elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 13:07:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shellcheck): quote variables (SC2086)

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-07 17:11:32 +01:00
parent 6826f377e6
commit b09b75a51e
24 changed files with 142 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -32,7 +32,7 @@ audit() {
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
@ -52,20 +52,20 @@ apply() {
ok "$FILE exists"
fi
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi
else
ok "$PATTERN is present in $FILE"

2
bin/hardening/5.2.19_ssh_banner.sh
View File

@ -81,7 +81,7 @@ EOF
# This function will check config parameters required
check_config() {
if [ -z $BANNER_FILE ]; then
if [ -z "$BANNER_FILE" ]; then
info "BANNER_FILE is not set, defaults to wildcard"
BANNER_FILE='/etc/issue.net'
fi

20
bin/hardening/5.3.1_enable_pwquality.sh
View File

@ -32,17 +32,17 @@ audit() {
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN_COMMON is present in $FILE_COMMON"
else
crit "$PATTERN_COMMON is not present in $FILE_COMMON"
fi
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
@ -71,20 +71,20 @@ apply() {
fi
for PW_OPT in $OPTIONS; do
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
does_pattern_exist_in_file $FILE_QUALITY $PATTERN
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE_QUALITY"
else
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
does_pattern_exist_in_file $FILE_QUALITY "^${PW_PARAM}"
does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
fi
fi
done

16
bin/hardening/5.4.1.1_set_password_exp_days.sh
View File

@ -29,8 +29,8 @@ audit() {
else
ok "$PACKAGE is installed"
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
@ -52,20 +52,20 @@ apply() {
apt_install "$PACKAGE"
fi
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
else
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi
fi
done

16
bin/hardening/5.4.1.2_set_password_min_days_change.sh
View File

@ -29,10 +29,10 @@ audit() {
else
ok "$PACKAGE is installed"
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -52,20 +52,20 @@ apply() {
apt_install "$PACKAGE"
fi
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
else
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi
fi
done

14
bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
View File

@ -29,8 +29,8 @@ audit() {
else
ok "$PACKAGE is installed"
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
@ -52,20 +52,20 @@ apply() {
apt_install "$PACKAGE"
fi
for SHADOW_OPTION in $OPTIONS; do
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
else
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
fi
fi
done

8
bin/hardening/5.4.2_disable_system_accounts.sh
View File

@ -32,11 +32,11 @@ audit() {
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$(echo $LINE | cut -d: -f 1)
ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
@ -59,11 +59,11 @@ apply() {
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$(echo $LINE | cut -d: -f 1)
ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else

2
bin/hardening/5.4.3_default_root_group.sh
View File

@ -35,7 +35,7 @@ apply() {
ok "Root group GID is $EXPECTED_GID"
else
warn "Root group GID is not $EXPECTED_GID -- Fixing"
usermod -g $EXPECTED_GID $USER
usermod -g "$EXPECTED_GID" "$USER"
fi
}

6
bin/hardening/5.4.4_default_umask.sh
View File

@ -26,7 +26,7 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
audit() {
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if [ "$SEARCH_RES" = 1 ]; then break; fi
if test -d "$FILE_SEARCHED"; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls "$FILE_SEARCHED"); do
@ -49,7 +49,7 @@ audit() {
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
if [ "$SEARCH_RES" = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH"
fi
}
@ -85,7 +85,7 @@ apply() {
warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch "$FILE"
chmod 644 "$FILE"
add_end_of_file $FILE "$PATTERN"
add_end_of_file "$FILE" "$PATTERN"
fi
}

4
bin/hardening/5.6_restrict_su.sh
View File

@ -28,7 +28,7 @@ audit() {
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else
@ -46,7 +46,7 @@ apply() {
crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE"
fi
does_pattern_exist_in_file $FILE $PATTERN
does_pattern_exist_in_file "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
ok "$PATTERN is present in $FILE"
else

2
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -31,7 +31,7 @@ audit() {
fi
if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No ungrouped files found"

8
bin/hardening/6.2.18_check_duplicate_username.sh
View File

@ -24,11 +24,11 @@ audit() {
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
USERNAME=$(awk -F: '{print $2}' <<<$LINE)
if [ $OCC_NUMBER -gt 1 ]; then
OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
USERNAME=$(awk -F: '{print $2}' <<<"$LINE")
if [ "$OCC_NUMBER" -gt 1 ]; then
# shellcheck disable=2034
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)
ERRORS=$((ERRORS + 1))
crit "Duplicate username $USERNAME"
fi

8
bin/hardening/6.2.19_check_duplicate_groupname.sh
View File

@ -24,11 +24,11 @@ audit() {
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
if [ $OCC_NUMBER -gt 1 ]; then
OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
GROUPNAME=$(awk -F: '{print $2}' <<<"$LINE")
if [ "$OCC_NUMBER" -gt 1 ]; then
# shellcheck disable=2034
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPNAME" /etc/passwd | xargs)
ERRORS=$((ERRORS + 1))
crit "Duplicate groupname $GROUPNAME"
fi

2
bin/hardening/6.2.1_remove_empty_password_field.sh
View File

@ -36,7 +36,7 @@ apply() {
warn "Some accounts have an empty password"
for ACCOUNT in $RESULT; do
info "Locking $ACCOUNT"
passwd -l $ACCOUNT >/dev/null 2>&1
passwd -l "$ACCOUNT" >/dev/null 2>&1
done
else
ok "All accounts have a password"

4
bin/hardening/6.2.20_shadow_group_empty.sh
View File

@ -22,7 +22,7 @@ PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode
audit() {
does_pattern_exist_in_file $FILEGROUP $PATTERN
does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"
if [ "$FNRET" = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
@ -35,7 +35,7 @@ audit() {
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID" /etc/passwd)
if [ -n "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
else

12
bin/hardening/6.2.2_remove_legacy_passwd_entries.sh
View File

@ -23,10 +23,10 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if accounts have a legacy password entry"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
if grep '^+:' "$FILE" -q; then
RESULT=$(grep '^+:' "$FILE")
crit "Some accounts have a legacy password entry"
crit $RESULT
crit "$RESULT"
else
ok "All accounts have a valid password entry format"
fi
@ -34,12 +34,12 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
if grep '^+:' "$FILE" -q; then
RESULT=$(grep '^+:' "$FILE")
warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
delete_line_in_file "$FILE" "$LINE"
done
else
ok "All accounts have a valid password entry format"

8
bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
View File

@ -23,10 +23,10 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if accounts have a legacy password entry"
if $SUDO_CMD grep '^+:' $FILE -q; then
RESULT=$($SUDO_CMD grep '^+:' $FILE)
if $SUDO_CMD grep '^+:' "$FILE" -q; then
RESULT=$($SUDO_CMD grep '^+:' "$FILE")
crit "Some accounts have a legacy password entry"
crit $RESULT
crit "$RESULT"
else
ok "All accounts have a valid password entry format"
fi
@ -39,7 +39,7 @@ apply() {
warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
delete_line_in_file "$FILE" "$LINE"
done
else
ok "All accounts have a valid password entry format"

12
bin/hardening/6.2.4_remove_legacy_group_entries.sh
View File

@ -23,10 +23,10 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if accounts have a legacy group entry"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
if grep '^+:' "$FILE" -q; then
RESULT=$(grep '^+:' "$FILE")
crit "Some accounts have a legacy group entry"
crit $RESULT
crit "$RESULT"
else
ok "All accounts have a valid group entry format"
fi
@ -34,12 +34,12 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
if grep '^+:' "$FILE" -q; then
RESULT=$(grep '^+:' "$FILE")
warn "Some accounts have a legacy group entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
delete_line_in_file "$FILE" "$LINE"
done
else
ok "All accounts have a valid group entry format"

8
bin/hardening/6.2.7_users_valid_homedir.sh
View File

@ -24,10 +24,10 @@ audit() {
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<$LINE)
USERID=$(awk -F: '{print $2}' <<<$LINE)
DIR=$(awk -F: '{print $3}' <<<$LINE)
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1))
fi

8
bin/hardening/6.2.9_users_valid_homedir.sh
View File

@ -27,10 +27,10 @@ audit() {
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: '{print $1}' <<<$LINE)
USERID=$(awk -F: '{print $2}' <<<$LINE)
DIR=$(awk -F: '{print $3}' <<<$LINE)
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
USER=$(awk -F: '{print $1}' <<<"$LINE")
USERID=$(awk -F: '{print $2}' <<<"$LINE")
DIR=$(awk -F: '{print $3}' <<<"$LINE")
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS + 1))
fi

4
bin/hardening/99.5.4_ssh_keys_from.sh
View File

@ -42,7 +42,7 @@ check_ip() {
bad_ips=""
for ip in $ips; do
ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
if grep -qw "$ip_escaped" <<<$ALLOWED_IPS; then
if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
debug "Line $linum of $file allows access from exused IP (${ip})."
ok_ips_allowed+="$ip "
else
@ -93,7 +93,7 @@ check_dir() {
return
fi
for file in $AUTHKEYFILE_PATTERN; do
check_file "${directory}"/${file}
check_file "${directory}"/"${file}"
done
}

26
lib/common.sh
View File

@ -7,14 +7,14 @@
#
backup_file() {
FILE=$1
if [ ! -f $FILE ]; then
if [ ! -f "$FILE" ]; then
crit "Cannot backup $FILE, it's not a file"
FNRET=1
else
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
TARGET=$(echo "$FILE" | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
TARGET="$BACKUPDIR/$TARGET"
debug "Backuping $FILE to $TARGET"
cp -a $FILE $TARGET
cp -a "$FILE" "$TARGET"
# shellcheck disable=2034
FNRET=0
fi
@ -48,10 +48,10 @@ esac
_logger() {
COLOR=$1
shift
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0")
builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"
SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*"
}
becho() {
@ -67,37 +67,37 @@ cecho() {
}
crit() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi
fi
# This variable incrementation is used to measure failure or success in tests
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1))
}
warn() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi
fi
}
ok() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi
fi
}
info() {
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
if [ "$MACHINE_LOG_LEVEL" -ge 4 ]; then _logger '' "[INFO] $*"; fi
}
debug() {
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
}
#

32
lib/main.sh
View File

@ -1,7 +1,7 @@
# shellcheck shell=bash
# run-shellcheck
LONG_SCRIPT_NAME=$(basename $0)
LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
@ -11,13 +11,13 @@ status=""
forcedstatus=""
SUDO_CMD=""
# shellcheck source=constants.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@ -50,7 +50,7 @@ while [[ $# -gt 0 ]]; do
BATCH_MODE=1
LOGLEVEL=ok
# shellcheck source=../lib/common.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
;;
*)
debug "Unknown option passed"
@ -63,15 +63,15 @@ info "Working on $SCRIPT_NAME"
info "[DESCRIPTION] $DESCRIPTION"
# Source specific configuration file
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
if ! [ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ]; then
# If it doesn't exist, create it with default values
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
# If create_config is a defined function, execute it.
# Otherwise, just disable the test by default.
if type -t create_config | grep -qw function; then
create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
create_config >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
else
echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "status=audit" >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
fi
fi
@ -81,7 +81,7 @@ if [ "$forcedstatus" = "createconfig" ]; then
exit 0
fi
# shellcheck source=/dev/null
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
[ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ] && . "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
# Now check configured value for status, and potential cmdline parameter
if [ "$forcedstatus" = "auditall" ]; then
@ -97,7 +97,7 @@ elif [ "$forcedstatus" = "audit" ]; then
fi
fi
if [ -z $status ]; then
if [ -z "$status" ]; then
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
exit 2
@ -127,18 +127,18 @@ disabled | false)
;;
esac
if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
if [ $BATCH_MODE -eq 1 ]; then
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
becho $BATCH_OUTPUT
becho "$BATCH_OUTPUT"
else
ok "Check Passed"
fi
exit 0 # Means ok status
else
if [ $BATCH_MODE -eq 1 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
becho $BATCH_OUTPUT
becho "$BATCH_OUTPUT"
else
crit "Check Failed"
fi

50
lib/utils.sh
View File

@ -11,7 +11,7 @@ has_sysctl_param_expected_result() {
local SYSCTL_PARAM=$1
local EXP_RESULT=$2
if [ "$($SUDO_CMD sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
FNRET=0
elif [ $? = 255 ]; then
debug "$SYSCTL_PARAM does not exist"
@ -35,7 +35,7 @@ set_sysctl_param() {
local SYSCTL_PARAM=$1
local VALUE=$2
debug "Setting $SYSCTL_PARAM to $VALUE"
if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
FNRET=0
elif [ $? = 255 ]; then
debug "$SYSCTL_PARAM does not exist"
@ -65,7 +65,7 @@ does_pattern_exist_in_dmesg() {
does_file_exist() {
local FILE=$1
if $SUDO_CMD [ -e $FILE ]; then
if $SUDO_CMD [ -e "$FILE" ]; then
FNRET=0
else
FNRET=1
@ -78,10 +78,10 @@ has_file_correct_ownership() {
local GROUP=$3
local USERID
local GROUPID
USERID=$(id -u $USER)
GROUPID=$(getent group $GROUP | cut -d: -f3)
USERID=$(id -u "$USER")
GROUPID=$(getent group "$GROUP" | cut -d: -f3)
debug "$SUDO_CMD stat -c '%u %g' $FILE"
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then
FNRET=0
else
FNRET=1
@ -92,7 +92,7 @@ has_file_correct_permissions() {
local FILE=$1
local PERMISSIONS=$2
if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then
FNRET=0
else
FNRET=1
@ -117,7 +117,7 @@ _does_pattern_exist_in_file() {
debug "Checking if $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE"
if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then
if $($SUDO_CMD grep -q "$OPTIONS" -- "$PATTERN" "$FILE"); then
debug "Pattern found in $FILE"
FNRET=0
else
@ -148,7 +148,7 @@ does_pattern_exist_in_file_multiline() {
debug "Checking if multiline pattern: $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN""
if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
if $($SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
debug "Pattern found in $FILE"
FNRET=0
else
@ -167,7 +167,7 @@ add_end_of_file() {
debug "Adding $LINE at the end of $FILE"
backup_file "$FILE"
echo "$LINE" >>$FILE
echo "$LINE" >>"$FILE"
}
add_line_file_before_pattern() {
@ -177,9 +177,9 @@ add_line_file_before_pattern() {
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" $FILE
sed -i "/$PATTERN/i $LINE" "$FILE"
FNRET=0
}
@ -190,9 +190,9 @@ replace_in_file() {
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE)
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
FNRET=0
}
@ -202,9 +202,9 @@ delete_line_in_file() {
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" $FILE
sed -i "/$PATTERN/d" "$FILE"
FNRET=0
}
@ -214,7 +214,7 @@ delete_line_in_file() {
does_user_exist() {
local USER=$1
if $(getent passwd $USER >/dev/null 2>&1); then
if $(getent passwd "$USER" >/dev/null 2>&1); then
FNRET=0
else
FNRET=1
@ -223,7 +223,7 @@ does_user_exist() {
does_group_exist() {
local GROUP=$1
if $(getent group $GROUP >/dev/null 2>&1); then
if $(getent group "$GROUP" >/dev/null 2>&1); then
FNRET=0
else
FNRET=1
@ -370,7 +370,7 @@ add_option_to_fstab() {
remount_partition() {
local PARTITION=$1
debug "Remounting $PARTITION"
mount -o remount $PARTITION
mount -o remount "$PARTITION"
}
#
@ -393,23 +393,23 @@ apt_update_if_needed() {
apt_check_updates() {
local NAME="$1"
local DETAILS="/dev/shm/${NAME}"
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS" || :
local COUNT=$(wc -l <"$DETAILS")
FNRET=128 # Unknown function return result
RESULT="" # Result output for upgrade
if [ $COUNT -gt 0 ]; then
RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
if [ "$COUNT" -gt 0 ]; then
RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
FNRET=1
else
RESULT="OK, no updates available"
FNRET=0
fi
rm $DETAILS
rm "$DETAILS"
}
apt_install() {
local PACKAGE=$1
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install "$PACKAGE" -y
FNRET=0
}
@ -419,7 +419,7 @@ apt_install() {
is_pkg_installed() {
PKG_NAME=$1
if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
if $(dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '); then
debug "$PKG_NAME is installed"
FNRET=0
else