IMP(shellcheck): fix harmless warnings

bin/hardening.sh

@@ -114,7 +114,7 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST
 
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
     ARG="$1"
     case $ARG in
     --audit)

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -14,6 +14,7 @@ set -u # One variable unset, it's over
 
 # shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 HARDENING_EXCEPTION=gw
 # shellcheck disable=2034
 DESCRIPTION="Disable IP forwarding."

bin/hardening/4.2.2.2_configure_syslog-ng.sh

@@ -17,6 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
 
+# shellcheck disable=2034
 SERVICE_NAME="syslog-ng"
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/4.2.4_logs_permissions.sh

@@ -46,7 +46,7 @@ apply() {
         if [ "$FNRET" = 0 ]; then
             ok "$FILE permissions were set to $PERMISSIONS"
         else
-            warn "fixing $DIRlogs ownership to $PERMISSIONS"
+            warn "fixing $DIR logs ownership to $PERMISSIONS"
             chmod 0"$PERMISSIONS" "$FILE"
         fi
     done

bin/hardening/4.3_configure_logrotate.sh

@@ -16,6 +16,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
 
+# shellcheck disable=2034
 SERVICE_NAME="syslog-ng"
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh

@@ -59,27 +59,26 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
-        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE ownership was set to $USER:$GROUP"
-        else
-            warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
-            chown "$USER":"$GROUP" "$FILE"
-
-        fi
-    done
-
     for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE permissions were set to $PERMISSIONS"
         else
-            warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
+            warn "fixing $DIR SSH private keys permissions to $PERMISSIONS"
             chmod 0"$PERMISSIONS" "$FILE"
         fi
     done
 
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE ownership was set to $USER:$GROUP"
+        else
+            warn "fixing $DIR SSH private keys ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+
+        fi
+    done
 }
 
 # This function will check config parameters required

bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -82,7 +82,7 @@ apply() {
                 if [ "$FNRET" = 0 ]; then
                     ok "$FILE permissions were set to $PERMISSIONS"
                 else
-                    warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+                    warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
                     chmod 0"$PERMISSIONS" "$FILE"
                 fi
             fi
@@ -94,7 +94,7 @@ apply() {
         if [ "$FNRET" = 0 ]; then
             ok "$FILE ownership was set to $USER:$GROUP"
         else
-            warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
+            warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
     done

bin/hardening/6.2.18_check_duplicate_username.sh

@@ -27,6 +27,7 @@ audit() {
         OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
         USERNAME=$(awk -F: {'print $2'} <<<$LINE)
         if [ $OCC_NUMBER -gt 1 ]; then
+            # shellcheck disable=2034
             USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate username $USERNAME"

bin/hardening/6.2.19_check_duplicate_groupname.sh

@@ -27,6 +27,7 @@ audit() {
         OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
         GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
         if [ $OCC_NUMBER -gt 1 ]; then
+            # shellcheck disable=2034
             USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate groupname $GROUPNAME"

lib/common.sh

@@ -15,6 +15,7 @@ backup_file() {
         TARGET="$BACKUPDIR/$TARGET"
         debug "Backuping $FILE to $TARGET"
         cp -a $FILE $TARGET
+        # shellcheck disable=2034
         FNRET=0
     fi
 }

lib/constants.sh

@@ -8,16 +8,26 @@ export LANG=C
 #### Useful Color constants settings for loglevels
 
 # Reset Color (for syslog)
+# shellcheck disable=2034
 NC='\033[0m'
+# shellcheck disable=2034
 WHITE='\033[0m'
 # Colors
+# shellcheck disable=2034
 RED='\033[0;31m'
+# shellcheck disable=2034
 GREEN='\033[0;32m'
+# shellcheck disable=2034
 YELLOW='\033[0;33m'
+# shellcheck disable=2034
 GRAY='\033[0;40m' # Gray
 
 # Bold
-BRED='\033[1;31m'    # Red
-BGREEN='\033[1;32m'  # Green
+# shellcheck disable=2034
+BRED='\033[1;31m' # Red
+# shellcheck disable=2034
+BGREEN='\033[1;32m' # Green
+# shellcheck disable=2034
 BYELLOW='\033[1;33m' # Yellow
-BWHITE='\033[1;37m'  # White
+# shellcheck disable=2034
+BWHITE='\033[1;37m' # White

lib/main.sh

@@ -23,7 +23,7 @@ SUDO_CMD=""
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
 
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
     ARG="$1"
     case $ARG in
     --audit-all)

lib/utils.sh

@@ -76,8 +76,10 @@ has_file_correct_ownership() {
     local FILE=$1
     local USER=$2
     local GROUP=$3
-    local USERID=$(id -u $USER)
-    local GROUPID=$(getent group $GROUP | cut -d: -f3)
+    local USERID
+    local GROUPID
+    USERID=$(id -u $USER)
+    GROUPID=$(getent group $GROUP | cut -d: -f3)
     debug "$SUDO_CMD stat -c '%u %g' $FILE"
     if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
         FNRET=0
@@ -275,7 +277,8 @@ is_kernel_option_enabled() {
         # the admin compiled it separately later (or out-of-tree)
         # as a module (regardless of the fact that we have =m or not)
         debug "Checking if we have $MODULE_NAME.ko"
-        local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
+        local modulefile
+        modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
         if $SUDO_CMD [ -n "$modulefile" ]; then
             debug "We do have $modulefile!"
             # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
@@ -433,6 +436,7 @@ get_debian_major_version() {
     if [ $FNRET ]; then
         DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
     else
+        # shellcheck disable=2034
         DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
     fi
 }

tests/launch_tests.sh

@@ -203,7 +203,7 @@ echo
 
 set +e
 set +u
-let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
+totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
 # leave `exit 255` for runtime errors
 [ $totalerrors -ge 255 ] && totalerrors=254
 exit $totalerrors