diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 436aeb2..16fbae9 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if setuid is set on world writable Directories"
- FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+ FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
@@ -33,9 +33,9 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
- df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
 else
 ok "All world writable directories have a sticky bit, nothing to apply"
 fi
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index 4426181..84b6fbe 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
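Review bot: The unquoted `$FS_NAMES` on the `find` line right after the fixed one still splits the mount-point list on every whitespace character, so a mount point whose path contains a space is most likely handed to `find` as start points that do not exist, and the `2>/dev/null` hides that failure, so the audit can report a clean result for a filesystem it never scanned. The same construct is in the audit hunks of 6.1.10, 6.1.11 and 6.1.12. Reading the `df` output line by line keeps each mount point intact, e.g. `RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | while IFS= read -r fs; do $SUDO_CMD find "$fs" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null; done)`. audit() continues past the hunk.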
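Review bot: The restored remediation line still pipes `find` output into a bare `xargs chmod a+t`, so xargs re-splits names on whitespace and interprets quotes and backslashes; any local user can create and name a world-writable directory, so the arguments chmod receives are not necessarily the paths find reported. Use `-print0 | xargs -0 chmod a+t`, or let find apply the change itself with `-exec chmod a+t -- {} +`; the same applies to the `xargs chmod o-w`, `xargs chown $USER` and `xargs chgrp $GROUP` lines in the apply hunks of 6.1.10, 6.1.11 and 6.1.12, where a chown on a mis-split path is the more damaging outcome. Two smaller inconsistencies in this hunk: the remediation find drops the `! -perm -1000` filter that the detection find uses, and neither find is prefixed with `$SUDO_CMD` as audit() does.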
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure no world writable files exist"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are world writable files"
- FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+ FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
@@ -33,10 +33,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 warn "chmoding o-w all files in the system"
- df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
 else
 ok "No world writable files found, nothing to apply"
 fi
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index 3c464f6..c972440 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -23,7 +23,7 @@ EXCLUDED=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are unowned files"
- FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+ FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 if [ -n "$EXCLUDED" ]; then
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
 else
@@ -41,13 +41,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 if [ -n "$EXCLUDED" ]; then
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
 else
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
 fi
 if [ -n "$RESULT" ]; then
 warn "Applying chown on all unowned files in the system"
- df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
 else
 ok "No unowned files found, nothing to apply"
 fi
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index 717fc16..a4ccdd9 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@@ -23,7 +23,7 @@ EXCLUDED=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are ungrouped files"
- FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+ FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 if [ -n "$EXCLUDED" ]; then
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
 else
@@ -41,13 +41,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 if [ -n "$EXCLUDED" ]; then
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
 else
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+ RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
 fi
 if [ -n "$RESULT" ]; then
 warn "Applying chgrp on all ungrouped files in the system"
- df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
 else
 ok "No ungrouped files found, nothing to apply"
 fi
diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh
index b57771d..2e6cf99 100755
--- a/bin/hardening/6.2.18_check_duplicate_username.sh
+++ b/bin/hardening/6.2.18_check_duplicate_username.sh
@@ -21,11 +21,11 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
+ RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
 for LINE in $RESULT; do
 debug "Working on line $LINE"
- OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
- USERNAME=$(awk -F: {'print $2'} <<<$LINE)
+ OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
+ USERNAME=$(awk -F: '{print $2}' <<<$LINE)
 if [ $OCC_NUMBER -gt 1 ]; then
 # shellcheck disable=2034
 USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
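Review bot: The two restored `awk -F: … <<<$LINE` lines in 6.2.18 each spawn a process to split a two-field record that the shell can split itself, and the here-string is still unquoted; `IFS=: read -r OCC_NUMBER USERNAME <<<"$LINE"` replaces both lines. The same pattern is in 6.2.19 (`OCC_NUMBER`/`GROUPNAME`) and in 6.2.7 and 6.2.9 (`USER`/`USERID`/`DIR`, where `IFS=: read -r USER USERID DIR <<<"$LINE"` does the job). On the first changed line, `sort -n` applied to user names only groups duplicates because GNU sort falls back to a whole-line comparison when the numeric keys tie; plain `sort` states what `uniq -c` actually needs. audit() continues past the hunk.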
diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh
index 03180f3..67fc9ad 100755
--- a/bin/hardening/6.2.19_check_duplicate_groupname.sh
+++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh
@@ -21,11 +21,11 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
+ RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
 for LINE in $RESULT; do
 debug "Working on line $LINE"
- OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
- GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
+ OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
+ GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
 if [ $OCC_NUMBER -gt 1 ]; then
 # shellcheck disable=2034
 USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh
index 141bf90..1af3901 100755
--- a/bin/hardening/6.2.7_users_valid_homedir.sh
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh
@@ -24,9 +24,9 @@ audit() {
 RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
 for LINE in $RESULT; do
 debug "Working on $LINE"
- USER=$(awk -F: {'print $1'} <<<$LINE)
- USERID=$(awk -F: {'print $2'} <<<$LINE)
- DIR=$(awk -F: {'print $3'} <<<$LINE)
+ USER=$(awk -F: '{print $1}' <<<$LINE)
+ USERID=$(awk -F: '{print $2}' <<<$LINE)
+ DIR=$(awk -F: '{print $3}' <<<$LINE)
 if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
 crit "The home directory ($DIR) of user $USER does not exist."
 ERRORS=$((ERRORS + 1))
diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh
index 5dbdce4..527be79 100755
--- a/bin/hardening/6.2.9_users_valid_homedir.sh
+++ b/bin/hardening/6.2.9_users_valid_homedir.sh
@@ -27,9 +27,9 @@ audit() {
 RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
 for LINE in $RESULT; do
 debug "Working on $LINE"
- USER=$(awk -F: {'print $1'} <<<$LINE)
- USERID=$(awk -F: {'print $2'} <<<$LINE)
- DIR=$(awk -F: {'print $3'} <<<$LINE)
+ USER=$(awk -F: '{print $1}' <<<$LINE)
+ USERID=$(awk -F: '{print $2}' <<<$LINE)
+ DIR=$(awk -F: '{print $3}' <<<$LINE)
 if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
 crit "The home directory ($DIR) of user $USER does not exist."
 ERRORS=$((ERRORS + 1))
diff --git a/lib/utils.sh b/lib/utils.sh
index e2a2077..f477303 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -327,12 +327,12 @@ is_mounted() {
 has_mount_option() {
 local PARTITION=$1
 local OPTION=$2
- if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "bind"); then
- local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $1'})"
+ if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"); then
+ local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
 debug "$PARTITION is a bind mount of $actual_partition"
 PARTITION="$actual_partition"
 fi
- if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$OPTION"); then
+ if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"); then
 debug "$OPTION has been detected in fstab for partition $PARTITION"
 FNRET=0
 else
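Review bot: Both fixed `if` lines in has_mount_option keep the `if $(… | grep -q …); then` form, which runs the pipeline inside a command substitution and then tries to execute its output as a command; it only works because `grep -q` prints nothing, and the condition should be the pipeline itself: `if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then`. On the second of them, `grep -q "$OPTION"` is an unanchored regex match over the comma-separated options field, so an option name that is a substring of another mount option is reported as present; `grep -qw -- "$OPTION"` matches whole options only. The `if` in has_mounted_option, in the next hunk, has the same shape. The fixed `local actual_partition="$(…)"` line also masks the substitution's exit status, though nothing in the hunk reads it; has_mount_option continues past the hunk.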
@@ -345,7 +345,7 @@ has_mount_option() {
 has_mounted_option() {
 local PARTITION=$1
 local OPTION=$2
- if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then
+ if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk '{print $4}' | grep -q "$2"); then
 debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
 FNRET=0
 else
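Review bot: The fixed line still reads `$1` and `$2` although the two lines above it copied them into the locals `PARTITION` and `OPTION`, so the check and the debug message can drift apart if either local is ever adjusted; using the locals, dropping the `$(…)` wrapper that only stays harmless because `grep -q` is silent, and matching whole options gives `if grep "[[:space:]]${PARTITION}[[:space:]]" /proc/mounts | awk '{print $4}' | grep -qw -- "$OPTION"; then`. /proc/mounts encodes spaces in mount points as `\040`, so a caller passing a path containing a literal space will never match here; if that is accepted, a comment on the function saying so would save the next reader a debugging session. has_mounted_option continues past the hunk.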