IMP(shellcheck): fix quote placement in awk (SC1083)
This commit is contained in:
parent
8012234096
commit
ac66cdacd0
@ -20,7 +20,7 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
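Review bot: The mount-point list produced by the rewritten awk line is split on whitespace twice — awk's `print $6` keeps only the first word of a mount point that contains a space, and the unquoted `$FS_NAMES` in the `find` call two lines below splits it again — so such a filesystem is silently skipped and the `2>/dev/null` hides find's complaint, leaving the audit covering fewer directories than it reports on. Since `df -P` only guarantees that the mount point is everything after the fifth column, read the rest of the line into an array instead: `mapfile -t fs_names < <(df --local -P | awk 'NR!=1 {$1=$2=$3=$4=$5=""; sub(/^ +/, ""); print}')` and then `RESULT=$($SUDO_CMD find "${fs_names[@]}" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)`. The same applies to the `audit()` hunks of the other three scripts in this commit (the world-writable-files hunk and the two hunks headed `EXCLUDED=''`).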
@ -33,9 +33,9 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
else
|
||||
ok "All world writable directories have a sticky bit, nothing to apply"
|
||||
fi
|
||||
|
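Review bot: The remediation pipeline on the rewritten `df … | xargs chmod a+t` line hands directory names to the final `xargs` on whitespace boundaries, so a directory whose name contains a space, quote or newline is split into non-existent paths (and a name beginning with `-` is read by chmod as an option); chmod then fails on those fragments with errors that, unlike find's, are not suppressed. Letting find call chmod itself removes the extra delimiter step: `df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod a+t -- {} + 2>/dev/null`, which also restricts the change to the directories the audit selected rather than every world-writable directory. This path also runs `find` without the `$SUDO_CMD` prefix that `audit()` uses; presumably `apply()` always runs as root, but worth confirming. The same applies to the `apply()` hunks of the world-writable-files script and the two `EXCLUDED=''` scripts below.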
@ -20,7 +20,7 @@ DESCRIPTION="Ensure no world writable files exist"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are world writable files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable files are present"
|
||||
@ -33,10 +33,10 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "chmoding o-w all files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
||||
else
|
||||
ok "No world writable files found, nothing to apply"
|
||||
fi
|
||||
|
@ -23,7 +23,7 @@ EXCLUDED=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are unowned files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
else
|
||||
@ -41,13 +41,13 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Applying chown on all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
else
|
||||
ok "No unowned files found, nothing to apply"
|
||||
fi
|
||||
|
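Review bot: The rewritten `xargs chown $USER` line has no guard on `$USER`: if it is empty or unset, chown takes the first file name as its owner argument, and the unquoted expansion is also word-split. Add `: "${USER:?USER must be set}"` before the pipeline (a check that the name resolves, `id -u -- "$USER" >/dev/null`, is cheap too) and write `… -nouser -print0 2>/dev/null | xargs -0 chown -- "$USER"` so file names with spaces survive. Note too that this pipeline omits the `-regextype 'egrep' ! -regex "$EXCLUDED"` filter that the `RESULT=` computation above applies, so when `EXCLUDED` is set the files it was meant to exclude are still chowned; if that is unintended, the same `! -regex` clause belongs here. The same points apply to the `chgrp $GROUP` hunk of the ungrouped-files script below.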
@ -23,7 +23,7 @@ EXCLUDED=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are ungrouped files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
else
|
||||
@ -41,13 +41,13 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Applying chgrp on all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
else
|
||||
ok "No ungrouped files found, nothing to apply"
|
||||
fi
|
||||
|
@ -21,11 +21,11 @@ ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
|
||||
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
USERNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||
|
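Review bot: The `USERS=` lookup on the last line of the hunk compares the third colon-field of /etc/passwd with `n=$USERNAME`, but `USERNAME` was taken from the first field of `get_db passwd` (`cut -f1 -d":"`) at the top of the hunk; if `get_db` mirrors the passwd layout, field 3 is the numeric uid and the comparison can never match a name, so `USERS` stays empty — worth confirming what `get_db passwd` emits and whether `$1 == n` was intended. The two rewritten per-line awk calls can also be replaced by parameter expansions that need no subprocess and no unquoted here-string: `OCC_NUMBER=${LINE%%:*}` and `USERNAME=${LINE#*:}`, with `"$OCC_NUMBER"` quoted in the following test. The same applies to the `get_db group` hunk below, which additionally runs its lookup against `/etc/passwd` with `n=$GROUPNAME` rather than the group database. The loop body continues past the end of the hunk.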
@ -21,11 +21,11 @@ ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
|
||||
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||
|
@ -24,9 +24,9 @@ audit() {
|
||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<<$LINE)
|
||||
DIR=$(awk -F: {'print $3'} <<<$LINE)
|
||||
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS + 1))
|
||||
|
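Review bot: The `if` line below the three rewritten assignments tests `$USERID` and `$USER` unquoted; a passwd record with an empty uid or name field would turn `[ $USERID -ge 1000 ]` into a `[` syntax error instead of a finding, and an `-ge` test on a non-numeric value is likewise an error rather than false. Quote them, `if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then`, or guard with `[[ "$USERID" =~ ^[0-9]+$ ]]` first. Assigning to `USER` also clobbers the login name the environment exports to the script, so anything later that relies on `$USER` will see the last account iterated; a script-local name such as `ACCOUNT` avoids that. The same applies to the following `@ -27,9 +27,9 @@` hunk.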
@ -27,9 +27,9 @@ audit() {
|
||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: {'print $1'} <<<$LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<<$LINE)
|
||||
DIR=$(awk -F: {'print $3'} <<<$LINE)
|
||||
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS + 1))
|
||||
|
@ -327,12 +327,12 @@ is_mounted() {
|
||||
has_mount_option() {
|
||||
local PARTITION=$1
|
||||
local OPTION=$2
|
||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "bind"); then
|
||||
local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $1'})"
|
||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"); then
|
||||
local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
|
||||
debug "$PARTITION is a bind mount of $actual_partition"
|
||||
PARTITION="$actual_partition"
|
||||
fi
|
||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$OPTION"); then
|
||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"); then
|
||||
debug "$OPTION has been detected in fstab for partition $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
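Review bot: Both rewritten `if` lines keep the `if $(… | grep -q …)` form, which runs the pipeline in a substitution and then executes its empty output as a command; it only works because bash falls back to the substitution's exit status when the expansion yields no words (ShellCheck SC2091), so write `if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then` directly. More importantly for the result, `grep -q "$OPTION"` is a substring regex match on the comma-joined options column, so a check for `exec` is satisfied by `noexec`, `dev` by `nodev`, and `suid` by `nosuid`, reporting an option as present when its negation is what is configured; matching whole tokens, `awk '{print $4}' | tr ',' '\n' | grep -qxF -- "$OPTION"`, closes that. `${PARTITION}` is likewise interpolated as a regex, so a mount point containing `.` or `+` is not matched literally. The same applies to the `has_mounted_option()` hunk that follows.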
@ -345,7 +345,7 @@ has_mount_option() {
|
||||
has_mounted_option() {
|
||||
local PARTITION=$1
|
||||
local OPTION=$2
|
||||
if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then
|
||||
if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk '{print $4}' | grep -q "$2"); then
|
||||
debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
|
||||
FNRET=0
|
||||
else
|
||||
|
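Review bot: The rewritten `if` line still reads `$1` and `$2` although the two lines above copy them into `local PARTITION` and `local OPTION`, and the `debug` line below uses the locals; changing the grep to `grep "[[:space:]]${PARTITION}[[:space:]]" /proc/mounts | awk '{print $4}' | grep -q "$OPTION"` keeps the function consistent with `has_mount_option()` and gives the two locals a purpose. /proc/mounts encodes a space in a mount point as `\040`, so a `PARTITION` value containing a literal space can never match here. The function's `else` branch continues past the end of the hunk.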