diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh
index f182ca8..11ea04b 100755
--- a/bin/hardening/4.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.1.1_audit_log_storage.sh
@@ -28,7 +28,7 @@ audit() {
 crit "$FILE does not exist"
 else
 ok "$FILE exists, checking configuration"
- does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+ does_pattern_exist_in_file $FILE "^${PATTERN}[[:space:]]"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE"
 else
@@ -46,7 +46,7 @@ apply() {
 else
 ok "$FILE exists"
 fi
- does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+ does_pattern_exist_in_file $FILE "^${PATTERN}[[:space:]]"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
 add_end_of_file $FILE "$PATTERN = $VALUE"
diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index 2e33bc4..c01638e 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -30,7 +30,7 @@ audit() {
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
- PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
@@ -55,7 +55,7 @@ apply() {
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
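Review bot: `$FILE` is still passed unquoted in `does_pattern_exist_in_file $FILE "^${PATTERN}[[:space:]]"` in both 4.1.1.1 hunks, and the option parsing in 4.1.1.2 (`AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)`) expands `$AUDIT_OPTION` unquoted, so the commit braces `${PATTERN}` for ShellCheck while leaving SC2086 on the same lines. A path or option value containing whitespace or glob characters would be word-split or globbed before the helper sees it, which matters for a script that rewrites configuration files. The fixes are `does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"` and `AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)`; the same unquoted `$FILE` / `$SSH_OPTION` / `$SHADOW_OPTION` / `$PW_OPT` expansions recur in every later hunk of this diff, except 99.5.1 and 99.5.3 which already quote `"$SSH_OPTION"`. The enclosing audit() and apply() bodies start and end outside these hunks.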
@@ -65,7 +65,7 @@ apply() {
 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
 else
 info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
index 05c870d..05aa261 100755
--- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
@@ -30,7 +30,7 @@ audit() {
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
- PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
@@ -55,7 +55,7 @@ apply() {
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
@@ -65,7 +65,7 @@ apply() {
 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
 else
 info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh
index 727ca1d..de4de32 100755
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,7 +54,7 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -65,7 +65,7 @@ apply() {
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
index b09088c..90a7805 100755
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
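Review bot: The rewritten `replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"` in the 5.2.10 apply hunk anchors only the start of the directive name: because `[[:space:]]*` accepts zero characters, the regex also matches any longer directive that begins with the same letters, so the replacement can overwrite an unrelated line of the configuration file. The presence check `does_pattern_exist_in_file $FILE "^${SSH_PARAM}"` that the apply hunks from 5.2.11 onward (and the 5.4.1.x shadow scripts) use to decide between append and replace has the same prefix-only match and is what routes into this replace. Requiring at least one separator, as the 99.5.1 hunks already do with `^${SSH_PARAM}[[:space:]]+`, closes this: `does_pattern_exist_in_file $FILE "^${SSH_PARAM}[[:space:]]"` and `replace_in_file $FILE "^${SSH_PARAM}[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE"`. Whether `replace_in_file` interprets `+` (extended regex) is not visible here; 99.5.1 relying on it suggests it does. apply() continues outside the hunk.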
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh
index 06f69ca..3e512f5 100755
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh
index 64cc0d7..4e1a9df 100755
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
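Review bot: In the 5.2.13 audit hunk `$SSH_VALUE` is still spliced into `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` as a regular expression rather than a literal; the contents of `OPTIONS` are not visible here, but a `Ciphers` list typically contains `.` and `@`, and each unescaped `.` matches any character, so the audit can accept a line that differs from the configured list. Escaping the value before building the pattern, e.g. `SSH_VALUE=$(printf '%s' "$SSH_VALUE" | sed 's/[][\.*^$]/\\&/g')`, or using a fixed-string comparison in the helper, keeps the check literal. The same construction is used in the 5.2.14 (MACs) and 5.2.15 (KexAlgorithms) hunks, whose values are likely to share these characters. audit() continues outside the hunk.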
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.14_ssh_cry_mac.sh b/bin/hardening/5.2.14_ssh_cry_mac.sh
index 0807a12..73328aa 100755
--- a/bin/hardening/5.2.14_ssh_cry_mac.sh
+++ b/bin/hardening/5.2.14_ssh_cry_mac.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh
index f901477..b80ec0a 100755
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
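Review bot: `/etc/init.d/ssh reload >/dev/null 2>&1` at the end of the 5.2.14 apply hunk discards both the exit status and the diagnostics of the reload that follows the rewrite of the MACs line, so a value sshd rejects is written to the file and then silently not applied, and nothing in the hunk reports that the running daemon still has the old configuration. Validating the file before reloading and keeping the failure visible would surface that: `sshd -t && /etc/init.d/ssh reload || warn "sshd configuration check or reload failed"`. The same silenced reload appears in the 5.2.15, 5.2.4, 5.2.5, 5.2.6, 99.5.1 and 99.5.2.3 apply hunks; the other ssh scripts in this diff reload without the redirection but still ignore the status. apply() continues outside the hunk.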
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh
index d36907f..8bf06f2 100755
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@@ -32,7 +32,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -55,18 +55,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh
index 5397842..6f2cc1c 100755
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh
index 2085d3b..19ab0f0 100755
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@@ -32,7 +32,7 @@ audit() {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -56,18 +56,18 @@ apply() {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh
index fe1d466..4939c9d 100755
--- a/bin/hardening/5.2.19_ssh_banner.sh
+++ b/bin/hardening/5.2.19_ssh_banner.sh
@@ -30,7 +30,7 @@ audit() {
 ok "$PACKAGE is installed"
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
- PATTERN="^$SSH_PARAM[[:space:]]*"
+ PATTERN="^${SSH_PARAM}[[:space:]]*"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -53,13 +53,13 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh
index 9cb3c6f..67d01bb 100755
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/5.2.5_sshd_loglevel.sh b/bin/hardening/5.2.5_sshd_loglevel.sh
index 2490767..a9644f7 100755
--- a/bin/hardening/5.2.5_sshd_loglevel.sh
+++ b/bin/hardening/5.2.5_sshd_loglevel.sh
@@ -32,7 +32,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -55,18 +55,18 @@ apply() {
 for SSH_OPTION in $OPTIONS_TO_APPLY; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh
index 93469dd..12538de 100755
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh
index 9dfc2fd..cc95a99 100755
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
index 54b4253..d4e49e0 100755
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
index 9d0198c..bd5414d 100755
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh
index 7310584..dc9b608 100755
--- a/bin/hardening/5.3.1_enable_pwquality.sh
+++ b/bin/hardening/5.3.1_enable_pwquality.sh
@@ -41,7 +41,7 @@ audit() {
 for PW_OPT in $OPTIONS; do
 PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
 PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
- PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+ PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
 does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
 if [ "$FNRET" = 0 ]; then
@@ -73,18 +73,18 @@ apply() {
 for PW_OPT in $OPTIONS; do
 PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
 PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
- PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+ PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
 does_pattern_exist_in_file $FILE_QUALITY $PATTERN
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE_QUALITY"
 else
 warn "$PATTERN is not present in $FILE_QUALITY, adding it"
- does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+ does_pattern_exist_in_file $FILE_QUALITY "^${PW_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+ replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
 fi
 fi
 done
diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh
index a221c62..0adc31d 100755
--- a/bin/hardening/5.4.1.1_set_password_exp_days.sh
+++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh
@@ -31,7 +31,7 @@ audit() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
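Review bot: The 5.3.1 apply hunk logs `info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"`, but this script's loop variable is `PW_PARAM`; `SSH_PARAM` is not set anywhere in the hunk, so the message prints an empty name (or aborts, if the script runs with `set -u`). Two adjacent lines in the same hunk are worth fixing with it: `does_pattern_exist_in_file $FILE_QUALITY $PATTERN` passes the bracket-expression pattern unquoted, so it is subject to globbing, unlike the quoted call in the audit hunk; and `replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*"` applies `*` to the last character of the parameter name, which is a looser regex than the `^${PW_PARAM}[[:space:]]+=` form the audit uses. Proposed: `info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"`, `does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"` and `replace_in_file $FILE_QUALITY "^${PW_PARAM}[[:space:]]*=.*" "$PW_PARAM = $PW_VALUE"`. apply() starts before this hunk.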
@@ -54,18 +54,18 @@ apply() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
+ does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
 else
 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+ replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
 fi
 fi
 done
diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
index 0a0f134..8009cf5 100755
--- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
@@ -31,7 +31,7 @@ audit() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
+ does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
 else
 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+ replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
 fi
 fi
 done
diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
index aad0dc3..d930f4a 100755
--- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
@@ -31,7 +31,7 @@ audit() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SHADOW_OPTION in $OPTIONS; do
 SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
 SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
- PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
+ PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
+ does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
 else
 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+ replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
 fi
 fi
 done
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
index abb5e73..2acae0c 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
+++ b/bin/hardening/99.2_disable_usb_devices.sh
@@ -117,7 +117,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
- # shellcheck source=../../lib/main.h
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
index 2f83342..ff2a103 100755
--- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
+++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]+$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]+$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
index f9a6277..b79c99f 100755
--- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
@@ -46,7 +46,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
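Review bot: In the apply() hunk, `/etc/init.d/ssh reload >/dev/null 2>&1` discards the exit status, so when sshd rejects the rewritten configuration the script still reports the parameter as fixed while the running daemon keeps the old setting. Validating the file and surfacing a failed reload, `sshd -t 2>/dev/null || warn "sshd rejected $FILE"` followed by `/etc/init.d/ssh reload >/dev/null 2>&1 || warn "ssh reload failed"`, keeps the audit result honest; the same unchecked reload line is in 99.5.2.3, 99.5.3, 99.5.5, 99.5.6, 99.5.8 and 99.5.9. This file is also the only one using `[[:space:]]+` rather than `[[:space:]]*`; if does_pattern_exist_in_file_nocase and replace_in_file run basic-regex grep/sed, `+` is a literal character there and neither the match nor the replacement can ever succeed, which would make apply() append a fresh line on every run — worth confirming against the helpers in lib/utils.sh. apply() continues outside the hunk.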
@@ -69,19 +69,19 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh
index 86104c6..0c63b2c 100755
--- a/bin/hardening/99.5.3_ssh_disable_features.sh
+++ b/bin/hardening/99.5.3_ssh_disable_features.sh
@@ -30,7 +30,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
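Review bot: The normalisation `SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")` runs only inside the add_end_of_file branch, so the else branch's `replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"` writes the un-normalised value — presumably still carrying the literal `\s+` that the audit regex needs — into sshd_config whenever the parameter already exists with another value, leaving a line sshd will not parse. Moving the sed assignment above `if [ "$FNRET" != 0 ]; then` makes both branches write the same text. Without a `g` flag the substitution also rewrites only the first `\s+`, which matters if a value ever contains two. apply() continues outside the hunk.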
@@ -53,18 +53,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh
index 7ecc148..a4d0bc4 100755
--- a/bin/hardening/99.5.5_ssh_strict_modes.sh
+++ b/bin/hardening/99.5.5_ssh_strict_modes.sh
@@ -29,7 +29,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -52,18 +52,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
index 5c06c57..19a8429 100755
--- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
@@ -57,7 +57,7 @@ apply() {
 add_end_of_file $FILE "$PATTERN"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$PATTERN"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$PATTERN"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh
index b4d994a..fc422e8 100755
--- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh
+++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh
index 1d33b22..227b076 100755
--- a/bin/hardening/99.5.9_ssh_loglevel.sh
+++ b/bin/hardening/99.5.9_ssh_loglevel.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
@@ -54,18 +54,18 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
+ does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
 /etc/init.d/ssh reload >/dev/null 2>&1
 fi
diff --git a/lib/utils.sh b/lib/utils.sh
index 5b968a0..4ec4f29 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -324,12 +324,12 @@ is_mounted() {
 has_mount_option() {
 local PARTITION=$1
 local OPTION=$2
- if $(grep "[[:space:]]$PARTITION[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "bind"); then
- local actual_partition="$(grep "[[:space:]]$PARTITION[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $1'})"
+ if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "bind"); then
+ local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $1'})"
 debug "$PARTITION is a bind mount of $actual_partition"
 PARTITION="$actual_partition"
 fi
- if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$OPTION"); then
+ if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$OPTION"); then
 debug "$OPTION has been detected in fstab for partition $PARTITION"
 FNRET=0
 else
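Review bot: In the lib/utils.sh hunk, the trailing `grep -q "$OPTION"` on the last `+` line tests the option as an unanchored regex against the whole fourth fstab field, so an audit for `ro` is satisfied by a root entry carrying `errors=remount-ro`, and has_mount_option reports the option present on a partition that does not have it. Matching a whole comma-separated entry, `grep -qE "(^|,)${OPTION}(,|$)"`, removes that false positive; PARTITION is likewise interpolated into the first grep as an unescaped regex, which is harmless for plain mount points but worth noting. The `if $(…); then` form on both changed lines relies on the empty expansion falling back to the substitution's exit status (ShellCheck SC2091) and reads more plainly as `if grep … | grep -q bind; then`. The function's else branch continues past the hunk.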