mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
IMP(shellcheck): fix harmless warnings
parent
63835dd10c
commit
8012234096
@ -114,7 +114,7 @@ fi
|
||||
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||
|
||||
# Arguments parsing
|
||||
while [[ $# > 0 ]]; do
|
||||
while [[ $# -gt 0 ]]; do
|
||||
ARG="$1"
|
||||
case $ARG in
|
||||
--audit)
|
||||
|
@ -14,6 +14,7 @@ set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
HARDENING_EXCEPTION=gw
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable IP forwarding."
|
||||
|
@ -17,6 +17,7 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
|
||||
|
||||
# shellcheck disable=2034
|
||||
SERVICE_NAME="syslog-ng"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
@ -46,7 +46,7 @@ apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIRlogs ownership to $PERMISSIONS"
|
||||
warn "fixing $DIR logs ownership to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
done
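Review bot: The corrected message in the `else` branch still says "ownership" although the command under it is `chmod 0"$PERMISSIONS" "$FILE"`, so the log misreports which attribute was changed. It should read `warn "fixing $DIR logs permissions to $PERMISSIONS"`, the same wording fix this commit applies to the SSH key scripts. The old `$DIRlogs` expanded an undefined variable, which aborts the run if this script sets `set -u` as the others on this page do, so the change is more than cosmetic. The loop and apply() start outside the hunk.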
|
||||
|
@ -16,6 +16,7 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
|
||||
|
||||
# shellcheck disable=2034
|
||||
SERVICE_NAME="syslog-ng"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
@ -59,27 +59,26 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
else
|
||||
warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
|
||||
warn "fixing $DIR SSH private keys permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
done
|
||||
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
else
|
||||
warn "fixing $DIR SSH private keys ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
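Review bot: As rendered, apply() now runs the `chmod` loop before the `chown` loop, so a host private key that starts out owned by an unexpected account has its mode tightened while that account still owns it and can loosen it again before ownership is corrected. Running the ownership loop first and the permissions loop second removes that window. The order is inferred from the page, since the +/- markers are lost, so confirm it against the file. Separately, both loops iterate over `$($SUDO_CMD find $DIR ...)` with `$DIR` unquoted, which ShellCheck reports as SC2044/SC2086 and which this cleanup leaves in place.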
|
||||
|
@ -82,7 +82,7 @@ apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
|
||||
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
@ -94,7 +94,7 @@ apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
|
||||
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
done
|
||||
|
@ -27,6 +27,7 @@ audit() {
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
USERNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "Duplicate username $USERNAME"
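Review bot: The added `# shellcheck disable=2034` hides the fact that `USERS` is never used, and the assignment looks like a leftover from a duplicate-UID check, because it compares the UID field (`$3 == n`) with `$USERNAME`. Rather than suppressing the warning, either delete the line or correct the lookup and include its result in the `crit` message so the finding names the affected accounts. The duplicate-groupname hunk that follows carries the same suppressed assignment, there comparing `$3` of /etc/passwd with `$GROUPNAME`. The unquoted `<<<$LINE` and `[ $OCC_NUMBER -gt 1 ]` remain in both hunks. audit() starts and ends outside the hunk.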
|
||||
|
@ -27,6 +27,7 @@ audit() {
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "Duplicate groupname $GROUPNAME"
|
||||
|
@ -15,6 +15,7 @@ backup_file() {
|
||||
TARGET="$BACKUPDIR/$TARGET"
|
||||
debug "Backuping $FILE to $TARGET"
|
||||
cp -a $FILE $TARGET
|
||||
# shellcheck disable=2034
|
||||
FNRET=0
|
||||
fi
|
||||
}
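Review bot: `FNRET=0` is assigned directly after `cp -a $FILE $TARGET` without looking at the copy's exit status, so unless the caller runs under `set -e` (not visible here) a failed backup is reported as success before the hardening change is applied. The unquoted operands also let a path with whitespace or a leading dash change what is copied. I would write `if cp -a -- "$FILE" "$TARGET"; then FNRET=0; else FNRET=1; fi`, assuming non-zero FNRET means failure here as it does in the other helpers. backup_file starts outside the hunk.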
|
||||
|
@ -8,16 +8,26 @@ export LANG=C
|
||||
#### Useful Color constants settings for loglevels
|
||||
|
||||
# Reset Color (for syslog)
|
||||
# shellcheck disable=2034
|
||||
NC='\033[0m'
|
||||
# shellcheck disable=2034
|
||||
WHITE='\033[0m'
|
||||
# Colors
|
||||
# shellcheck disable=2034
|
||||
RED='\033[0;31m'
|
||||
# shellcheck disable=2034
|
||||
GREEN='\033[0;32m'
|
||||
# shellcheck disable=2034
|
||||
YELLOW='\033[0;33m'
|
||||
# shellcheck disable=2034
|
||||
GRAY='\033[0;40m' # Gray
|
||||
|
||||
# Bold
|
||||
# shellcheck disable=2034
|
||||
BRED='\033[1;31m' # Red
|
||||
# shellcheck disable=2034
|
||||
BGREEN='\033[1;32m' # Green
|
||||
# shellcheck disable=2034
|
||||
BYELLOW='\033[1;33m' # Yellow
|
||||
# shellcheck disable=2034
|
||||
BWHITE='\033[1;37m' # White
|
||||
|
@ -23,7 +23,7 @@ SUDO_CMD=""
|
||||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||||
|
||||
# Arguments parsing
|
||||
while [[ $# > 0 ]]; do
|
||||
while [[ $# -gt 0 ]]; do
|
||||
ARG="$1"
|
||||
case $ARG in
|
||||
--audit-all)
|
||||
|
10
lib/utils.sh
10
lib/utils.sh
@ -76,8 +76,10 @@ has_file_correct_ownership() {
|
||||
local FILE=$1
|
||||
local USER=$2
|
||||
local GROUP=$3
|
||||
local USERID=$(id -u $USER)
|
||||
local GROUPID=$(getent group $GROUP | cut -d: -f3)
|
||||
local USERID
|
||||
local GROUPID
|
||||
USERID=$(id -u $USER)
|
||||
GROUPID=$(getent group $GROUP | cut -d: -f3)
|
||||
debug "$SUDO_CMD stat -c '%u %g' $FILE"
|
||||
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
|
||||
FNRET=0
|
||||
@ -275,7 +277,8 @@ is_kernel_option_enabled() {
|
||||
# the admin compiled it separately later (or out-of-tree)
|
||||
# as a module (regardless of the fact that we have =m or not)
|
||||
debug "Checking if we have $MODULE_NAME.ko"
|
||||
local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
|
||||
local modulefile
|
||||
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
|
||||
if $SUDO_CMD [ -n "$modulefile" ]; then
|
||||
debug "We do have $modulefile!"
|
||||
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
|
||||
@ -433,6 +436,7 @@ get_debian_major_version() {
|
||||
if [ $FNRET ]; then
|
||||
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
|
||||
else
|
||||
# shellcheck disable=2034
|
||||
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
|
||||
fi
|
||||
}
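Review bot: In get_debian_major_version, `if [ $FNRET ]; then` only tests that the expansion is non-empty, so it is true for both `0` and `1` and the `lsb_release` fallback in the `else` branch is effectively never taken. The condition should be `if [ "$FNRET" = 0 ]; then`, matching the checks in the other scripts of this commit. Whatever sets FNRET is outside the hunk, so confirm which value means "file present". In has_file_correct_ownership the split `local`/assignment now exposes the exit status of `id -u` and `getent`, but nothing checks it, and `$USER`, `$GROUP` and `$FILE` are still unquoted.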
|
||||
|
@ -203,7 +203,7 @@ echo
|
||||
|
||||
set +e
|
||||
set +u
|
||||
let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
|
||||
totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
|
||||
# leave `exit 255` for runtime errors
|
||||
[ $totalerrors -ge 255 ] && totalerrors=254
|
||||
exit $totalerrors
|
||||
|