From 8012234096742f42345b219df123c90b62a4fcb1 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Mon, 7 Dec 2020 14:53:10 +0100 Subject: [PATCH] IMP(shellcheck): fix harmless warnings --- bin/hardening.sh | 2 +- bin/hardening/3.1.1_disable_ip_forwarding.sh | 1 + bin/hardening/4.2.2.2_configure_syslog-ng.sh | 1 + bin/hardening/4.2.4_logs_permissions.sh | 2 +- bin/hardening/4.3_configure_logrotate.sh | 1 + ....2_ssh_host_private_keys_perm_ownership.sh | 23 +++++++++---------- ...2.3_ssh_host_public_keys_perm_ownership.sh | 4 ++-- .../6.2.18_check_duplicate_username.sh | 1 + .../6.2.19_check_duplicate_groupname.sh | 1 + lib/common.sh | 1 + lib/constants.sh | 16 ++++++++++--- lib/main.sh | 2 +- lib/utils.sh | 10 +++++--- tests/launch_tests.sh | 2 +- 14 files changed, 43 insertions(+), 24 deletions(-) diff --git a/bin/hardening.sh b/bin/hardening.sh index 7ea4c00..f5b5806 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -114,7 +114,7 @@ fi declare -a TEST_LIST ALLOWED_SERVICES_LIST # Arguments parsing -while [[ $# > 0 ]]; do +while [[ $# -gt 0 ]]; do ARG="$1" case $ARG in --audit) diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh index 6721066..172a23f 100755 --- a/bin/hardening/3.1.1_disable_ip_forwarding.sh +++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh @@ -14,6 +14,7 @@ set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 HARDENING_EXCEPTION=gw # shellcheck disable=2034 DESCRIPTION="Disable IP forwarding." diff --git a/bin/hardening/4.2.2.2_configure_syslog-ng.sh b/bin/hardening/4.2.2.2_configure_syslog-ng.sh index db2f82f..50930e0 100755 --- a/bin/hardening/4.2.2.2_configure_syslog-ng.sh +++ b/bin/hardening/4.2.2.2_configure_syslog-ng.sh @@ -17,6 +17,7 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." +# shellcheck disable=2034 SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index 3d6e979..eb74183 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh +++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -46,7 +46,7 @@ apply() { if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - warn "fixing $DIRlogs ownership to $PERMISSIONS" + warn "fixing $DIR logs ownership to $PERMISSIONS" chmod 0"$PERMISSIONS" "$FILE" fi done diff --git a/bin/hardening/4.3_configure_logrotate.sh b/bin/hardening/4.3_configure_logrotate.sh index 72c58aa..903c5dd 100755 --- a/bin/hardening/4.3_configure_logrotate.sh +++ b/bin/hardening/4.3_configure_logrotate.sh @@ -16,6 +16,7 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." +# shellcheck disable=2034 SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index 9ba57b7..e38ca42 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -59,27 +59,26 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE ownership was set to $USER:$GROUP" - else - warn "fixing $DIR SSH private keys permissions to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - - fi - done - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - warn "fixing $DIR SSH private keys ownership to $PERMISSIONS" + warn "fixing $DIR SSH private keys permissions to $PERMISSIONS" chmod 0"$PERMISSIONS" "$FILE" fi done + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE ownership was set to $USER:$GROUP" + else + warn "fixing $DIR SSH private keys ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + + fi + done } # This function will check config parameters required diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 9b4f113..446ce9f 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh @@ -82,7 +82,7 @@ apply() { if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - warn "fixing $DIR SSH public keys permissions to $USER:$GROUP" + warn "fixing $DIR SSH public keys permissions to $PERMISSIONS" chmod 0"$PERMISSIONS" "$FILE" fi fi @@ -94,7 +94,7 @@ apply() { if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else - warn "fixing $DIR SSH public keys ownership to $PERMISSIONS" + warn "fixing $DIR SSH public keys ownership to $USER:$GROUP" chown "$USER":"$GROUP" "$FILE" fi done diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh index 11defe9..b57771d 100755 --- a/bin/hardening/6.2.18_check_duplicate_username.sh +++ b/bin/hardening/6.2.18_check_duplicate_username.sh @@ -27,6 +27,7 @@ audit() { OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) USERNAME=$(awk -F: {'print $2'} <<<$LINE) if [ $OCC_NUMBER -gt 1 ]; then + # shellcheck disable=2034 USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs) ERRORS=$((ERRORS + 1)) crit "Duplicate username $USERNAME" diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh index f2dbb1f..03180f3 100755 --- a/bin/hardening/6.2.19_check_duplicate_groupname.sh +++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh @@ -27,6 +27,7 @@ audit() { OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) GROUPNAME=$(awk -F: {'print $2'} <<<$LINE) if [ $OCC_NUMBER -gt 1 ]; then + # shellcheck disable=2034 USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs) ERRORS=$((ERRORS + 1)) crit "Duplicate groupname $GROUPNAME" diff --git a/lib/common.sh b/lib/common.sh index c5458bc..69213e7 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -15,6 +15,7 @@ backup_file() { TARGET="$BACKUPDIR/$TARGET" debug "Backuping $FILE to $TARGET" cp -a $FILE $TARGET + # shellcheck disable=2034 FNRET=0 fi } diff --git a/lib/constants.sh b/lib/constants.sh index 1d12301..3226d82 100644 --- a/lib/constants.sh +++ b/lib/constants.sh @@ -8,16 +8,26 @@ export LANG=C #### Useful Color constants settings for loglevels # Reset Color (for syslog) +# shellcheck disable=2034 NC='\033[0m' +# shellcheck disable=2034 WHITE='\033[0m' # Colors +# shellcheck disable=2034 RED='\033[0;31m' +# shellcheck disable=2034 GREEN='\033[0;32m' +# shellcheck disable=2034 YELLOW='\033[0;33m' +# shellcheck disable=2034 GRAY='\033[0;40m' # Gray # Bold -BRED='\033[1;31m' # Red -BGREEN='\033[1;32m' # Green +# shellcheck disable=2034 +BRED='\033[1;31m' # Red +# shellcheck disable=2034 +BGREEN='\033[1;32m' # Green +# shellcheck disable=2034 BYELLOW='\033[1;33m' # Yellow -BWHITE='\033[1;37m' # White +# shellcheck disable=2034 +BWHITE='\033[1;37m' # White diff --git a/lib/main.sh b/lib/main.sh index e18d3a3..c90bc2b 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -23,7 +23,7 @@ SUDO_CMD="" export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' # Arguments parsing -while [[ $# > 0 ]]; do +while [[ $# -gt 0 ]]; do ARG="$1" case $ARG in --audit-all) diff --git a/lib/utils.sh b/lib/utils.sh index 4ec4f29..e2a2077 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -76,8 +76,10 @@ has_file_correct_ownership() { local FILE=$1 local USER=$2 local GROUP=$3 - local USERID=$(id -u $USER) - local GROUPID=$(getent group $GROUP | cut -d: -f3) + local USERID + local GROUPID + USERID=$(id -u $USER) + GROUPID=$(getent group $GROUP | cut -d: -f3) debug "$SUDO_CMD stat -c '%u %g' $FILE" if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then FNRET=0 @@ -275,7 +277,8 @@ is_kernel_option_enabled() { # the admin compiled it separately later (or out-of-tree) # as a module (regardless of the fact that we have =m or not) debug "Checking if we have $MODULE_NAME.ko" - local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") + local modulefile + modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") if $SUDO_CMD [ -n "$modulefile" ]; then debug "We do have $modulefile!" # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" @@ -433,6 +436,7 @@ get_debian_major_version() { if [ $FNRET ]; then DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) else + # shellcheck disable=2034 DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) fi } diff --git a/tests/launch_tests.sh b/tests/launch_tests.sh index 7935436..8bb4405 100755 --- a/tests/launch_tests.sh +++ b/tests/launch_tests.sh @@ -203,7 +203,7 @@ echo set +e set +u -let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist)) +totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist)) # leave `exit 255` for runtime errors [ $totalerrors -ge 255 ] && totalerrors=254 exit $totalerrors