elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shellcheck): fix harmless warnings

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-07 14:53:10 +01:00
parent 63835dd10c
commit 8012234096
14 changed files with 43 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bin/hardening.sh
View File

@ -114,7 +114,7 @@ fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing # Arguments parsing
while [[ $# > 0 ]]; do while [[ $# -gt 0 ]]; do
ARG="$1" ARG="$1"
case $ARG in case $ARG in
--audit) --audit)

1
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -14,6 +14,7 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034
HARDENING_EXCEPTION=gw HARDENING_EXCEPTION=gw
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable IP forwarding." DESCRIPTION="Disable IP forwarding."

1
bin/hardening/4.2.2.2_configure_syslog-ng.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
# shellcheck disable=2034
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode

1
bin/hardening/4.3_configure_logrotate.sh
View File

@ -16,6 +16,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
# shellcheck disable=2034
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode

23
bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
View File

@ -59,27 +59,26 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP"
else
warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
done
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS" ok "$FILE permissions were set to $PERMISSIONS"
else else
warn "fixing $DIR SSH private keys ownership to $PERMISSIONS" warn "fixing $DIR SSH private keys permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
done done
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP"
else
warn "fixing $DIR SSH private keys ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
done
} }
# This function will check config parameters required # This function will check config parameters required

4
bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -82,7 +82,7 @@ apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS" ok "$FILE permissions were set to $PERMISSIONS"
else else
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP" warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" chmod 0"$PERMISSIONS" "$FILE"
fi fi
fi fi
@ -94,7 +94,7 @@ apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP" ok "$FILE ownership was set to $USER:$GROUP"
else else
warn "fixing $DIR SSH public keys ownership to $PERMISSIONS" warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE" chown "$USER":"$GROUP" "$FILE"
fi fi
done done

1
bin/hardening/6.2.18_check_duplicate_username.sh
View File

@ -27,6 +27,7 @@ audit() {
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
USERNAME=$(awk -F: {'print $2'} <<<$LINE) USERNAME=$(awk -F: {'print $2'} <<<$LINE)
if [ $OCC_NUMBER -gt 1 ]; then if [ $OCC_NUMBER -gt 1 ]; then
# shellcheck disable=2034
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs) USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
crit "Duplicate username $USERNAME" crit "Duplicate username $USERNAME"

1
bin/hardening/6.2.19_check_duplicate_groupname.sh
View File

@ -27,6 +27,7 @@ audit() {
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE) GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
if [ $OCC_NUMBER -gt 1 ]; then if [ $OCC_NUMBER -gt 1 ]; then
# shellcheck disable=2034
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs) USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
crit "Duplicate groupname $GROUPNAME" crit "Duplicate groupname $GROUPNAME"

1
lib/common.sh
View File

@ -15,6 +15,7 @@ backup_file() {
TARGET="$BACKUPDIR/$TARGET" TARGET="$BACKUPDIR/$TARGET"
debug "Backuping $FILE to $TARGET" debug "Backuping $FILE to $TARGET"
cp -a $FILE $TARGET cp -a $FILE $TARGET
# shellcheck disable=2034
FNRET=0 FNRET=0
fi fi
} }

10
lib/constants.sh
View File

@ -8,16 +8,26 @@ export LANG=C
#### Useful Color constants settings for loglevels #### Useful Color constants settings for loglevels
# Reset Color (for syslog) # Reset Color (for syslog)
# shellcheck disable=2034
NC='\033[0m' NC='\033[0m'
# shellcheck disable=2034
WHITE='\033[0m' WHITE='\033[0m'
# Colors # Colors
# shellcheck disable=2034
RED='\033[0;31m' RED='\033[0;31m'
# shellcheck disable=2034
GREEN='\033[0;32m' GREEN='\033[0;32m'
# shellcheck disable=2034
YELLOW='\033[0;33m' YELLOW='\033[0;33m'
# shellcheck disable=2034
GRAY='\033[0;40m' # Gray GRAY='\033[0;40m' # Gray
# Bold # Bold
# shellcheck disable=2034
BRED='\033[1;31m' # Red BRED='\033[1;31m' # Red
# shellcheck disable=2034
BGREEN='\033[1;32m' # Green BGREEN='\033[1;32m' # Green
# shellcheck disable=2034
BYELLOW='\033[1;33m' # Yellow BYELLOW='\033[1;33m' # Yellow
# shellcheck disable=2034
BWHITE='\033[1;37m' # White BWHITE='\033[1;37m' # White

2
lib/main.sh
View File

@ -23,7 +23,7 @@ SUDO_CMD=""
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
# Arguments parsing # Arguments parsing
while [[ $# > 0 ]]; do while [[ $# -gt 0 ]]; do
ARG="$1" ARG="$1"
case $ARG in case $ARG in
--audit-all) --audit-all)

10
lib/utils.sh
View File

@ -76,8 +76,10 @@ has_file_correct_ownership() {
local FILE=$1 local FILE=$1
local USER=$2 local USER=$2
local GROUP=$3 local GROUP=$3
local USERID=$(id -u $USER) local USERID
local GROUPID=$(getent group $GROUP | cut -d: -f3) local GROUPID
USERID=$(id -u $USER)
GROUPID=$(getent group $GROUP | cut -d: -f3)
debug "$SUDO_CMD stat -c '%u %g' $FILE" debug "$SUDO_CMD stat -c '%u %g' $FILE"
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
FNRET=0 FNRET=0
@ -275,7 +277,8 @@ is_kernel_option_enabled() {
# the admin compiled it separately later (or out-of-tree) # the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not) # as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko" debug "Checking if we have $MODULE_NAME.ko"
local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") local modulefile
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ]; then if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!" debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
@ -433,6 +436,7 @@ get_debian_major_version() {
if [ $FNRET ]; then if [ $FNRET ]; then
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
else else
# shellcheck disable=2034
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
fi fi
} }

2
tests/launch_tests.sh
View File

@ -203,7 +203,7 @@ echo
set +e set +e
set +u set +u
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist)) totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
# leave `exit 255` for runtime errors # leave `exit 255` for runtime errors
[ $totalerrors -ge 255 ] && totalerrors=254 [ $totalerrors -ge 255 ] && totalerrors=254
exit $totalerrors exit $totalerrors