IMP(shellcheck): fix harmless warnings
This commit is contained in:
parent
63835dd10c
commit
8012234096
@ -114,7 +114,7 @@ fi
|
|||||||
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||||
|
|
||||||
# Arguments parsing
|
# Arguments parsing
|
||||||
while [[ $# > 0 ]]; do
|
while [[ $# -gt 0 ]]; do
|
||||||
ARG="$1"
|
ARG="$1"
|
||||||
case $ARG in
|
case $ARG in
|
||||||
--audit)
|
--audit)
|
||||||
|
@ -14,6 +14,7 @@ set -u # One variable unset, it's over
|
|||||||
|
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=3
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
HARDENING_EXCEPTION=gw
|
HARDENING_EXCEPTION=gw
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Disable IP forwarding."
|
DESCRIPTION="Disable IP forwarding."
|
||||||
|
@ -17,6 +17,7 @@ HARDENING_LEVEL=3
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
|
DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
SERVICE_NAME="syslog-ng"
|
SERVICE_NAME="syslog-ng"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
@ -46,7 +46,7 @@ apply() {
|
|||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE permissions were set to $PERMISSIONS"
|
ok "$FILE permissions were set to $PERMISSIONS"
|
||||||
else
|
else
|
||||||
warn "fixing $DIRlogs ownership to $PERMISSIONS"
|
warn "fixing $DIR logs ownership to $PERMISSIONS"
|
||||||
chmod 0"$PERMISSIONS" "$FILE"
|
chmod 0"$PERMISSIONS" "$FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
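Review bot: The corrected message still says "ownership" while the command on the following line is `chmod`, so the log line remains misleading after the `$DIRlogs` fix; `warn "fixing $DIR logs permissions to $PERMISSIONS"` would describe the operation that actually runs, matching the wording the commit itself adopts for the SSH key hunks. The enclosing `apply()` starts before this hunk.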
@ -16,6 +16,7 @@ HARDENING_LEVEL=3
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
|
DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
SERVICE_NAME="syslog-ng"
|
SERVICE_NAME="syslog-ng"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
@ -59,27 +59,26 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
|
||||||
if [ "$FNRET" = 0 ]; then
|
|
||||||
ok "$FILE ownership was set to $USER:$GROUP"
|
|
||||||
else
|
|
||||||
warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
|
|
||||||
chown "$USER":"$GROUP" "$FILE"
|
|
||||||
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE permissions were set to $PERMISSIONS"
|
ok "$FILE permissions were set to $PERMISSIONS"
|
||||||
else
|
else
|
||||||
warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
|
warn "fixing $DIR SSH private keys permissions to $PERMISSIONS"
|
||||||
chmod 0"$PERMISSIONS" "$FILE"
|
chmod 0"$PERMISSIONS" "$FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
||||||
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$FILE ownership was set to $USER:$GROUP"
|
||||||
|
else
|
||||||
|
warn "fixing $DIR SSH private keys ownership to $USER:$GROUP"
|
||||||
|
chown "$USER":"$GROUP" "$FILE"
|
||||||
|
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
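Review bot: Both loops in `apply()` iterate over an unquoted `$($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key')`, so the file list is word-split and glob-expanded and `$DIR` is passed unquoted; this is the same SC2046/SC2086 class the commit is cleaning up, and the reordering keeps it. A NUL-delimited read avoids it: `while IFS= read -r -d '' FILE; do` … `done < <($SUDO_CMD find "$DIR" -xdev -type f -name 'ssh_host_*_key' -print0)`. Since the two loops run the identical `find`, they could also be merged so the permission and ownership checks happen in a single pass per key file. Risk is low in practice because host key file names carry no whitespace, but the warning will keep showing up.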
@ -82,7 +82,7 @@ apply() {
|
|||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE permissions were set to $PERMISSIONS"
|
ok "$FILE permissions were set to $PERMISSIONS"
|
||||||
else
|
else
|
||||||
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
|
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||||
chmod 0"$PERMISSIONS" "$FILE"
|
chmod 0"$PERMISSIONS" "$FILE"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -94,7 +94,7 @@ apply() {
|
|||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE ownership was set to $USER:$GROUP"
|
ok "$FILE ownership was set to $USER:$GROUP"
|
||||||
else
|
else
|
||||||
warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
|
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
|
||||||
chown "$USER":"$GROUP" "$FILE"
|
chown "$USER":"$GROUP" "$FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -27,6 +27,7 @@ audit() {
|
|||||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||||
USERNAME=$(awk -F: {'print $2'} <<<$LINE)
|
USERNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||||
if [ $OCC_NUMBER -gt 1 ]; then
|
if [ $OCC_NUMBER -gt 1 ]; then
|
||||||
|
# shellcheck disable=2034
|
||||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
crit "Duplicate username $USERNAME"
|
crit "Duplicate username $USERNAME"
|
||||||
|
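Review bot: The added `# shellcheck disable=2034` silences the unused-variable warning on `USERS=...` instead of resolving it: the value is never printed, and the awk filter compares `$3` (the UID field of /etc/passwd) against `n=$USERNAME`, so for a duplicate name it presumably never matches; the second hunk at `@ -27,6 +27,7 @@ audit()` does the same with `GROUPNAME` and also reads /etc/passwd rather than /etc/group. Either drop the assignment, or, if the intent is to list the offending entries, match on `$1`, quote the variable (`n="$USERNAME"`) and include the result in the `crit` message. `[ $OCC_NUMBER -gt 1 ]` would also benefit from quoting, consistent with the `-gt` fixes elsewhere in this commit. `audit()` starts before this hunk.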
@ -27,6 +27,7 @@ audit() {
|
|||||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||||
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
|
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||||
if [ $OCC_NUMBER -gt 1 ]; then
|
if [ $OCC_NUMBER -gt 1 ]; then
|
||||||
|
# shellcheck disable=2034
|
||||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
crit "Duplicate groupname $GROUPNAME"
|
crit "Duplicate groupname $GROUPNAME"
|
||||||
|
@ -15,6 +15,7 @@ backup_file() {
|
|||||||
TARGET="$BACKUPDIR/$TARGET"
|
TARGET="$BACKUPDIR/$TARGET"
|
||||||
debug "Backuping $FILE to $TARGET"
|
debug "Backuping $FILE to $TARGET"
|
||||||
cp -a $FILE $TARGET
|
cp -a $FILE $TARGET
|
||||||
|
# shellcheck disable=2034
|
||||||
FNRET=0
|
FNRET=0
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
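Review bot: `FNRET=0` is set unconditionally after `cp -a $FILE $TARGET`, so a failed backup (unwritable `$BACKUPDIR`, or a path split by the unquoted expansions) is reported as success, and the hardening step that relies on the backup proceeds without one. Prefer `if cp -a -- "$FILE" "$TARGET"; then FNRET=0; else FNRET=1; fi`, keeping the directive since FNRET is read by callers in other files (the `if [ "$FNRET" = 0 ]` checks elsewhere in this commit). `backup_file()` starts before this hunk, so I cannot see how FNRET is handled on the other branch.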
@ -8,16 +8,26 @@ export LANG=C
|
|||||||
#### Useful Color constants settings for loglevels
|
#### Useful Color constants settings for loglevels
|
||||||
|
|
||||||
# Reset Color (for syslog)
|
# Reset Color (for syslog)
|
||||||
|
# shellcheck disable=2034
|
||||||
NC='\033[0m'
|
NC='\033[0m'
|
||||||
|
# shellcheck disable=2034
|
||||||
WHITE='\033[0m'
|
WHITE='\033[0m'
|
||||||
# Colors
|
# Colors
|
||||||
|
# shellcheck disable=2034
|
||||||
RED='\033[0;31m'
|
RED='\033[0;31m'
|
||||||
|
# shellcheck disable=2034
|
||||||
GREEN='\033[0;32m'
|
GREEN='\033[0;32m'
|
||||||
|
# shellcheck disable=2034
|
||||||
YELLOW='\033[0;33m'
|
YELLOW='\033[0;33m'
|
||||||
|
# shellcheck disable=2034
|
||||||
GRAY='\033[0;40m' # Gray
|
GRAY='\033[0;40m' # Gray
|
||||||
|
|
||||||
# Bold
|
# Bold
|
||||||
BRED='\033[1;31m' # Red
|
# shellcheck disable=2034
|
||||||
BGREEN='\033[1;32m' # Green
|
BRED='\033[1;31m' # Red
|
||||||
|
# shellcheck disable=2034
|
||||||
|
BGREEN='\033[1;32m' # Green
|
||||||
|
# shellcheck disable=2034
|
||||||
BYELLOW='\033[1;33m' # Yellow
|
BYELLOW='\033[1;33m' # Yellow
|
||||||
BWHITE='\033[1;37m' # White
|
# shellcheck disable=2034
|
||||||
|
BWHITE='\033[1;37m' # White
|
||||||
|
@ -23,7 +23,7 @@ SUDO_CMD=""
|
|||||||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||||||
|
|
||||||
# Arguments parsing
|
# Arguments parsing
|
||||||
while [[ $# > 0 ]]; do
|
while [[ $# -gt 0 ]]; do
|
||||||
ARG="$1"
|
ARG="$1"
|
||||||
case $ARG in
|
case $ARG in
|
||||||
--audit-all)
|
--audit-all)
|
||||||
|
10
lib/utils.sh
10
lib/utils.sh
@ -76,8 +76,10 @@ has_file_correct_ownership() {
|
|||||||
local FILE=$1
|
local FILE=$1
|
||||||
local USER=$2
|
local USER=$2
|
||||||
local GROUP=$3
|
local GROUP=$3
|
||||||
local USERID=$(id -u $USER)
|
local USERID
|
||||||
local GROUPID=$(getent group $GROUP | cut -d: -f3)
|
local GROUPID
|
||||||
|
USERID=$(id -u $USER)
|
||||||
|
GROUPID=$(getent group $GROUP | cut -d: -f3)
|
||||||
debug "$SUDO_CMD stat -c '%u %g' $FILE"
|
debug "$SUDO_CMD stat -c '%u %g' $FILE"
|
||||||
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
|
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -275,7 +277,8 @@ is_kernel_option_enabled() {
|
|||||||
# the admin compiled it separately later (or out-of-tree)
|
# the admin compiled it separately later (or out-of-tree)
|
||||||
# as a module (regardless of the fact that we have =m or not)
|
# as a module (regardless of the fact that we have =m or not)
|
||||||
debug "Checking if we have $MODULE_NAME.ko"
|
debug "Checking if we have $MODULE_NAME.ko"
|
||||||
local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
|
local modulefile
|
||||||
|
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
|
||||||
if $SUDO_CMD [ -n "$modulefile" ]; then
|
if $SUDO_CMD [ -n "$modulefile" ]; then
|
||||||
debug "We do have $modulefile!"
|
debug "We do have $modulefile!"
|
||||||
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
|
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
|
||||||
@ -433,6 +436,7 @@ get_debian_major_version() {
|
|||||||
if [ $FNRET ]; then
|
if [ $FNRET ]; then
|
||||||
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
||||||
else
|
else
|
||||||
|
# shellcheck disable=2034
|
||||||
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
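Review bot: Splitting the declaration from the assignment now exposes the exit status of `USERID=$(id -u $USER)` and `GROUPID=$(getent group $GROUP | cut -d: -f3)`, but nothing checks it; an unknown user or group yields an empty value and the comparison silently reports a mismatch, which the `apply()` callers in this commit treat as "needs fixing". Quoting the arguments and failing explicitly, e.g. `USERID=$(id -u "$USER") || { debug "unknown user $USER"; FNRET=1; return; }`, makes the misconfiguration visible in the log rather than in a failed chown later; `$FILE` in the `stat` call is unquoted as well. The same split-and-check pattern applies to `modulefile=$(...)` in the second hunk. `has_file_correct_ownership()` starts before this hunk, so the return convention is inferred from the FNRET checks visible elsewhere in the commit.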
@ -203,7 +203,7 @@ echo
|
|||||||
|
|
||||||
set +e
|
set +e
|
||||||
set +u
|
set +u
|
||||||
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
|
totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
|
||||||
# leave `exit 255` for runtime errors
|
# leave `exit 255` for runtime errors
|
||||||
[ $totalerrors -ge 255 ] && totalerrors=254
|
[ $totalerrors -ge 255 ] && totalerrors=254
|
||||||
exit $totalerrors
|
exit $totalerrors
|
||||||
|