in $($SUDO_CMD find $DIR -type f); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@ -91,7 +91,6 @@ OPTIONS="KexAlgorithms=$KEX"
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
@ -25,8 +25,7 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
@ -42,8 +41,7 @@ audit () {
    fi
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
    do
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE ownership was set to $USER:$GROUP"
@ -61,8 +59,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
    do
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE ownership was set to $USER:$GROUP"
@ -73,8 +70,7 @@ apply () {
        fi
    done
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
@ -84,7 +80,6 @@ apply () {
        fi
    done
 }
 # This function will check config parameters required
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@ -25,8 +25,7 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
@ -52,8 +51,7 @@ audit () {
    fi
    ERRORS=0
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
    do
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE ownership was set to $USER:$GROUP"
@ -71,8 +69,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
    do
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
@ -92,8 +89,7 @@ apply () {
        fi
    done
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
    do
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE ownership was set to $USER:$GROUP"
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -48,7 +48,6 @@ apply () {
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/6.2.1_remove_empty_password_field.sh
+++ b/bin/hardening/6.2.1_remove_empty_password_field.sh
@ -17,7 +17,6 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if accounts have an empty password"
--- a/bin/hardening/6.2.6_sanitize_root_path.sh
+++ b/bin/hardening/6.2.6_sanitize_root_path.sh
@ -25,11 +25,11 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    if [ "`echo $path | grep :: `" != "" ]; then
+    if [ "$(echo $path | grep ::)" != "" ]; then
        crit "Empty Directory in PATH (::)"
        ERRORS=$((ERRORS + 1))
    fi
-    if [ "`echo $path | grep :$`" != "" ]; then
+    if [ "$(echo $path | grep :$)" != "" ]; then
        crit "Trailing : in PATH $path"
        ERRORS=$((ERRORS + 1))
    fi
--- a/bin/hardening/8.0_enable_auditd_kernel.sh
+++ b/bin/hardening/8.0_enable_auditd_kernel.sh
@ -21,7 +21,6 @@ DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel."
 KERNEL_OPTION="CONFIG_AUDIT"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION"
--- a/bin/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh
@ -16,7 +16,6 @@ set -u # One variable unset, it's over
 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
 FILE="/etc/shadow"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    # Review shadow file for existing passwords
--- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh
+++ b/bin/hardening/99.3.4_acc_logindefs_sha512.sh
@ -75,4 +75,3 @@ else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@ -32,8 +32,8 @@ ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
 check_ip() {
    file=$1
    if [ -z "$ALLOWED_IPS" ]; then
-        warn  "No allowed IPs to treat";
+        warn "No allowed IPs to treat"
-        return ;
+        return
    fi
    for line in $($SUDO_CMD grep -noP "$REGEX_FROM_IP" "$file" | tr -s " " | sed 's/ /_/g'); do
        linum=$(echo "$line" | cut -d ':' -f 1)
@ -67,7 +67,10 @@ check_ip() {
 check_file() {
    file=$1
-    if $SUDO_CMD [ ! -e "$file" ]; then debug "$file does not exist"; return; fi
+    if $SUDO_CMD [ ! -e "$file" ]; then
        debug "$file does not exist"
        return
    fi
    if $SUDO_CMD [ -r "$file" ]; then
        debug "Treating $file"
        FOUND_AUTHKF=1
@ -124,11 +127,11 @@ audit () {
    for user in $USERS_TO_CHECK; do
        # Checking if at least one AuthKeyFile has been found for this user
        FOUND_AUTHKF=0
-        shell=$(getent passwd "$user" | cut -d ':' -f 7);
+        shell=$(getent passwd "$user" | cut -d ':' -f 7)
        if grep -q "$shell" <<<"$ALLOWED_NOLOGIN_SHELLS"; then
            continue
        else
-            info "User $user has a valid shell ($shell).";
+            info "User $user has a valid shell ($shell)."
            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                check_dir /root
                continue
--- a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh
+++ b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh
@ -17,8 +17,7 @@ SERVICES="rlogin rlogind rcp"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    for SERVICE in $SERVICES
+    for SERVICE in $SERVICES; do
    do
        info "Checking if $SERVICE is enabled and installed"
        is_service_enabled "$SERVICE"
        if [ "$FNRET" != 0 ]; then
@ -40,7 +39,6 @@ apply () {
    :
 }
 # This function will check config parameters required
 check_config() {
    :
@ -56,7 +54,6 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
--- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh
+++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh
@ -42,7 +42,6 @@ audit () {
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
--- a/lib/common.sh
+++ b/lib/common.sh
@ -19,7 +19,6 @@ backup_file() {
    fi
 }
 #
 # Logging functions
 #
@ -42,6 +41,7 @@ case $LOGLEVEL in
    ;;
 *)
    MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
    ;;
 esac
 _logger() {
@ -99,7 +99,6 @@ debug () {
    if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
 }
 #
 # sudo wrapper
 # issue crit state if not allowed to perform sudo
@ -112,4 +111,3 @@ sudo_wrapper() {
        crit "Not allowed to \"sudo -n $*\" "
    fi
 }
--- a/lib/main.sh
+++ b/lib/main.sh
@ -61,7 +61,7 @@ info "[DESCRIPTION] $DESCRIPTION"
 # Source specific configuration file
 if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
    # If it doesn't exist, create it with default values
-    echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
    # If create_config is a defined function, execute it.
    # Otherwise, just disable the test by default.
    if type -t create_config | grep -qw function; then
@ -99,7 +99,6 @@ if [ -z $status ]; then
    exit 2
 fi
 case $status in
 enabled | true)
    info "Checking Configuration"
--- a/lib/shellfmt/launch_shellfmt.sh
+++ b/lib/shellfmt/launch_shellfmt.sh
@ -0,0 +1,23 @@
 #!/bin/bash
 # run-shellcheck
 if [ ! -f tmp/shfmt ]; then
    wget -O tmp/shfmt https://github.com/mvdan/sh/releases/download/v3.2.0/shfmt_v3.2.0_linux_amd64
 fi
 chmod +x tmp/shfmt
 files=""
 retval=0
 if [ "$#" -eq 0 ]; then
    files=$(find . -name "*.sh" | sort -V)
 else
    files="$*"
 fi
 for f in $files; do
    ./tmp/shfmt -l -i 4 -w "$f"
 done
 exit "$retval"
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -31,7 +31,6 @@ does_sysctl_param_exists() {
    fi
 }
 set_sysctl_param() {
    local SYSCTL_PARAM=$1
    local VALUE=$2
@ -244,7 +243,6 @@ is_service_enabled() {
    fi
 }
 #
 # Kernel Options checks
 #
@ -376,14 +374,11 @@ remount_partition() {
 # APT
 #
-apt_update_if_needed() 
+apt_update_if_needed() {
-{
+    if [ -e /var/cache/apt/pkgcache.bin ]; then
    if [ -e /var/cache/apt/pkgcache.bin ]
    then
        UPDATE_AGE=$(($(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin)))
-        if [ $UPDATE_AGE -gt 21600 ]
+        if [ $UPDATE_AGE -gt 21600 ]; then
        then
            # update too old, refresh database
            $SUDO_CMD apt-get update -y >/dev/null 2>/dev/null
        fi
@ -392,8 +387,7 @@ apt_update_if_needed()
    fi
 }
-apt_check_updates()
+apt_check_updates() {
 {
    local NAME="$1"
    local DETAILS="/dev/shm/${NAME}"
    $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
@ -410,20 +404,17 @@ apt_check_updates()
    rm $DETAILS
 }
-apt_install() 
+apt_install() {
 {
    local PACKAGE=$1
    DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
    FNRET=0
 }
 #
 #   Returns if a package is installed
 #
-is_pkg_installed()
+is_pkg_installed() {
 {
    PKG_NAME=$1
    if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
        debug "$PKG_NAME is installed"
@ -434,11 +425,9 @@ is_pkg_installed()
    fi
 }
 # Returns Debian major version
-get_debian_major_version()
+get_debian_major_version() {
 {
    DEB_MAJ_VER=""
    does_file_exist /etc/debian_version
    if [ $FNRET ]; then
@ -447,4 +436,3 @@ get_debian_major_version()
        DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
    fi
 }
--- a/shellcheck/docker_build_and_run_shellcheck.sh
+++ b/shellcheck/docker_build_and_run_shellcheck.sh
@ -7,4 +7,3 @@ set -e
 dockerfile="$(dirname "$0")/Dockerfile.shellcheck"
 docker build -f "$dockerfile" -t debiancis-shellcheck "$(dirname "$0")"/../
 docker run --rm debiancis-shellcheck "$@"
--- a/tests/docker_build_and_run_tests.sh
+++ b/tests/docker_build_and_run_tests.sh
@ -21,15 +21,12 @@ if [ -z "$target" ] ; then
    exit 1
 fi
 dockerfile="$(dirname "$0")"/docker/Dockerfile.${target}
 if [ ! -f "$dockerfile" ]; then
    echo "ERROR: No target available for $target" >&2
    exit 1
 fi
 docker build -f "$dockerfile" -t "debian_cis_test:${target}" "$(dirname "$0")"/../
 docker run --rm debian_cis_test:"${target}" "$@"
--- a/tests/hardening/1.1.1.5_disable_udf.sh
+++ b/tests/hardening/1.1.1.5_disable_udf.sh
@ -18,4 +18,3 @@ test_audit() {
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.7_disable_squashfs.sh
+++ b/tests/hardening/1.1.1.7_disable_squashfs.sh
@ -18,4 +18,3 @@ test_audit() {
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.1.1_use_time_sync.sh
+++ b/tests/hardening/2.2.1.1_use_time_sync.sh
@ -18,4 +18,3 @@ test_audit() {
    register_test contain "Time synchronization is available through"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.11_record_failed_access_file.sh
+++ b/tests/hardening/4.1.11_record_failed_access_file.sh
@ -7,7 +7,6 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
@ -21,4 +20,3 @@ test_audit() {
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.12_record_privileged_commands.sh
+++ b/tests/hardening/4.1.12_record_privileged_commands.sh
@ -7,7 +7,6 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
--- a/tests/hardening/4.1.8_record_login_logout.sh
+++ b/tests/hardening/4.1.8_record_login_logout.sh
@ -7,7 +7,6 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
--- a/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh
+++ b/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh
@ -16,7 +16,6 @@ test_audit() {
    register_test retvalshouldbe 0
    run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
    cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
 destination mySyslog {
@ -34,13 +33,10 @@ EOF
    echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination
    cat /etc/syslog-ng/conf.d/1_tcp_destination
    describe Checking file in subdirectory
    register_test retvalshouldbe 0
    run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # Cleanup
    rm /etc/syslog-ng/conf.d/1_tcp_destination
--- a/tests/hardening/5.2.14_ssh_cry_mac.sh
+++ b/tests/hardening/5.2.14_ssh_cry_mac.sh
@ -20,4 +20,3 @@ test_audit() {
    register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.15_ssh_cry_kex.sh
+++ b/tests/hardening/5.2.15_ssh_cry_kex.sh
@ -27,4 +27,3 @@ test_audit() {
    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.3.4_acc_pam_sha512.sh
+++ b/tests/hardening/5.3.4_acc_pam_sha512.sh
@ -7,4 +7,3 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/6.1.10_find_world_writable_file.sh
+++ b/tests/hardening/6.1.10_find_world_writable_file.sh
@ -30,4 +30,3 @@ test_audit() {
        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    fi
 }
--- a/tests/hardening/6.1.11_find_unowned_files.sh
+++ b/tests/hardening/6.1.11_find_unowned_files.sh
@ -24,4 +24,3 @@ test_audit() {
    register_test contain "No unowned files found"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/6.1.12_find_ungrouped_files.sh
+++ b/tests/hardening/6.1.12_find_ungrouped_files.sh
@ -24,4 +24,3 @@ test_audit() {
    register_test contain "No ungrouped files found"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/6.1.13_find_suid_files.sh
+++ b/tests/hardening/6.1.13_find_suid_files.sh
@ -29,4 +29,3 @@ test_audit() {
    register_test contain "No unknown suid files found"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/6.1.14_find_sgid_files.sh
+++ b/tests/hardening/6.1.14_find_sgid_files.sh
@ -30,4 +30,3 @@ test_audit() {
    register_test contain "No unknown sgid files found"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/6.2.16_check_duplicate_uid.sh
+++ b/tests/hardening/6.2.16_check_duplicate_uid.sh
@ -28,4 +28,3 @@ test_audit() {
    userdel usertest1
    userdel usertest2
 }
--- a/tests/hardening/6.2.17_check_duplicate_gid.sh
+++ b/tests/hardening/6.2.17_check_duplicate_gid.sh
@ -7,7 +7,6 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    groupadd -f -g 120 grouptest
    groupadd -fo -g 120 grouptest2
--- a/tests/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/tests/hardening/6.2.5_find_0_uid_non_root_account.sh
@ -26,4 +26,3 @@ test_audit() {
    # Cleanup
    userdel -f usertest1
 }
--- a/tests/hardening/6.2.9_users_valid_homedir.sh
+++ b/tests/hardening/6.2.9_users_valid_homedir.sh
@ -24,7 +24,6 @@ test_audit() {
    describe correcting situation
    echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
--- a/tests/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh
@ -30,4 +30,3 @@ EOF
    register_test contain "User secaudit has suitable SHA512 hashed password"
    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.3.2_acc_sudoers_no_all.sh
+++ b/tests/hardening/99.3.2_acc_sudoers_no_all.sh
@ -21,7 +21,6 @@ test_audit() {
    register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
    run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # shellcheck disable=2016
    echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
    describe Adding jeantestuser to exceptions
@ -32,4 +31,3 @@ test_audit() {
    rm -f /etc/sudoers.d/jeantestuser
    userdel jeantestuser
 }
--- a/tests/hardening/99.3.4_acc_logindefs_sha512.sh
+++ b/tests/hardening/99.3.4_acc_logindefs_sha512.sh
@ -36,4 +36,3 @@ test_audit() {
    register_test retvalshouldbe 0
    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.1_ssh_auth_pubk_only.sh
+++ b/tests/hardening/99.5.1_ssh_auth_pubk_only.sh
@ -27,4 +27,3 @@ test_audit() {
    register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/tests/hardening/99.5.2.3_ssh_cry_rekey.sh
@ -20,4 +20,3 @@ test_audit() {
    register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.3_ssh_disable_features.sh
+++ b/tests/hardening/99.5.3_ssh_disable_features.sh
@ -26,4 +26,3 @@ test_audit() {
    register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.4_ssh_keys_from.sh
@ -31,8 +31,8 @@ test_audit()  {
    run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    {
-        echo -n 'from="127.0.0.1" ';
+        echo -n 'from="127.0.0.1" '
-        cat /tmp/key1.pub;
+        cat /tmp/key1.pub
    } >/home/secaudit/.ssh/authorized_keys2
    describe Key with from, no ip check
    register_test retvalshouldbe 0
@ -41,8 +41,8 @@ test_audit()  {
    # shellcheck disable=2016
    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
    {
-        echo -n 'from="10.0.1.2" ';
+        echo -n 'from="10.0.1.2" '
-        cat /tmp/key1.pub;
+        cat /tmp/key1.pub
    } >>/home/secaudit/.ssh/authorized_keys2
    describe Key with from, filled allowed IPs, one bad ip
    register_test retvalshouldbe 1
@ -57,10 +57,10 @@ test_audit()  {
    # shellcheck disable=2016
    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
    {
-        echo -n 'from="10.0.1.2",command="echo bla" ';
+        echo -n 'from="10.0.1.2",command="echo bla" '
-        cat /tmp/key1.pub;
+        cat /tmp/key1.pub
-        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
+        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
-        cat /tmp/key1.pub;
+        cat /tmp/key1.pub
    } >>/home/secaudit/.ssh/authorized_keys2
    describe Key with from and command options
    register_test retvalshouldbe 0
@ -73,10 +73,8 @@ test_audit()  {
    register_test retvalshouldbe 0
    run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # Cleanup
    userdel jeantestuser
    userdel -r jeantest2
    rm -f /tmp/key1 /tmp/key1.pub
 }
--- a/tests/hardening/99.5.5_ssh_strict_modes.sh
+++ b/tests/hardening/99.5.5_ssh_strict_modes.sh
@ -21,4 +21,3 @@ test_audit() {
    register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/tests/hardening/99.5.6_ssh_sys_accept_env.sh
@ -14,7 +14,6 @@ test_audit() {
    register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    describe Correcting situation
    # `apply` performs a service reload after each change in the config file
    # the service needs to be started for the reload to succeed
@ -28,4 +27,3 @@ test_audit() {
    register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.7_ssh_sys_no_legacy.sh
+++ b/tests/hardening/99.5.7_ssh_sys_no_legacy.sh
@ -6,4 +6,3 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.8_ssh_sys_sandbox.sh
+++ b/tests/hardening/99.5.8_ssh_sys_sandbox.sh
@ -20,4 +20,3 @@ test_audit()  {
    register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/99.5.9_ssh_loglevel.sh
+++ b/tests/hardening/99.5.9_ssh_loglevel.sh
@ -20,4 +20,3 @@ test_audit() {
    register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@ -63,8 +63,7 @@ skip() {
    printf "%b %b\n" "\033[30m\e[43m[SKIP]\033[0m" "$*" >&2
 }
 # retrieves audit script logfile
-get_stdout()
+get_stdout() {
 {
    cat "$outdir"/"$usecase_name".log
 }
@ -133,12 +132,12 @@ play_consistency_tests() {
 }
 # Actually runs one signel audit script
-_run()
+_run() {
 {
    usecase_name=$1
    shift
    printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
-    bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
+    bash -c "$*" >"$outdir/$usecase_name.log" && true
    echo $? >"$outdir/$usecase_name.retval"
    ret=$(<"$outdir"/"$usecase_name".retval)
    get_stdout
 }
@ -164,7 +163,6 @@ else
    testcount=$#
 fi
 for test_file in $tests_list; do
    test_file_path=$(dirname "$0")/hardening/"$test_file"
    if [ ! -f "$test_file_path" ]; then
--- a/tests/lib.sh
+++ b/tests/lib.sh
@ -25,8 +25,7 @@ register_test() {
 # retvalshouldbe checks that the audit return value equals the one passed as parameter
 # retvalshoudbe <NUMBER>
-retvalshouldbe()
+retvalshouldbe() {
 {
    # shellcheck disable=2154
    retfile=$outdir/${usecase_name}.retval
    shouldbe=$1
@ -44,8 +43,7 @@ retvalshouldbe()
 # contain looks for a string in audit logfile
 # contain [REGEX] <STRING|regexSTRING>
-contain()
+contain() {
 {
    local specialoption=''
    if [ "$1" != "REGEX" ]; then
        specialoption='-F'
@ -95,4 +93,3 @@ run() {
    play_consistency_tests
    clear_registered_tests
 }
--- a/tests/run_all_targets.sh
+++ b/tests/run_all_targets.sh
@ -30,9 +30,18 @@ eval set -- "$OPTIONS"
 # Treating options
 while true; do
    case "$1" in
-        --nodel ) nodel=1; shift ;;
+    --nodel)
-        --nowait ) nowait=1; shift ;;
+        nodel=1
-        -- ) shift; break ;;
+        shift
        ;;
    --nowait)
        nowait=1
        shift
        ;;
    --)
        shift
        break
        ;;
    *) break ;;
    esac
 done
@ -49,8 +58,8 @@ fi
 # Loops over found targets and runs docker_build_and_run_tests
 for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Supported" | cut -d ':' -f 2); do
    echo "Running $target $*"
-    "$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 | \
+    "$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 |
-        tee "${tmpdir}"/"${target}" | \
+        tee "${tmpdir}"/"${target}" |
        grep -q "All tests succeeded"
    ret=$?
    if [[ 0 -eq $ret ]]; then