elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-24 06:21:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shellcheck): replace -a in condition by && (SC2166)

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-04 15:29:19 +01:00
parent d371b8d057
commit 72bb3e2b84
10 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bin/hardening.sh
View File

@ -165,7 +165,7 @@ while [[ $# > 0 ]]; do
done done
# if no RUN_MODE was passed, usage and quit # if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
usage usage
fi fi
@ -198,7 +198,7 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
fi fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script # If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1 exit 1

4
bin/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -24,7 +24,7 @@ audit() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/.[A-Za-z0-9]*; do for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
crit "Group Write permission set on FILE $FILE" crit "Group Write permission set on FILE $FILE"
@ -47,7 +47,7 @@ audit() {
apply() { apply() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for FILE in $DIR/.[A-Za-z0-9]*; do for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
warn "Group Write permission set on FILE $FILE" warn "Group Write permission set on FILE $FILE"

2
bin/hardening/6.2.11_find_user_forward_files.sh
View File

@ -25,7 +25,7 @@ audit() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
crit "$FILE present" crit "$FILE present"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi

2
bin/hardening/6.2.12_find_user_netrc_files.sh
View File

@ -25,7 +25,7 @@ audit() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
crit "$FILE present" crit "$FILE present"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi

4
bin/hardening/6.2.13_set_perm_on_user_netrc.sh
View File

@ -25,7 +25,7 @@ audit() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/.netrc; do for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -48,7 +48,7 @@ apply() {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/.netrc; do for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"

2
bin/hardening/6.2.14_find_user_rhosts_files.sh
View File

@ -25,7 +25,7 @@ audit() {
for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR" debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
crit "$FILE present" crit "$FILE present"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi

2
bin/hardening/6.2.7_users_valid_homedir.sh
View File

@ -27,7 +27,7 @@ audit() {
USER=$(awk -F: {'print $1'} <<<$LINE) USER=$(awk -F: {'print $1'} <<<$LINE)
USERID=$(awk -F: {'print $2'} <<<$LINE) USERID=$(awk -F: {'print $2'} <<<$LINE)
DIR=$(awk -F: {'print $3'} <<<$LINE) DIR=$(awk -F: {'print $3'} <<<$LINE)
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist." crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi

2
bin/hardening/6.2.9_users_valid_homedir.sh
View File

@ -30,7 +30,7 @@ audit() {
USER=$(awk -F: {'print $1'} <<<$LINE) USER=$(awk -F: {'print $1'} <<<$LINE)
USERID=$(awk -F: {'print $2'} <<<$LINE) USERID=$(awk -F: {'print $2'} <<<$LINE)
DIR=$(awk -F: {'print $3'} <<<$LINE) DIR=$(awk -F: {'print $3'} <<<$LINE)
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist." crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi

4
lib/main.sh
View File

@ -28,7 +28,7 @@ while [[ $# > 0 ]]; do
forcedstatus=auditall forcedstatus=auditall
;; ;;
--audit) --audit)
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
debug "Audit argument detected, setting status to audit" debug "Audit argument detected, setting status to audit"
forcedstatus=audit forcedstatus=audit
else else
@ -85,7 +85,7 @@ if [ "$forcedstatus" = "auditall" ]; then
status=audit status=audit
elif [ "$forcedstatus" = "audit" ]; then elif [ "$forcedstatus" = "audit" ]; then
# We want to audit only enabled scripts # We want to audit only enabled scripts
if [ "$status" != 'disabled' -a "$status" != 'false' ]; then if [ "$status" != 'disabled' ] && [ "$status" != 'false' ]; then
debug "Audit argument detected, setting status to audit" debug "Audit argument detected, setting status to audit"
status=audit status=audit
else else

2
lib/utils.sh
View File

@ -270,7 +270,7 @@ is_kernel_option_enabled() {
FNRET=2 # Not found FNRET=2 # Not found
fi fi
if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ]; then if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
# also check in modules, because even if not =y, maybe # also check in modules, because even if not =y, maybe
# the admin compiled it separately later (or out-of-tree) # the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not) # as a module (regardless of the fact that we have =m or not)