mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 05:27:01 +01:00
IMP(shellcheck): fix quote placement in awk (SC1083)
This commit is contained in:
parent
8012234096
commit
ac66cdacd0
@ -20,7 +20,7 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Checking if setuid is set on world writable Directories"
|
info "Checking if setuid is set on world writable Directories"
|
||||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
crit "Some world writable directories are not on sticky bit mode!"
|
crit "Some world writable directories are not on sticky bit mode!"
|
||||||
@ -33,9 +33,9 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||||
else
|
else
|
||||||
ok "All world writable directories have a sticky bit, nothing to apply"
|
ok "All world writable directories have a sticky bit, nothing to apply"
|
||||||
fi
|
fi
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure no world writable files exist"
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Checking if there are world writable files"
|
info "Checking if there are world writable files"
|
||||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
crit "Some world writable files are present"
|
crit "Some world writable files are present"
|
||||||
@ -33,10 +33,10 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
warn "chmoding o-w all files in the system"
|
warn "chmoding o-w all files in the system"
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
||||||
else
|
else
|
||||||
ok "No world writable files found, nothing to apply"
|
ok "No world writable files found, nothing to apply"
|
||||||
fi
|
fi
|
||||||
|
@ -23,7 +23,7 @@ EXCLUDED=''
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Checking if there are unowned files"
|
info "Checking if there are unowned files"
|
||||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||||
if [ -n "$EXCLUDED" ]; then
|
if [ -n "$EXCLUDED" ]; then
|
||||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||||
else
|
else
|
||||||
@ -41,13 +41,13 @@ audit() {
|
|||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
if [ -n "$EXCLUDED" ]; then
|
if [ -n "$EXCLUDED" ]; then
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||||
else
|
else
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||||
fi
|
fi
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
warn "Applying chown on all unowned files in the system"
|
warn "Applying chown on all unowned files in the system"
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||||
else
|
else
|
||||||
ok "No unowned files found, nothing to apply"
|
ok "No unowned files found, nothing to apply"
|
||||||
fi
|
fi
|
||||||
|
@ -23,7 +23,7 @@ EXCLUDED=''
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
info "Checking if there are ungrouped files"
|
info "Checking if there are ungrouped files"
|
||||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||||
if [ -n "$EXCLUDED" ]; then
|
if [ -n "$EXCLUDED" ]; then
|
||||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||||
else
|
else
|
||||||
@ -41,13 +41,13 @@ audit() {
|
|||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
if [ -n "$EXCLUDED" ]; then
|
if [ -n "$EXCLUDED" ]; then
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||||
else
|
else
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||||
fi
|
fi
|
||||||
if [ -n "$RESULT" ]; then
|
if [ -n "$RESULT" ]; then
|
||||||
warn "Applying chgrp on all ungrouped files in the system"
|
warn "Applying chgrp on all ungrouped files in the system"
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||||
else
|
else
|
||||||
ok "No ungrouped files found, nothing to apply"
|
ok "No ungrouped files found, nothing to apply"
|
||||||
fi
|
fi
|
||||||
|
@ -21,11 +21,11 @@ ERRORS=0
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
|
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||||
for LINE in $RESULT; do
|
for LINE in $RESULT; do
|
||||||
debug "Working on line $LINE"
|
debug "Working on line $LINE"
|
||||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||||
USERNAME=$(awk -F: {'print $2'} <<<$LINE)
|
USERNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||||
if [ $OCC_NUMBER -gt 1 ]; then
|
if [ $OCC_NUMBER -gt 1 ]; then
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||||
|
@ -21,11 +21,11 @@ ERRORS=0
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
|
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||||
for LINE in $RESULT; do
|
for LINE in $RESULT; do
|
||||||
debug "Working on line $LINE"
|
debug "Working on line $LINE"
|
||||||
OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
|
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||||
GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
|
GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||||
if [ $OCC_NUMBER -gt 1 ]; then
|
if [ $OCC_NUMBER -gt 1 ]; then
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||||
|
@ -24,9 +24,9 @@ audit() {
|
|||||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||||
for LINE in $RESULT; do
|
for LINE in $RESULT; do
|
||||||
debug "Working on $LINE"
|
debug "Working on $LINE"
|
||||||
USER=$(awk -F: {'print $1'} <<<$LINE)
|
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||||
USERID=$(awk -F: {'print $2'} <<<$LINE)
|
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||||
DIR=$(awk -F: {'print $3'} <<<$LINE)
|
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||||
crit "The home directory ($DIR) of user $USER does not exist."
|
crit "The home directory ($DIR) of user $USER does not exist."
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
|
@ -27,9 +27,9 @@ audit() {
|
|||||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||||
for LINE in $RESULT; do
|
for LINE in $RESULT; do
|
||||||
debug "Working on $LINE"
|
debug "Working on $LINE"
|
||||||
USER=$(awk -F: {'print $1'} <<<$LINE)
|
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||||
USERID=$(awk -F: {'print $2'} <<<$LINE)
|
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||||
DIR=$(awk -F: {'print $3'} <<<$LINE)
|
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||||
crit "The home directory ($DIR) of user $USER does not exist."
|
crit "The home directory ($DIR) of user $USER does not exist."
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
|
@ -327,12 +327,12 @@ is_mounted() {
|
|||||||
has_mount_option() {
|
has_mount_option() {
|
||||||
local PARTITION=$1
|
local PARTITION=$1
|
||||||
local OPTION=$2
|
local OPTION=$2
|
||||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "bind"); then
|
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"); then
|
||||||
local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $1'})"
|
local actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
|
||||||
debug "$PARTITION is a bind mount of $actual_partition"
|
debug "$PARTITION is a bind mount of $actual_partition"
|
||||||
PARTITION="$actual_partition"
|
PARTITION="$actual_partition"
|
||||||
fi
|
fi
|
||||||
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$OPTION"); then
|
if $(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"); then
|
||||||
debug "$OPTION has been detected in fstab for partition $PARTITION"
|
debug "$OPTION has been detected in fstab for partition $PARTITION"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
else
|
else
|
||||||
@ -345,7 +345,7 @@ has_mount_option() {
|
|||||||
has_mounted_option() {
|
has_mounted_option() {
|
||||||
local PARTITION=$1
|
local PARTITION=$1
|
||||||
local OPTION=$2
|
local OPTION=$2
|
||||||
if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then
|
if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk '{print $4}' | grep -q "$2"); then
|
||||||
debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
|
debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
else
|
else
|
||||||
|
Loading…
Reference in New Issue
Block a user