diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh
index bffe454..f8a1949 100755
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@@ -57,7 +57,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh
index 705fec8..6716140 100755
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@@ -57,7 +57,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh
index a3bc331..0338a55 100755
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@@ -57,7 +57,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.18_removable_device_nodev.sh b/bin/hardening/1.1.18_removable_device_nodev.sh
index 5365205..36aa90b 100755
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@@ -49,7 +49,7 @@ apply() {
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 fi
 }
diff --git a/bin/hardening/1.1.19_removable_device_nosuid.sh b/bin/hardening/1.1.19_removable_device_nosuid.sh
index 0dc6a9e..e112b56 100755
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@@ -49,7 +49,7 @@ apply() {
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 fi
 }
diff --git a/bin/hardening/1.1.20_removable_device_noexec.sh b/bin/hardening/1.1.20_removable_device_noexec.sh
index ee64f67..e70d13a 100755
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@@ -49,7 +49,7 @@ apply() {
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 fi
 }
diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 16fbae9..81662f7 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -24,7 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
- FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
 ok "All world writable directories have a sticky bit"
diff --git a/bin/hardening/1.4.3_root_password.sh b/bin/hardening/1.4.3_root_password.sh
index d712e8f..cc44ef9 100755
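Review bot: The `sed "s/ /\n/g"` kept on the new FORMATTED_RESULT line still splits any world-writable directory whose name contains a space into several bogus entries, so the critical message can list path fragments that do not exist. `find ... -print` already emits one path per line, so the split is unnecessary: `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` yields the same de-duplicated list without corrupting names and folds the `sort | uniq` pair. Quoting the here-string is harmless, but bash does not word-split a here-string, so the quoting by itself does not change what sed receives. Names containing newlines would need `-print0` and a NUL-separated pipeline, which touches lines outside this hunk.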
--- a/bin/hardening/1.4.3_root_password.sh
+++ b/bin/hardening/1.4.3_root_password.sh
@@ -22,7 +22,7 @@ PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 1 ]; then
 crit "$PATTERN is present in $FILE"
 else
@@ -32,7 +32,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 1 ]; then
 warn "$PATTERN is present in $FILE, please put a root password"
 else
diff --git a/bin/hardening/1.5.1_restrict_core_dumps.sh b/bin/hardening/1.5.1_restrict_core_dumps.sh
index 030851d..0e59d39 100755
--- a/bin/hardening/1.5.1_restrict_core_dumps.sh
+++ b/bin/hardening/1.5.1_restrict_core_dumps.sh
@@ -27,14 +27,14 @@ SYSCTL_EXP_RESULT=0
 audit() {
 SEARCH_RES=0
 LIMIT_FILES=""
- if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+ if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
 for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
 LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
 done
 fi
 debug "Files to search $LIMIT_FILE $LIMIT_FILES"
 for file in $LIMIT_FILE $LIMIT_FILES; do
- does_pattern_exist_in_file $file $LIMIT_PATTERN
+ does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$LIMIT_PATTERN not present in $file"
 else
@@ -58,7 +58,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
+ does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
 add_end_of_file $LIMIT_FILE "* hard core 0"
diff --git a/bin/hardening/1.5.2_enable_nx_support.sh b/bin/hardening/1.5.2_enable_nx_support.sh
index be046b0..96159eb 100755
--- a/bin/hardening/1.5.2_enable_nx_support.sh
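Review bot: The drop-in discovery loop right after the newly quoted `[ -d "$LIMIT_DIR" ]` in 1.5.1's audit() is still broken: the glob in `ls $LIMIT_DIR/*.conf` is expanded by the calling shell, so ls prints full paths, and the loop body then builds `$LIMIT_DIR/$LIMIT_DIR/x.conf`, a path that does not exist. Every limits.d drop-in is therefore searched at the wrong path and a core limit configured in a drop-in is presumably reported as missing (the reporting branch is below the hunk). Let the shell glob directly instead of parsing ls: `for file in "$LIMIT_DIR"/*.conf; do [ -e "$file" ] || continue; LIMIT_FILES="$LIMIT_FILES $file"; done`. This does not change the privilege situation, because the glob was already expanded by the unprivileged shell before `$SUDO_CMD ls` ran; audit() continues past the end of the hunk.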
+++ b/bin/hardening/1.5.2_enable_nx_support.sh
@@ -35,7 +35,7 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_dmesg $PATTERN
+ does_pattern_exist_in_dmesg "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 nx_supported_and_enabled
 if [ "$FNRET" != 0 ]; then
@@ -50,7 +50,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_dmesg $PATTERN
+ does_pattern_exist_in_dmesg "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 nx_supported_and_enabled
 if [ "$FNRET" != 0 ]; then
diff --git a/bin/hardening/2.2.1.2_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh
index 7e2b865..f718805 100755
--- a/bin/hardening/2.2.1.2_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
@@ -32,13 +32,13 @@ audit() {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
 else
 ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
 fi
- does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
 else
@@ -54,10 +54,10 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 info "Checking $PACKAGE configuration"
 fi
- does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
 backup_file $NTP_CONF_FILE
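Review bot: `backup_file $NTP_CONF_FILE` on the last line of the 2.2.1.2 apply() hunk is left unquoted while the `does_pattern_exist_in_file` call two lines above it is quoted in this same commit; for consistency make it `backup_file "$NTP_CONF_FILE"`. apply() continues beyond the hunk, so any further unquoted uses of the same variable there are not visible here.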
diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh
index 172a23f..deb5551 100755
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@@ -45,7 +45,7 @@ apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.1.2_disable_send_packet_redirects.sh b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
index aa4d2dc..1807d7b 100755
--- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
@@ -24,8 +24,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_red
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
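Review bot: The two quoted `$(echo "$SYSCTL_VALUES" | cut -d= -f N)` lines in 3.1.2's audit() fork two pipelines per loop iteration for a split the shell does itself: `SYSCTL_PARAM=${SYSCTL_VALUES%%=*}` and `SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}`. For the `key=value` entries in SYSCTL_PARAMS the result is identical; they would differ only for a value containing '=', where `cut -f 2` keeps the first field and `#*=` keeps the rest. The same pattern recurs in every sysctl script touched by this commit, so it could be fixed in one pass. audit() continues after the hunk.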
@@ -41,13 +41,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh
index b960f25..5c82463 100755
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
- if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -42,13 +42,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh
index fd58e27..35f4770 100755
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@@ -24,8 +24,8 @@ audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
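Review bot: apply() in 3.2.1 loops over SYSCTL_PARAMS without the `does_sysctl_param_exists "net.ipv6"` guard that audit() in the previous hunk applies before touching an ipv6 entry, so on a host with IPv6 disabled each ipv6 parameter falls into the `FNRET = 255` branch and is reported as `does not exist -- Typo?`, which is misleading (unless SYSCTL_PARAMS is filtered before apply() runs; its assignment is outside the hunk). Mirror the audit() check: call `does_sysctl_param_exists "net.ipv6"` first, wrap the body in `if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then`, and close it with a matching `fi`. apply() continues beyond the hunk.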
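Review bot: The context line `[[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]` in 3.2.2's audit() keeps the unquoted expansion that this same commit quotes in the identical line of 3.2.1, so the two sibling scripts now differ for no reason. `[[ ]]` does not word-split its operands, so it is harmless, but for consistency change it to `[[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]` here as well. audit() continues beyond the hunk.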
@@ -43,13 +43,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
index 597fc78..f733d42 100755
--- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
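Review bot: As in 3.2.1, apply() in 3.2.2 has no `does_sysctl_param_exists "net.ipv6"` guard although the audit() hunk just above it has one, so with IPv6 disabled the ipv6 entries reach the 255 branch and print `does not exist -- Typo?` instead of being skipped. Wrap the loop body in the same condition audit() uses, `if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then ... fi`, after calling the existence check; if SYSCTL_PARAMS is already filtered before apply() runs (its assignment is outside the hunk) the guard is still cheap and keeps the two functions symmetric. apply() continues beyond the hunk.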
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.4_log_martian_packets.sh b/bin/hardening/3.2.4_log_martian_packets.sh
index 3292810..170966f 100755
--- a/bin/hardening/3.2.4_log_martian_packets.sh
+++ b/bin/hardening/3.2.4_log_martian_packets.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martia
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.5_ignore_broadcast_requests.sh b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
index 9d12a22..397ed2d 100755
--- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
index e66d3cd..9de2801 100755
--- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -45,7 +45,7 @@ apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.7_enable_source_route_validation.sh b/bin/hardening/3.2.7_enable_source_route_validation.sh
index 908824e..b3d0635 100755
--- a/bin/hardening/3.2.7_enable_source_route_validation.sh
+++ b/bin/hardening/3.2.7_enable_source_route_validation.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
index 68df5d2..e6cbd2d 100755
--- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -45,7 +45,7 @@ apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
index f387d38..bcd99ab 100755
--- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
@@ -26,8 +26,8 @@ audit() {
 ok "ipv6 is disabled"
 else
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -48,13 +48,13 @@ apply() {
 ok "ipv6 is disabled"
 else
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
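Review bot: After the newly quoted `set_sysctl_param`, the apply() hunk of 3.2.9 runs `sysctl -w net.ipv4.route.flush=1`, but this script (judging by its name and the `ok "ipv6 is disabled"` branch) sets net.ipv6 parameters, and flushing the IPv4 route cache does not touch IPv6; the kernel's counterpart is `net.ipv6.route.flush=1`. Change the line to `sysctl -w net.ipv6.route.flush=1 >/dev/null`, or drop it if no flush is needed after changing router-advertisement acceptance. SYSCTL_PARAMS is assigned outside the hunk, so confirm the parameter names before changing it; apply() continues beyond the hunk.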
diff --git a/bin/hardening/3.3.1_install_tcp_wrapper.sh b/bin/hardening/3.3.1_install_tcp_wrapper.sh
index 73b9432..b923327 100755
--- a/bin/hardening/3.3.1_install_tcp_wrapper.sh
+++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh
@@ -36,7 +36,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 }
diff --git a/bin/hardening/3.5_enable_firewall.sh b/bin/hardening/3.5_enable_firewall.sh
index 5529961..9e7ec1c 100755
--- a/bin/hardening/3.5_enable_firewall.sh
+++ b/bin/hardening/3.5_enable_firewall.sh
@@ -39,7 +39,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 }
diff --git a/bin/hardening/3.7_disable_ipv6.sh b/bin/hardening/3.7_disable_ipv6.sh
index bf399fe..f25b555 100755
--- a/bin/hardening/3.7_disable_ipv6.sh
+++ b/bin/hardening/3.7_disable_ipv6.sh
@@ -26,8 +26,8 @@ audit() {
 ok "ipv6 is disabled"
 else
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
@@ -48,13 +48,13 @@ apply() {
 ok "ipv6 is disabled"
 else
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index c01638e..282dcc3 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -28,8 +28,8 @@ audit() {
 else
 ok "$FILE exists, checking configuration"
 for AUDIT_OPTION in $OPTIONS; do
- AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
- AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
+ AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
diff --git a/bin/hardening/4.1.2_enable_auditd.sh b/bin/hardening/4.1.2_enable_auditd.sh
index eaf46c0..87bf2b9 100755
--- a/bin/hardening/4.1.2_enable_auditd.sh
+++ b/bin/hardening/4.1.2_enable_auditd.sh
@@ -43,7 +43,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 warn "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" = 0 ]; then
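Review bot: `does_pattern_exist_in_file $FILE "$PATTERN"` on the last line of the 4.1.1.2 audit() hunk still passes `$FILE` unquoted although the two echo lines above it were quoted in this commit; make it `does_pattern_exist_in_file "$FILE" "$PATTERN"` as the other scripts here do. Separately, `PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"` has no end anchor, so a configured value that merely starts with the expected one would pass the audit; OPTIONS is outside the hunk, so whether that can happen for these auditd settings is not visible, but `...$AUDIT_VALUE[[:space:]]*$` would pin it either way. audit() continues past the hunk.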
diff --git a/bin/hardening/4.1.3_audit_bootloader.sh b/bin/hardening/4.1.3_audit_bootloader.sh
index e5de327..eefb27e 100755
--- a/bin/hardening/4.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.3_audit_bootloader.sh
@@ -28,11 +28,11 @@ audit() {
 else
 ok "$FILE exists, checking configuration"
 for GRUB_OPTION in $OPTIONS; do
- GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
- GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+ GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+ GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
 PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
 debug "$GRUB_PARAM should be set to $GRUB_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE"
 else
@@ -47,25 +47,25 @@ apply() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
- touch $FILE
+ touch "$FILE"
 else
 ok "$FILE exists"
 fi
 for GRUB_OPTION in $OPTIONS; do
- GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
- GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+ GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+ GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
 debug "$GRUB_PARAM should be set to $GRUB_VALUE"
 PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
+ does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
- add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
+ add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
 else
 info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+ replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
 fi
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
index d1457bf..8430c61 100755
--- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
@@ -136,7 +136,7 @@ check_config() {
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/4.2.3_install_syslog-ng.sh b/bin/hardening/4.2.3_install_syslog-ng.sh
index dffc773..7aeb4b7 100755
--- a/bin/hardening/4.2.3_install_syslog-ng.sh
+++ b/bin/hardening/4.2.3_install_syslog-ng.sh
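Review bot: `add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"` in the 4.1.3 apply() hunk writes the setting with spaces around '=', but the PATTERN checked in this same hunk is `^$GRUB_PARAM=$GRUB_VALUE` and the fallback `replace_in_file` matches `^$GRUB_PARAM=.*`, neither of which matches a `NAME = value` line. A parameter that was absent is therefore appended once, never recognised afterwards, reported as missing on every later audit, and the replace branch cannot repair it; if FILE is /etc/default/grub, which grub-mkconfig sources as shell, the spaced form is not even a valid assignment. Change the line to `add_end_of_file "$FILE" "$GRUB_PARAM=$GRUB_VALUE"`. Also `does_file_exist $FILE` on the first line is still unquoted while every other call in the hunk was quoted. apply() begins before and ends after this hunk.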
@@ -37,7 +37,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 }
diff --git a/bin/hardening/5.1.1_enable_cron.sh b/bin/hardening/5.1.1_enable_cron.sh
index a908fa2..74ae378 100755
--- a/bin/hardening/5.1.1_enable_cron.sh
+++ b/bin/hardening/5.1.1_enable_cron.sh
@@ -43,7 +43,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" != 0 ]; then
 info "Enabling $SERVICE_NAME"
diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh
index 3c97225..ad3f1b6 100755
--- a/bin/hardening/5.1.8_cron_users.sh
+++ b/bin/hardening/5.1.8_cron_users.sh
@@ -26,7 +26,7 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for FILE in $FILES_ABSENT; do
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" = 0 ]; then
 crit "$FILE exists"
 else
@@ -34,7 +34,7 @@ audit() {
 fi
 done
 for FILE in $FILES_PRESENT; do
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE is absent"
 else
@@ -57,19 +57,19 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for FILE in $FILES_ABSENT; do
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" = 0 ]; then
 warn "$FILE exists"
- rm $FILE
+ rm "$FILE"
 else
 ok "$FILE is absent"
 fi
 done
 for FILE in $FILES_PRESENT; do
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE is absent"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh
index de4de32..7c02be7 100755
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" + does_pattern_exist_in_file "$FILE" "^$SSH_PARAM" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh index 90a7805..4a164be 100755 --- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh 
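Review bot: In the apply hunk `does_pattern_exist_in_file $FILE "$PATTERN"` is left unquoted although the identical call in audit and the `^$SSH_PARAM` call a few lines below were quoted, so the commit's intent is only half applied in this file. The same context line survives unquoted in the hunks below for 5.2.12 (the `^${SSH_PARAM}` call), 5.2.13, 5.2.14, 5.2.15, 5.2.17 (audit), 5.2.18 (audit), 5.2.19 (both calls), 5.2.5 (both `_nocase` calls), 5.2.6, 5.2.7, 5.2.8 and 5.2.9. Quoting them all as `does_pattern_exist_in_file "$FILE" "$PATTERN"` would finish the series and let shellcheck run clean on the directory.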
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh index 3e512f5..ff237f1 100755 --- a/bin/hardening/5.2.12_disable_sshd_setenv.sh +++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh 
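Review bot: `/etc/init.d/ssh reload` runs inside the option loop right after each `add_end_of_file`/`replace_in_file` edit without validating the result, so a bad value in OPTIONS or a replacement that mangles a line hands sshd a configuration it cannot load; in 5.2.14, 5.2.15, 5.2.4, 5.2.5 and 5.2.6 the reload's output is additionally discarded with `>/dev/null 2>&1`, which hides that failure. Guard the reload with a syntax check and report the outcome: `if sshd -t -f "$FILE"; then /etc/init.d/ssh reload; else crit "$FILE fails sshd -t, not reloading"; fi`. Reloading once after the loop instead of once per changed option would also avoid repeated restarts. The closing lines of apply are outside the hunk.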
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh index 4e1a9df..9564456 100755 --- a/bin/hardening/5.2.13_sshd_ciphers.sh +++ b/bin/hardening/5.2.13_sshd_ciphers.sh 
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.14_ssh_cry_mac.sh b/bin/hardening/5.2.14_ssh_cry_mac.sh index 73328aa..e6d8537 100755 --- a/bin/hardening/5.2.14_ssh_cry_mac.sh +++ b/bin/hardening/5.2.14_ssh_cry_mac.sh 
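Review bot: `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` has no end anchor, so any configured value that merely starts with the expected one satisfies the audit: for a list directive such as Ciphers a line carrying the expected algorithms followed by extra weaker ones passes (constructed example: expected `aes256-ctr`, file has `Ciphers aes256-ctr,3des-cbc`), and in 5.2.7 an expected `4` would accept `MaxAuthTries 40`. Anchor the value, `PATTERN="^${SSH_PARAM}[[:space:]]*${SSH_VALUE}[[:space:]]*$"`, here and in the other hunks that build the same pattern (5.2.10 to 5.2.18 and 5.2.4 to 5.2.9). `[[:space:]]*` also accepts zero separators, matching `Ciphersaes256-ctr`, which is not a valid keyword; `[[:space:]][[:space:]]*` (or `+` if the helper uses ERE) expresses what is meant. Because sshd honours only the first occurrence of a keyword, a match anywhere in the file still does not prove the effective value, so `sshd -T` is the authoritative view for audit.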
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file_nocase $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh index b80ec0a..72eb636 100755 --- a/bin/hardening/5.2.15_ssh_cry_kex.sh +++ b/bin/hardening/5.2.15_ssh_cry_kex.sh 
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file_nocase $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi 
@@ -76,9 +76,9 @@ create_config() {
 get_debian_major_version
 set +u
 debug "Debian version : $DEB_MAJ_VER "
- if [[ -z $DEB_MAJ_VER ]] || [[ 7 -eq $DEB_MAJ_VER ]]; then
+ if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
 KEX='diffie-hellman-group-exchange-sha256'
- elif [[ 8 -eq $DEB_MAJ_VER ]] || [[ 9 -eq $DEB_MAJ_VER ]]; then
+ elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
 KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 else
 KEX='diffie-hellman-group-exchange-sha256'
diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh
index 8bf06f2..c131525 100755
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@@ -30,10 +30,10 @@ audit() {
 else
 ok "$PACKAGE is installed"
 for SSH_OPTION in $OPTIONS; do
- SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
- SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+ SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
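Review bot: The `else` branch, reached for every value of `DEB_MAJ_VER` other than empty, 7, 8 or 9 — including releases newer than 9 — sets `KEX='diffie-hellman-group-exchange-sha256'`, the same reduced list as the Debian 7 branch, so the curve25519 exchange offered on Debian 8/9 is dropped on newer systems; presumably the intent was the reverse, and OpenSSH on those releases also accepts the IANA name `curve25519-sha256`. If the narrowing is deliberate, a comment on the branch saying why would save the next reader the question. Separately, `[[ 7 -eq "$DEB_MAJ_VER" ]]` is an arithmetic comparison, so a non-numeric value (if `get_debian_major_version` can yield one, e.g. a testing/sid codename) produces an arithmetic syntax error instead of a clean mismatch; a string comparison such as `[[ "$DEB_MAJ_VER" == 7 ]]` avoids that. `set +u` is not reverted within the hunk; create_config continues outside it.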
@@ -50,23 +50,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh index 6f2cc1c..59872fd 100755 --- a/bin/hardening/5.2.17_sshd_login_grace_time.sh +++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh @@ -29,8 +29,8 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then 
@@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh index 19ab0f0..f647260 100755 --- a/bin/hardening/5.2.18_sshd_limit_access.sh +++ b/bin/hardening/5.2.18_sshd_limit_access.sh @@ -29,9 +29,9 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then 
@@ -50,24 +50,24 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi @@ -89,19 +89,19 @@ EOF # This function will check config parameters required check_config() { - if [ -z $ALLOWED_USERS ]; then + if [ -z "$ALLOWED_USERS" ]; then info "ALLOWED_USERS is not set, defaults to wildcard" ALLOWED_USERS="*" fi - if [ -z $ALLOWED_GROUPS ]; then + if [ -z "$ALLOWED_GROUPS" ]; then info "ALLOWED_GROUPS is not set, defaults to wildcard" ALLOWED_GROUPS="*" fi - if [ -z $DENIED_USERS ]; then + if [ -z "$DENIED_USERS" ]; then info "DENIED_USERS is not set, defaults to nobody" DENIED_USERS="nobody" fi - if [ -z $DENIED_GROUPS ]; then + if [ -z "$DENIED_GROUPS" ]; then info "DENIED_GROUPS is not set, defaults to nobody" DENIED_GROUPS="nobody" fi 
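Review bot: With the defaults set in check_config, `ALLOWED_USERS="*"` reaches `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` unescaped, where `*` is a regex repetition operator rather than a literal, so the resulting `^AllowUsers[[:space:]]**` matches any `AllowUsers` line regardless of its value and the audit reports ok for a stale or overly broad list (the exact behaviour depends on the grep flavour inside `does_pattern_exist_in_file`, which is outside the hunk). Escaping regex metacharacters before building the pattern, e.g. `SSH_VALUE_RE=$(printf '%s' "$SSH_VALUE" | sed 's/[][\.*^$]/\\&/g')`, or comparing the literal line with a fixed-string match, would make the wildcard case meaningful. The same unescaped interpolation exists in the audit hunk above. A one-line comment on the `"*"`/`"nobody"` defaults explaining that they produce `AllowUsers *` and `DenyUsers nobody` lines in sshd_config would also help, since both are written even when no restriction is wanted.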
diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh index 4939c9d..e0a17c4 100755 --- a/bin/hardening/5.2.19_ssh_banner.sh +++ b/bin/hardening/5.2.19_ssh_banner.sh @@ -29,7 +29,7 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) PATTERN="^${SSH_PARAM}[[:space:]]*" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then @@ -48,20 +48,20 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present and activated" fi diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh index 67d01bb..c6497bb 100755 --- a/bin/hardening/5.2.4_sshd_protocol.sh +++ b/bin/hardening/5.2.4_sshd_protocol.sh 
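Review bot: The audit pattern `^${SSH_PARAM}[[:space:]]*` only checks that a `Banner` keyword exists, not its value, so a file containing `Banner none` — the documented way to disable the banner — is reported as present, and the apply hunk's else branch then logs `present and activated` without correcting it. Since apply already derives `SSH_VALUE`, audit could build the full `^${SSH_PARAM}[[:space:]]*$SSH_VALUE` pattern as the other 5.2.x scripts do, and apply's else branch could fall through to `replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"` when the value differs. Both `does_pattern_exist_in_file $FILE ...` calls in this file are still unquoted.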
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/5.2.5_sshd_loglevel.sh b/bin/hardening/5.2.5_sshd_loglevel.sh index a9644f7..a69c62a 100755 --- a/bin/hardening/5.2.5_sshd_loglevel.sh +++ b/bin/hardening/5.2.5_sshd_loglevel.sh 
@@ -30,8 +30,8 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file_nocase $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then @@ -50,23 +50,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS_TO_APPLY; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file_nocase $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh index 12538de..a26dfde 100755 --- a/bin/hardening/5.2.6_disable_x11_forwarding.sh +++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh 
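Review bot: The apply loop tests presence with `does_pattern_exist_in_file_nocase $FILE "$PATTERN"` but decides between append and replace with the case-sensitive `does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"`; sshd keywords are case-insensitive, so a line whose keyword case differs from OPTIONS_TO_APPLY and whose value is wrong fails both checks and gets a second LogLevel line appended, which sshd ignores because it keeps the first value it reads, so apply never converges on that host. Use `does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"` for the second check as well. audit iterates `$OPTIONS` while apply iterates `$OPTIONS_TO_APPLY`; if that split is deliberate it deserves a comment where the two variables are defined, outside the hunk.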
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh index cc95a99..a56c699 100755 --- a/bin/hardening/5.2.7_sshd_maxauthtries.sh +++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh 
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh index d4e49e0..97654fc 100755 --- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh 
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh index bd5414d..5495680 100755 --- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh 
@@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,23 +49,23 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload fi diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh index dc9b608..6d53d3c 100755 --- a/bin/hardening/5.3.1_enable_pwquality.sh +++ b/bin/hardening/5.3.1_enable_pwquality.sh 
@@ -60,7 +60,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.3.2_enable_lockout_failed_password.sh b/bin/hardening/5.3.2_enable_lockout_failed_password.sh index ee71fa3..d832091 100755 --- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh +++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh @@ -52,7 +52,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.3.3_limit_password_reuse.sh b/bin/hardening/5.3.3_limit_password_reuse.sh index cc95e47..e1eb350 100755 --- a/bin/hardening/5.3.3_limit_password_reuse.sh +++ b/bin/hardening/5.3.3_limit_password_reuse.sh @@ -44,7 +44,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh index 0adc31d..1bb6f43 100755 --- a/bin/hardening/5.4.1.1_set_password_exp_days.sh +++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh @@ -49,7 +49,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh index 8009cf5..ffc505d 100755 --- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh 
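Review bot: `does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON` on the context line after the new `apt_install "$PACKAGE"` leaves the pattern itself unquoted, so a PATTERN_COMMON containing whitespace or glob characters (likely for a PAM line) is word-split and glob-expanded before the helper sees it; `does_pattern_exist_in_file $FILE $PATTERN` in 5.6 below has the same problem, and `SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)` in 5.4.1.1, 5.4.1.2 and 5.4.1.3 is the one `echo $X | cut` form the commit did not quote. Quote them like the rest of the series: `does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"`. apply continues past each of these hunks.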
@@ -49,7 +49,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh index d930f4a..3fed978 100755 --- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -49,7 +49,7 @@ apply() { ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE + apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) diff --git a/bin/hardening/5.4.3_default_root_group.sh b/bin/hardening/5.4.3_default_root_group.sh index 60525dd..edc9fd9 100755 --- a/bin/hardening/5.4.3_default_root_group.sh +++ b/bin/hardening/5.4.3_default_root_group.sh @@ -22,7 +22,7 @@ EXPECTED_GID='0' # This function will be called if the script status is on enabled / audit mode audit() { - if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then ok "Root group has GID $EXPECTED_GID" else crit "Root group GID should be $EXPECTED_GID" @@ -31,7 +31,7 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then ok "Root group GID is $EXPECTED_GID" else warn "Root group GID is not $EXPECTED_GID -- Fixing" diff --git a/bin/hardening/5.6_restrict_su.sh b/bin/hardening/5.6_restrict_su.sh index f1c1f9b..e5bce45 100755 --- a/bin/hardening/5.6_restrict_su.sh +++ b/bin/hardening/5.6_restrict_su.sh 
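Review bot: In the 5.4.3 hunks both conditions compare the root GID against a literal `0` while the messages report `$EXPECTED_GID`, so changing the variable would silently desynchronise the check from its message; use `if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]; then` in audit and apply. `getent passwd root | cut -d: -f4` would also honour NSS sources rather than only the local file, if that matters for this script. The correcting branch of apply is outside the hunk.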
@@ -44,7 +44,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 does_pattern_exist_in_file $FILE $PATTERN
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index b46b890..5634eb9 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -23,14 +23,14 @@ ERRORS=0
 audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
- for FILE in $DIR/.[A-Za-z0-9]*; do
+ for FILE in "$DIR"/.[A-Za-z0-9]*; do
 if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
- FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
- if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+ FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+ if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 crit "Group Write permission set on FILE $FILE"
 ERRORS=$((ERRORS + 1))
 fi
- if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+ if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
 crit "Other Write permission set on FILE $FILE"
 ERRORS=$((ERRORS + 1))
 fi
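Review bot: In the 5.6 hunk, `does_pattern_exist_in_file $FILE $PATTERN` two lines below the fix still passes the pattern unquoted, whereas 5.3.2, 5.3.3 and 99.5.6 in this same commit pass `"$PATTERN"`; a pattern with a space is split into several arguments and only the first fragment reaches the helper as the pattern. Suggest `does_pattern_exist_in_file "$FILE" "$PATTERN"`. PATTERN's value is not in view, so the current impact cannot be confirmed here. apply() continues past the hunk.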
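Review bot: In the 6.2.10 audit() hunk, quoting `"$DIR"` in the glob does not help when `$DIR` is produced by the unquoted `for DIR in $(get_db passwd | … | awk … { print $6 })` header in context: a home directory containing a space is already split into two words there (and the `$(…)` output is glob-expanded as well), so the quoted glob is evaluated against fragments. A `while IFS= read -r DIR; do … done < <(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '…{ print $6 }')` loop would hand each path over intact. Whether home paths are guaranteed space-free on the target systems is policy I cannot see, but since the commit is about quoting it seems worth fixing in the same pass. The loop's `done` and the rest of audit() are outside this hunk.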
@@ -46,14 +46,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
- for FILE in $DIR/.[A-Za-z0-9]*; do
+ for FILE in "$DIR"/.[A-Za-z0-9]*; do
 if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
- FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
- if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+ FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+ if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
 chmod g-w "$FILE"
 fi
- if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+ if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
 warn "Other Write permission set on FILE $FILE"
 chmod o-w "$FILE"
 fi
diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh
index 5d9f06c..967b9a3 100755
--- a/bin/hardening/6.2.6_sanitize_root_path.sh
+++ b/bin/hardening/6.2.6_sanitize_root_path.sh
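Review bot: `$(echo "$FILEPERM" | cut -c6)` and `$(echo "$FILEPERM" | cut -c9)` spawn two processes per dotfile to read one character each; the builtin substrings `${FILEPERM:5:1}` and `${FILEPERM:8:1}` read the same positions of the `ls -l` mode string (group-write, other-write) with no fork and no quoting to get wrong, e.g. `if [ "${FILEPERM:5:1}" != "-" ]; then`. The identical pair sits in audit() in the previous hunk, so one small helper would keep the two functions in step. Note also that between `[ ! -h "$FILE" ]` and `chmod g-w "$FILE"` the owner of the home directory could swap the file for a symlink, which chmod would follow; the effect is only clearing write bits on the target, but as this presumably runs as root over user-controlled directories a comment acknowledging the window would help the next reader. apply() continues past the hunk.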
@@ -25,32 +25,32 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- if [ "$(echo $path | grep ::)" != "" ]; then
+ if [ "$(echo "$path" | grep ::)" != "" ]; then
 crit "Empty Directory in PATH (::)"
 ERRORS=$((ERRORS + 1))
 fi
- if [ "$(echo $path | grep :$)" != "" ]; then
+ if [ "$(echo "$path" | grep :$)" != "" ]; then
 crit "Trailing : in PATH $path"
 ERRORS=$((ERRORS + 1))
 fi
- FORMATTED_PATH=$(echo $path | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
 set -- $FORMATTED_PATH
 while [ "${1:-}" != "" ]; do
 if [ "$1" = "." ]; then
 crit "PATH contains ."
 ERRORS=$((ERRORS + 1))
 else
- if [ -d $1 ]; then
- dirperm=$(ls -ldH $1 | cut -f1 -d" ")
- if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ if [ -d "$1" ]; then
+ dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
 crit "Group Write permission set on directory $1"
 ERRORS=$((ERRORS + 1))
 fi
- if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
 crit "Other Write permission set on directory $1"
 ERRORS=$((ERRORS + 1))
 fi
- dirown=$(ls -ldH $1 | awk '{print $3}')
+ dirown=$(ls -ldH "$1" | awk '{print $3}')
 if [ "$dirown" != "root" ]; then
 crit "$1 is not owned by root"
 ERRORS=$((ERRORS + 1))
diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh
index de47ffe..49f1def 100755
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh
+++ b/bin/hardening/6.2.8_check_user_dir_perm.sh
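Review bot: The `if [ "$1" = "." ]; then` check in context only catches a literal dot, yet any relative entry (`bin`, `./bin`, `../tools`) is resolved against the current directory exactly as `.` is, so a PATH like `/usr/bin:bin` passes this audit (the empty entry is already caught by the `::` test above). Replacing the condition with `if [ "${1#/}" = "$1" ]; then` and the message with `crit "PATH contains relative entry $1"` covers `.` and every other non-absolute entry in one test. Separately, `set -- $FORMATTED_PATH` glob-expands the entries, so an entry such as `/opt/*` would be checked as whatever it happens to match rather than as written; `set -f` before it (and `set +f` after) avoids that. Where `$path` is populated is not visible here, and audit() continues past the hunk.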
@@ -25,27 +25,27 @@ audit() {
 debug "Working on $dir"
 debug "Exceptions : $EXCEPTIONS"
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
- if echo "$EXCEPTIONS" | grep -q $dir; then
+ if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
 fi
- if [ -d $dir ]; then
- dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
- if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ if [ -d "$dir" ]; then
+ dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
 crit "Group Write permission set on directory $dir"
 ERRORS=$((ERRORS + 1))
 fi
- if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
 crit "Other Read permission set on directory $dir"
 ERRORS=$((ERRORS + 1))
 fi
- if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
 crit "Other Write permission set on directory $dir"
 ERRORS=$((ERRORS + 1))
 fi
- if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
 crit "Other Execute permission set on directory $dir"
 ERRORS=$((ERRORS + 1))
 fi
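Review bot: `grep -q "$dir"` still treats `$dir` as an unanchored basic regex, so an exception of `/home/alice` also whitelists `/home/alice2` and `/home/alice/shared`, and a `.` or `*` in a path is interpreted as a metacharacter; quoting only stops word-splitting, it does not make the match exact. A fixed-string whole-entry match such as `if printf '%s\n' $EXCEPTIONS | grep -qxF -- "$dir"; then` makes the exception list mean what it says (this assumes EXCEPTIONS is whitespace-separated, as the echo/grep pairing suggests). `RESULT=$(sed "s!$dir!!" <<<"$RESULT")` on the next line has the same unanchored-pattern problem and additionally breaks on a `!` in the path. The enclosing `for dir in …` loop begins before this hunk.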
@@ -64,27 +64,27 @@ apply() {
 debug "Working on $dir"
 debug "Exceptions : $EXCEPTIONS"
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
- if echo "$EXCEPTIONS" | grep -q $dir; then
+ if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
 fi
- if [ -d $dir ]; then
- dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
- if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ if [ -d "$dir" ]; then
+ dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
 warn "Group Write permission set on directory $dir"
 chmod g-w "$dir"
 fi
- if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
 warn "Other Read permission set on directory $dir"
 chmod o-r "$dir"
 fi
- if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
 warn "Other Write permission set on directory $dir"
 chmod o-w "$dir"
 fi
- if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
 warn "Other Execute permission set on directory $dir"
 chmod o-x "$dir"
 fi
diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh
index d617072..b622ded 100755
--- a/bin/hardening/8.3.1_install_tripwire.sh
+++ b/bin/hardening/8.3.1_install_tripwire.sh
@@ -37,7 +37,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 info "Tripwire is now installed but not fully functionnal, please see readme to go further"
 fi
 }
diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
index ff2a103..23afd16 100755
--- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
+++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh
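Review bot: In the 6.2.8 apply() hunk, unlike the 6.2.10 hunks of this commit which guard with `[ ! -h "$FILE" ]` before acting, `[ -d "$dir" ]` follows symlinks, so when a passwd home-directory field points at a symlink the `chmod g-w "$dir"`, `chmod o-r`, `chmod o-w` and `chmod o-x` calls here change the mode of the link target rather than the entry being audited. Since this presumably runs as root over paths that users may control, suggest `if [ ! -h "$dir" ] && [ -d "$dir" ]; then`, plus a `warn` for the symlink case so it is not silently skipped, mirroring 6.2.10. Whether symlinked home directories are acceptable on these systems is policy I cannot see from here. The `for dir in …` loop and the rest of apply() are outside the hunk.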
@@ -49,7 +49,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
index b79c99f..c5f9fb1 100755
--- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
@@ -64,7 +64,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh
index 0c63b2c..9988acc 100755
--- a/bin/hardening/99.5.3_ssh_disable_features.sh
+++ b/bin/hardening/99.5.3_ssh_disable_features.sh
@@ -48,7 +48,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh
index a4d0bc4..341279a 100755
--- a/bin/hardening/99.5.5_ssh_strict_modes.sh
+++ b/bin/hardening/99.5.5_ssh_strict_modes.sh
@@ -47,7 +47,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
index 19a8429..75c31f7 100755
--- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
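Review bot: In the 99.5.2.3 hunk, `SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)` in the trailing context is quoted in the 99.5.1 and 99.5.3 hunks of this commit but left unquoted here and in the 99.5.5 hunk below, so the same loop now reads differently from file to file for no reason. `SSH_PARAM=${SSH_OPTION%%=*}` yields the same value for every `key=value` token (and the whole token when there is no `=`) without a fork and with nothing to quote. apply() continues past the hunk.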
@@ -44,7 +44,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 does_pattern_exist_in_file_nocase $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh
index fc422e8..99f5ee2 100755
--- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh
+++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh
@@ -49,7 +49,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh
index 227b076..99d0f3f 100755
--- a/bin/hardening/99.5.9_ssh_loglevel.sh
+++ b/bin/hardening/99.5.9_ssh_loglevel.sh
@@ -49,7 +49,7 @@ apply() {
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
+ apt_install "$PACKAGE"
 fi
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
diff --git a/bin/postinstall/tripwire.sh b/bin/postinstall/tripwire.sh
index 5b83424..e51262a 100755
--- a/bin/postinstall/tripwire.sh
+++ b/bin/postinstall/tripwire.sh
@@ -10,7 +10,7 @@ echo "Generating Site key file..."
 twadmin -m G -S /etc/tripwire/site.key # Generates Site key file
 echo "Generating Local key file..."
-twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key # Generate local key file
+twadmin -m G -S /etc/tripwire/"$(hostname -f)"-local.key # Generate local key file
 echo "Generating encrypted policy..."
 twadmin -m P /etc/tripwire/twpol.txt # Apply new policy with generated site key file
 echo "Generating Local database with newly created key..."
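Review bot: In the tripwire.sh hunk, `$(hostname -f)` can fail or print nothing on a host without a resolvable FQDN, and the quoted form then hands twadmin the key path `/etc/tripwire/-local.key` instead of a per-host file; capture the name first and refuse to continue when it is empty, e.g. `host=$(hostname -f) && [ -n "$host" ] || exit 1`, then use `/etc/tripwire/$host-local.key`. Separately, this line generates what the comment calls the local key with `-S`, the same site-keyfile flag used for `site.key` two lines above; twadmin's local-keyfile option is `-L`, so please confirm the flag is intended, since the local key is what later signs the database. Whether the script runs under `set -e` is not visible from this hunk.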