diff --git a/bin/hardening.sh b/bin/hardening.sh
index 2fb4339..88e9d26 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -165,7 +165,7 @@ while [[ $# > 0 ]]; do
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
 usage
 fi
@@ -198,7 +198,7 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
 fi
 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
 if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
 echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
 exit 1
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index f37d208..b46b890 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -24,7 +24,7 @@ audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/.[A-Za-z0-9]*; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
 if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
 crit "Group Write permission set on FILE $FILE"
@@ -47,7 +47,7 @@ audit() {
 apply() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 for FILE in $DIR/.[A-Za-z0-9]*; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
 if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
diff --git a/bin/hardening/6.2.11_find_user_forward_files.sh b/bin/hardening/6.2.11_find_user_forward_files.sh
index 86a085d..5cb2e72 100755
--- a/bin/hardening/6.2.11_find_user_forward_files.sh
+++ b/bin/hardening/6.2.11_find_user_forward_files.sh
@@ -25,7 +25,7 @@ audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/$FILENAME; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 crit "$FILE present"
 ERRORS=$((ERRORS + 1))
 fi
diff --git a/bin/hardening/6.2.12_find_user_netrc_files.sh b/bin/hardening/6.2.12_find_user_netrc_files.sh
index b653ed9..02726b8 100755
--- a/bin/hardening/6.2.12_find_user_netrc_files.sh
+++ b/bin/hardening/6.2.12_find_user_netrc_files.sh
@@ -25,7 +25,7 @@ audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/$FILENAME; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 crit "$FILE present"
 ERRORS=$((ERRORS + 1))
 fi
diff --git a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
index f53e089..c304e1a 100755
--- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
+++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
@@ -25,7 +25,7 @@ audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/.netrc; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 has_file_correct_permissions "$FILE" "$PERMISSIONS"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
@@ -48,7 +48,7 @@ apply() {
 for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/.netrc; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 has_file_correct_permissions "$FILE" "$PERMISSIONS"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
diff --git a/bin/hardening/6.2.14_find_user_rhosts_files.sh b/bin/hardening/6.2.14_find_user_rhosts_files.sh
index a4e28ed..157f80e 100755
--- a/bin/hardening/6.2.14_find_user_rhosts_files.sh
+++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh
@@ -25,7 +25,7 @@ audit() {
 for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
 for FILE in $DIR/$FILENAME; do
-if [ ! -h "$FILE" -a -f "$FILE" ]; then
+if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
 crit "$FILE present"
 ERRORS=$((ERRORS + 1))
 fi
diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh
index 923f473..141bf90 100755
--- a/bin/hardening/6.2.7_users_valid_homedir.sh
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh
@@ -27,7 +27,7 @@ audit() {
 USER=$(awk -F: {'print $1'} <<<$LINE)
 USERID=$(awk -F: {'print $2'} <<<$LINE)
 DIR=$(awk -F: {'print $3'} <<<$LINE)
-if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
+if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
 crit "The home directory ($DIR) of user $USER does not exist."
 ERRORS=$((ERRORS + 1))
 fi
diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh
index 589eda9..5dbdce4 100755
--- a/bin/hardening/6.2.9_users_valid_homedir.sh
+++ b/bin/hardening/6.2.9_users_valid_homedir.sh
@@ -30,7 +30,7 @@ audit() {
 USER=$(awk -F: {'print $1'} <<<$LINE)
 USERID=$(awk -F: {'print $2'} <<<$LINE)
 DIR=$(awk -F: {'print $3'} <<<$LINE)
-if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
+if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
 crit "The home directory ($DIR) of user $USER does not exist."
 ERRORS=$((ERRORS + 1))
 fi
diff --git a/lib/main.sh b/lib/main.sh
index 0a81ae8..cf26272 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -28,7 +28,7 @@ while [[ $# > 0 ]]; do
 forcedstatus=auditall
 ;;
 --audit)
-if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
+if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
 debug "Audit argument detected, setting status to audit"
 forcedstatus=audit
 else
@@ -85,7 +85,7 @@ if [ "$forcedstatus" = "auditall" ]; then
 status=audit
 elif [ "$forcedstatus" = "audit" ]; then
 # We want to audit only enabled scripts
-if [ "$status" != 'disabled' -a "$status" != 'false' ]; then
+if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
 debug "Audit argument detected, setting status to audit"
 status=audit
 else
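Review bot: `$USERID` and `$USER` stay unquoted in the rewritten test of 6.2.7 (the identical line in 6.2.9 has the same issue), so an empty uid field from a malformed passwd line turns `[ $USERID -ge 1000 ]` into `[ -ge 1000 ]`, which test(1) rejects with a "unary operator expected" error (status 2) instead of evaluating, and a value containing whitespace or glob characters would be word-split before the comparison. The behaviour is the same as with the old `-a` form, but since the commit is already rewriting this line for POSIX-safe tests, quoting belongs in the same change. Suggested line: `if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then`. audit()'s body starts and ends outside the hunk.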
diff --git a/lib/utils.sh b/lib/utils.sh
index a3828ed..5b968a0 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -270,7 +270,7 @@ is_kernel_option_enabled() {
 FNRET=2 # Not found
 fi
-if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ]; then
+if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
 # also check in modules, because even if not =y, maybe
 # the admin compiled it separately later (or out-of-tree)
 # as a module (regardless of the fact that we have =m or not)
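Review bot: Splitting the compound test left `$SUDO_CMD` on the `[ "$FNRET" -ne 0 ]` test only, so the `-d "/lib/modules/$(uname -r)"` check now runs as the invoking user rather than under `$SUDO_CMD` as the old line did; where the script relies on sudo to see the module tree, this branch can become false and the module fallback is skipped without any message. `$FNRET` is a shell variable and the `-n "$MODULE_NAME"` test needs no privilege either, so the prefix belongs on the directory test: `if [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && $SUDO_CMD [ -d "/lib/modules/$(uname -r)" ]; then`. Whether an unprivileged stat of that directory ever fails on the target systems cannot be told from this hunk; if it never does, a comment stating that the prefix is intentionally dropped would be enough. is_kernel_option_enabled starts and continues outside the hunk.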