diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index 282dcc3..354bb14 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -32,7 +32,7 @@ audit() {
 AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE"
 else
@@ -52,20 +52,20 @@ apply() {
 ok "$FILE exists"
 fi
 for AUDIT_OPTION in $OPTIONS; do
- AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
- AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
+ AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
+ does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
- add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+ add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
 else
 info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh
index e0a17c4..3a50778 100755
--- a/bin/hardening/5.2.19_ssh_banner.sh
+++ b/bin/hardening/5.2.19_ssh_banner.sh
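Review bot: The first `does_pattern_exist_in_file $FILE "$PATTERN"` call in apply(), right after the `PATTERN=` assignment, still passes `$FILE` unquoted while every sibling call in this hunk is now quoted; change it to `does_pattern_exist_in_file "$FILE" "$PATTERN"` so the hunk is consistent with its own intent. The same unquoted context call survives in 5.4.1.1 audit(), 5.4.1.2 apply() (the `"^${SHADOW_PARAM}"` lookup), 5.4.1.3 audit() and apply(), and as `grep -E "$PATTERN" $FILEGROUP` in 6.2.20 audit(). apply() continues outside the hunk.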
@@ -81,7 +81,7 @@ EOF # This function will check config parameters required check_config() { - if [ -z $BANNER_FILE ]; then + if [ -z "$BANNER_FILE" ]; then info "BANNER_FILE is not set, defaults to wildcard" BANNER_FILE='/etc/issue.net' fi diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh index 6d53d3c..2099dff 100755 --- a/bin/hardening/5.3.1_enable_pwquality.sh +++ b/bin/hardening/5.3.1_enable_pwquality.sh @@ -32,17 +32,17 @@ audit() { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON + does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON" if [ "$FNRET" = 0 ]; then ok "$PATTERN_COMMON is present in $FILE_COMMON" else crit "$PATTERN_COMMON is not present in $FILE_COMMON" fi for PW_OPT in $OPTIONS; do - PW_PARAM=$(echo $PW_OPT | cut -d= -f1) - PW_VALUE=$(echo $PW_OPT | cut -d= -f2) + PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1) + PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2) PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE" - does_pattern_exist_in_file $FILE_QUALITY "$PATTERN" + does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE_QUALITY" 
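Review bot: The info message `BANNER_FILE is not set, defaults to wildcard` does not describe what the next line does, which is to assign the fixed path '/etc/issue.net'; change it to `info "BANNER_FILE is not set, defaults to /etc/issue.net"`. check_config() may continue outside the hunk.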
@@ -71,20 +71,20 @@ apply() { fi for PW_OPT in $OPTIONS; do - PW_PARAM=$(echo $PW_OPT | cut -d= -f1) - PW_VALUE=$(echo $PW_OPT | cut -d= -f2) + PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1) + PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2) PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE" - does_pattern_exist_in_file $FILE_QUALITY $PATTERN + does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE_QUALITY" else warn "$PATTERN is not present in $FILE_QUALITY, adding it" - does_pattern_exist_in_file $FILE_QUALITY "^${PW_PARAM}" + does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE" + add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE" + replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE" fi fi done diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh index 1bb6f43..1ef273e 100755 --- a/bin/hardening/5.4.1.1_set_password_exp_days.sh +++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh @@ -29,8 +29,8 @@ audit() { else ok "$PACKAGE is installed" for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then 
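Review bot: `replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" ...` uses a source regex whose `*` quantifies the last character of the parameter name, so it matches any line that begins with the name minus its final character (constructed example: for `minlen` the pattern `^minlen*.*` also rewrites a line starting with `minle`). The sibling scripts in this commit anchor on the separator; use `"^${PW_PARAM}[[:space:]]*=.*"` here too. Two lines above, the info message interpolates `$SSH_PARAM`, which is not assigned anywhere in this file's hunks; it should read `$PW_PARAM`.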
@@ -52,20 +52,20 @@ apply() { apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" + add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" + replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh index ffc505d..3c81992 100755 --- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh @@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
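Review bot: `SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)` and the `SHADOW_VALUE` line below it spawn a subshell and a pipe per option where parameter expansion does the job in-process: `SHADOW_PARAM=${SHADOW_OPTION%%=*}` and `SHADOW_VALUE=${SHADOW_OPTION#*=}`. For `NAME=VALUE` tokens with a single `=` the results are identical; with more than one `=`, `cut -f 2` drops the tail while `#*=` keeps the whole value, which is the more useful reading. The same pair appears in the audit() hunks of 5.4.1.1, 5.4.1.2 and 5.4.1.3 and in the AUDIT_ and PW_ loops of 4.1.1.2 and 5.3.1.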
@@ -52,20 +52,20 @@ apply() { apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" + add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" + replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh index 3fed978..ab523ef 100755 --- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -29,8 +29,8 @@ audit() { else ok "$PACKAGE is installed" for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then 
@@ -52,20 +52,20 @@ apply() { apt_install "$PACKAGE" fi for SHADOW_OPTION in $OPTIONS; do - SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) - SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1) + SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2) PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}" + does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" + add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" + replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh index a6f00cd..12a0d65 100755 --- a/bin/hardening/5.4.2_disable_system_accounts.sh +++ b/bin/hardening/5.4.2_disable_system_accounts.sh @@ -32,11 +32,11 @@ audit() { IFS=$'\n' for LINE in $RESULT; do debug "line : $LINE" - ACCOUNT=$(echo $LINE | cut -d: -f 1) + ACCOUNT=$(echo "$LINE" | cut -d: -f 1) debug "Account : $ACCOUNT" debug "Exceptions : $EXCEPTIONS" debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" - if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then debug "$ACCOUNT is confirmed as an exception" RESULT=$(sed "s!$LINE!!" <<<"$RESULT") else 
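Review bot: `grep -q "$ACCOUNT"` still treats the account name as an unanchored regex over `$EXCEPTIONS`, so an account whose name is a prefix or substring of an exception (constructed example: `sys` against an exception `syslog`) is wrongly accepted as an exception, and regex metacharacters in a name change what is matched. If EXCEPTIONS is a whitespace-separated list of names, as the debug line above suggests, `grep -qwF -- "$ACCOUNT"` gives whole-word literal matching. The apply() hunk of the same file on the next line has the identical test. Both functions continue outside their hunks.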
@@ -59,11 +59,11 @@ apply() { IFS=$'\n' for LINE in $RESULT; do debug "line : $LINE" - ACCOUNT=$(echo $LINE | cut -d: -f 1) + ACCOUNT=$(echo "$LINE" | cut -d: -f 1) debug "Account : $ACCOUNT" debug "Exceptions : $EXCEPTIONS" debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" - if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then debug "$ACCOUNT is confirmed as an exception" RESULT=$(sed "s!$LINE!!" <<<"$RESULT") else diff --git a/bin/hardening/5.4.3_default_root_group.sh b/bin/hardening/5.4.3_default_root_group.sh index edc9fd9..a807e3b 100755 --- a/bin/hardening/5.4.3_default_root_group.sh +++ b/bin/hardening/5.4.3_default_root_group.sh @@ -35,7 +35,7 @@ apply() { ok "Root group GID is $EXPECTED_GID" else warn "Root group GID is not $EXPECTED_GID -- Fixing" - usermod -g $EXPECTED_GID $USER + usermod -g "$EXPECTED_GID" "$USER" fi } diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh index 18df5f7..9f29ca0 100755 --- a/bin/hardening/5.4.4_default_umask.sh +++ b/bin/hardening/5.4.4_default_umask.sh @@ -26,7 +26,7 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh' audit() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ $SEARCH_RES = 1 ]; then break; fi + if [ "$SEARCH_RES" = 1 ]; then break; fi if test -d "$FILE_SEARCHED"; then debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls "$FILE_SEARCHED"); do @@ -49,7 +49,7 @@ audit() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then crit "$PATTERN is not present in $FILES_TO_SEARCH" fi } @@ -85,7 +85,7 @@ apply() { warn "$PATTERN is not present in $FILES_TO_SEARCH" touch "$FILE" chmod 644 "$FILE" - add_end_of_file $FILE "$PATTERN" + add_end_of_file "$FILE" "$PATTERN" fi } diff --git a/bin/hardening/5.6_restrict_su.sh b/bin/hardening/5.6_restrict_su.sh index e5bce45..c34d6fb 100755 --- a/bin/hardening/5.6_restrict_su.sh +++ b/bin/hardening/5.6_restrict_su.sh 
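Review bot: `usermod -g "$EXPECTED_GID" "$USER"` in 5.4.3 apply() modifies whichever account `$USER` names; nothing in this hunk assigns USER, so if the script does not set it elsewhere the value is inherited from the caller's environment and the account changed depends on how the script is launched rather than on the check. If the root account is meant, as the file name suggests, name it explicitly, `usermod -g "$EXPECTED_GID" root`, or use a script-level variable assigned next to EXPECTED_GID.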
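Review bot: In 5.4.4 audit(), `for file_in_dir in $(ls "$FILE_SEARCHED"); do` two lines below the quoted test parses `ls` output, so a filename with whitespace or glob characters is split or re-expanded, which is the class of bug this commit is fixing; a glob, `for file_in_dir in "$FILE_SEARCHED"/*; do`, yields full paths instead, so the loop body (outside the hunk) would need adjusting if it joins the name to the directory. The rest of this file's hunks is fine as changed.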
@@ -28,7 +28,7 @@ audit() { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exist_in_file $FILE $PATTERN + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -46,7 +46,7 @@ apply() { crit "$PACKAGE is absent, installing it" apt_install "$PACKAGE" fi - does_pattern_exist_in_file $FILE $PATTERN + does_pattern_exist_in_file "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index a4ccdd9..da5a5f3 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh @@ -31,7 +31,7 @@ audit() { fi if [ -n "$RESULT" ]; then crit "Some ungrouped files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No ungrouped files found" diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh index 2e6cf99..e819915 100755 --- a/bin/hardening/6.2.18_check_duplicate_username.sh +++ b/bin/hardening/6.2.18_check_duplicate_username.sh @@ -24,11 +24,11 @@ audit() { RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}') for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE) - USERNAME=$(awk -F: '{print $2}' <<<$LINE) - if [ $OCC_NUMBER -gt 1 ]; then + OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE") + USERNAME=$(awk -F: '{print $2}' <<<"$LINE") + if [ "$OCC_NUMBER" -gt 1 ]; then # shellcheck disable=2034 - USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs) + USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs) ERRORS=$((ERRORS + 1)) crit "Duplicate username $USERNAME" fi 
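Review bot: In 6.2.18 audit(), `USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)` compares the UID field `$3` with a username, and the result is never read (the SC2034 suppression above it confirms that), so the line is dead code that costs an awk per duplicate; drop it or, if a list of matching entries was intended, compare against `$1`. The same line appears in 6.2.19 audit() on the next line of this diff, where it additionally reads /etc/passwd while checking group names. `sort -n` on names relies on sort's last-resort byte comparison to make duplicates adjacent; plain `sort` states the intent.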
diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh index 67fc9ad..dd4053a 100755 --- a/bin/hardening/6.2.19_check_duplicate_groupname.sh +++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh @@ -24,11 +24,11 @@ audit() { RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}') for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE) - GROUPNAME=$(awk -F: '{print $2}' <<<$LINE) - if [ $OCC_NUMBER -gt 1 ]; then + OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE") + GROUPNAME=$(awk -F: '{print $2}' <<<"$LINE") + if [ "$OCC_NUMBER" -gt 1 ]; then # shellcheck disable=2034 - USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs) + USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPNAME" /etc/passwd | xargs) ERRORS=$((ERRORS + 1)) crit "Duplicate groupname $GROUPNAME" fi diff --git a/bin/hardening/6.2.1_remove_empty_password_field.sh b/bin/hardening/6.2.1_remove_empty_password_field.sh index c2b7373..d3d404e 100755 --- a/bin/hardening/6.2.1_remove_empty_password_field.sh +++ b/bin/hardening/6.2.1_remove_empty_password_field.sh @@ -36,7 +36,7 @@ apply() { warn "Some accounts have an empty password" for ACCOUNT in $RESULT; do info "Locking $ACCOUNT" - passwd -l $ACCOUNT >/dev/null 2>&1 + passwd -l "$ACCOUNT" >/dev/null 2>&1 done else ok "All accounts have a password" diff --git a/bin/hardening/6.2.20_shadow_group_empty.sh b/bin/hardening/6.2.20_shadow_group_empty.sh index 3bab01a..4d5322d 100755 --- a/bin/hardening/6.2.20_shadow_group_empty.sh +++ b/bin/hardening/6.2.20_shadow_group_empty.sh 
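Review bot: In 6.2.1 apply(), `passwd -l "$ACCOUNT" >/dev/null 2>&1` discards the exit status, so a failed lock (for example a name served by an NSS source that `passwd` cannot modify) is logged as handled; `passwd -l "$ACCOUNT" >/dev/null 2>&1 || crit "Failed to lock $ACCOUNT"` keeps the script's reporting honest. apply() continues outside the hunk.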
@@ -22,7 +22,7 @@ PATTERN='^shadow:x:[[:digit:]]+:' # This function will be called if the script status is on enabled / audit mode audit() { - does_pattern_exist_in_file $FILEGROUP $PATTERN + does_pattern_exist_in_file "$FILEGROUP" "$PATTERN" if [ "$FNRET" = 0 ]; then info "shadow group exists" RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4) @@ -35,7 +35,7 @@ audit() { fi info "Checking if a user has $GROUPID as primary group" - RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd) + RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID" /etc/passwd) if [ -n "$RESULT" ]; then crit "Some users have shadow id as their primary group: $RESULT" else diff --git a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh index d388b72..71bcace 100755 --- a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh +++ b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh @@ -23,10 +23,10 @@ RESULT='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if accounts have a legacy password entry" - if grep '^+:' $FILE -q; then - RESULT=$(grep '^+:' $FILE) + if grep '^+:' "$FILE" -q; then + RESULT=$(grep '^+:' "$FILE") crit "Some accounts have a legacy password entry" - crit $RESULT + crit "$RESULT" else ok "All accounts have a valid password entry format" fi @@ -34,12 +34,12 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - if grep '^+:' $FILE -q; then - RESULT=$(grep '^+:' $FILE) + if grep '^+:' "$FILE" -q; then + RESULT=$(grep '^+:' "$FILE") warn "Some accounts have a legacy password entry" for LINE in $RESULT; do info "Removing $LINE from $FILE" - delete_line_in_file $FILE $LINE + delete_line_in_file "$FILE" "$LINE" done else ok "All accounts have a valid password entry format" 
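Review bot: In 6.2.2, `grep '^+:' "$FILE" -q` places the option after the operand, which relies on GNU grep's argument permutation; `grep -q '^+:' "$FILE"` is the portable form, and the same applies to the apply() hunk below and to 6.2.3 and 6.2.4. In apply(), each matched line is handed to `delete_line_in_file "$FILE" "$LINE"`, which per the utils.sh hunk in this commit uses it as a sed address after escaping only `/`, so entry contents are interpreted as a regex; since every matched line starts with `+:`, a single `delete_line_in_file "$FILE" '^+:'` removes them all without that exposure, at the cost of one log line instead of one per entry.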
diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh index 9d96b86..f430fac 100755 --- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh @@ -23,10 +23,10 @@ RESULT='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if accounts have a legacy password entry" - if $SUDO_CMD grep '^+:' $FILE -q; then - RESULT=$($SUDO_CMD grep '^+:' $FILE) + if $SUDO_CMD grep '^+:' "$FILE" -q; then + RESULT=$($SUDO_CMD grep '^+:' "$FILE") crit "Some accounts have a legacy password entry" - crit $RESULT + crit "$RESULT" else ok "All accounts have a valid password entry format" fi @@ -39,7 +39,7 @@ apply() { warn "Some accounts have a legacy password entry" for LINE in $RESULT; do info "Removing $LINE from $FILE" - delete_line_in_file $FILE $LINE + delete_line_in_file "$FILE" "$LINE" done else ok "All accounts have a valid password entry format" diff --git a/bin/hardening/6.2.4_remove_legacy_group_entries.sh b/bin/hardening/6.2.4_remove_legacy_group_entries.sh index 697de06..f3b6db0 100755 --- a/bin/hardening/6.2.4_remove_legacy_group_entries.sh +++ b/bin/hardening/6.2.4_remove_legacy_group_entries.sh @@ -23,10 +23,10 @@ RESULT='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if accounts have a legacy group entry" - if grep '^+:' $FILE -q; then - RESULT=$(grep '^+:' $FILE) + if grep '^+:' "$FILE" -q; then + RESULT=$(grep '^+:' "$FILE") crit "Some accounts have a legacy group entry" - crit $RESULT + crit "$RESULT" else ok "All accounts have a valid group entry format" fi 
@@ -34,12 +34,12 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - if grep '^+:' $FILE -q; then - RESULT=$(grep '^+:' $FILE) + if grep '^+:' "$FILE" -q; then + RESULT=$(grep '^+:' "$FILE") warn "Some accounts have a legacy group entry" for LINE in $RESULT; do info "Removing $LINE from $FILE" - delete_line_in_file $FILE $LINE + delete_line_in_file "$FILE" "$LINE" done else ok "All accounts have a valid group entry format" diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh index 1af3901..e84f100 100755 --- a/bin/hardening/6.2.7_users_valid_homedir.sh +++ b/bin/hardening/6.2.7_users_valid_homedir.sh @@ -24,10 +24,10 @@ audit() { RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: '{print $1}' <<<$LINE) - USERID=$(awk -F: '{print $2}' <<<$LINE) - DIR=$(awk -F: '{print $3}' <<<$LINE) - if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then + USER=$(awk -F: '{print $1}' <<<"$LINE") + USERID=$(awk -F: '{print $2}' <<<"$LINE") + DIR=$(awk -F: '{print $3}' <<<"$LINE") + if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then crit "The home directory ($DIR) of user $USER does not exist." ERRORS=$((ERRORS + 1)) fi diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh index 527be79..715f81d 100755 --- a/bin/hardening/6.2.9_users_valid_homedir.sh +++ b/bin/hardening/6.2.9_users_valid_homedir.sh 
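Review bot: In 6.2.7 audit(), `USER=$(awk -F: '{print $1}' <<<"$LINE")` assigns the shell's `USER` environment variable, so anything executed later in this process that reads USER sees the last passwd entry processed rather than the invoking user; a script-local name such as `ACCOUNT` avoids the clobber, and the same applies to 6.2.9 on the next line, which is a byte-for-byte copy of this loop. The three awk calls per line can also be one `IFS=: read -r ACCOUNT USERID DIR <<<"$LINE"`. audit() continues outside the hunk.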
@@ -27,10 +27,10 @@ audit() { RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: '{print $1}' <<<$LINE) - USERID=$(awk -F: '{print $2}' <<<$LINE) - DIR=$(awk -F: '{print $3}' <<<$LINE) - if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then + USER=$(awk -F: '{print $1}' <<<"$LINE") + USERID=$(awk -F: '{print $2}' <<<"$LINE") + DIR=$(awk -F: '{print $3}' <<<"$LINE") + if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then crit "The home directory ($DIR) of user $USER does not exist." ERRORS=$((ERRORS + 1)) fi diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index 7d97cf7..fdf7065 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -42,7 +42,7 @@ check_ip() { bad_ips="" for ip in $ips; do ip_escaped=$(sed 's/\./\\./g' <<<"$ip") - if grep -qw "$ip_escaped" <<<$ALLOWED_IPS; then + if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then debug "Line $linum of $file allows access from exused IP (${ip})." ok_ips_allowed+="$ip " else @@ -93,7 +93,7 @@ check_dir() { return fi for file in $AUTHKEYFILE_PATTERN; do - check_file "${directory}"/${file} + check_file "${directory}"/"${file}" done } diff --git a/lib/common.sh b/lib/common.sh index 69213e7..a5e34f4 100644 --- a/lib/common.sh +++ b/lib/common.sh 
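Review bot: In 99.5.4 check_dir(), `check_file "${directory}"/"${file}"` quotes correctly, but the list it iterates, `for file in $AUTHKEYFILE_PATTERN`, is expanded unquoted in the current working directory, so if AUTHKEYFILE_PATTERN contains glob characters (its definition is outside the hunk) the glob is evaluated against cwd rather than `$directory`, and an unmatched pattern is passed through literally. If it is a glob, `for file in "${directory}"/$AUTHKEYFILE_PATTERN; do check_file "$file"; done` with `shopt -s nullglob` evaluates it where it applies; if it is a plain list of names the current form is right and a one-line comment saying so would prevent the question. In check_ip(), `grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"` could become `grep -qwF -- "$ip" <<<"$ALLOWED_IPS"` and drop the sed escaping line.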
@@ -7,14 +7,14 @@ # backup_file() { FILE=$1 - if [ ! -f $FILE ]; then + if [ ! -f "$FILE" ]; then crit "Cannot backup $FILE, it's not a file" FNRET=1 else - TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/") + TARGET=$(echo "$FILE" | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/") TARGET="$BACKUPDIR/$TARGET" debug "Backuping $FILE to $TARGET" - cp -a $FILE $TARGET + cp -a "$FILE" "$TARGET" # shellcheck disable=2034 FNRET=0 fi @@ -48,10 +48,10 @@ esac _logger() { COLOR=$1 shift - test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0) + test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0") builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info" SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME") - cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*" + cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*" } becho() { 
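Review bot: In backup_file(), `cp -a "$FILE" "$TARGET"` has its exit status ignored and `FNRET=0` follows unconditionally, so when `$BACKUPDIR` is missing or unwritable the callers in utils.sh (add_end_of_file, replace_in_file, delete_line_in_file) go on to edit the file with no backup. Replace the two lines with `if cp -a "$FILE" "$TARGET"; then FNRET=0; else crit "Cannot backup $FILE to $TARGET"; FNRET=1; fi`. The `_logger` hunk that follows is fine as changed.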
@@ -67,37 +67,37 @@ cecho() { } crit() { - if [ ${BATCH_MODE:-0} -eq 1 ]; then + if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi + if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi fi # This variable incrementation is used to measure failure or success in tests CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1)) } warn() { - if [ ${BATCH_MODE:-0} -eq 1 ]; then + if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi + if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi fi } ok() { - if [ ${BATCH_MODE:-0} -eq 1 ]; then + if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi + if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi fi } info() { - if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi + if [ "$MACHINE_LOG_LEVEL" -ge 4 ]; then _logger '' "[INFO] $*"; fi } debug() { - if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi + if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi } # diff --git a/lib/main.sh b/lib/main.sh index c90bc2b..6a81b6b 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -1,7 +1,7 @@ # shellcheck shell=bash # run-shellcheck -LONG_SCRIPT_NAME=$(basename $0) +LONG_SCRIPT_NAME=$(basename "$0") SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} # Variable initialization, to avoid crash CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed 
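Review bot: In crit(), warn() and ok() the test `[ $MACHINE_LOG_LEVEL -ge N ]` is left unquoted while info() and debug() in the same hunk quote it; with MACHINE_LOG_LEVEL empty the unquoted form becomes `[ -ge 1 ]`, a test error rather than a silent skip, so quote all three, e.g. `if [ "$MACHINE_LOG_LEVEL" -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi`. The main.sh hunk at the end of this line is fine.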
@@ -11,13 +11,13 @@ status="" forcedstatus="" SUDO_CMD="" # shellcheck source=constants.sh -[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh +[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh # shellcheck source=../etc/hardening.cfg -[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg +[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg # shellcheck source=../lib/common.sh -[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh +[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh # shellcheck source=../lib/utils.sh -[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh # Environment Sanitizing export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' @@ -50,7 +50,7 @@ while [[ $# -gt 0 ]]; do BATCH_MODE=1 LOGLEVEL=ok # shellcheck source=../lib/common.sh - [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh + [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh ;; *) debug "Unknown option passed" 
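Review bot: `[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh` and the three lines after it silently skip a library that is absent or unreadable, and if CIS_ROOT_DIR is unset (it is not assigned in the lines visible here) the paths resolve to `/lib/...` and `/etc/...`, which are then sourced as shell code. Assert the variable before the block, `: "${CIS_ROOT_DIR:?CIS_ROOT_DIR must be set}"`, and fail when a required library cannot be read instead of continuing with undefined functions. The second hunk, which re-sources common.sh in batch mode, has the same silent skip.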
@@ -63,15 +63,15 @@ info "Working on $SCRIPT_NAME" info "[DESCRIPTION] $DESCRIPTION" # Source specific configuration file -if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then +if ! [ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ]; then # If it doesn't exist, create it with default values - echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg # If create_config is a defined function, execute it. # Otherwise, just disable the test by default. if type -t create_config | grep -qw function; then - create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + create_config >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg else - echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + echo "status=audit" >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg fi fi @@ -81,7 +81,7 @@ if [ "$forcedstatus" = "createconfig" ]; then exit 0 fi # shellcheck source=/dev/null -[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg +[ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ] && . "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg # Now check configured value for status, and potential cmdline parameter if [ "$forcedstatus" = "auditall" ]; then @@ -97,7 +97,7 @@ elif [ "$forcedstatus" = "audit" ]; then fi fi -if [ -z $status ]; then +if [ -z "$status" ]; then crit "Could not find status variable for $SCRIPT_NAME, considered as disabled" exit 2 
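Review bot: The per-script config path `"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg` is spelled out five times across this hunk and the next; assign it once, `CONF_FILE="$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg"`, and use `"$CONF_FILE"` so a later path change cannot miss one. `type -t create_config | grep -qw function` can be `[ "$(type -t create_config)" = function ]` without the pipe. Because the file is later sourced as code, creating it under a restrictive umask or with an explicit chmod would keep it from being writable by other users under a permissive umask; the umask in effect is not visible from here.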
@@ -127,18 +127,18 @@ disabled | false) ;; esac -if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then +if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then if [ $BATCH_MODE -eq 1 ]; then BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT" - becho $BATCH_OUTPUT + becho "$BATCH_OUTPUT" else ok "Check Passed" fi exit 0 # Means ok status else - if [ $BATCH_MODE -eq 1 ]; then + if [ "$BATCH_MODE" -eq 1 ]; then BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT" - becho $BATCH_OUTPUT + becho "$BATCH_OUTPUT" else crit "Check Failed" fi diff --git a/lib/utils.sh b/lib/utils.sh index f477303..bdadfd8 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -11,7 +11,7 @@ has_sysctl_param_expected_result() { local SYSCTL_PARAM=$1 local EXP_RESULT=$2 - if [ "$($SUDO_CMD sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then + if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then FNRET=0 elif [ $? = 255 ]; then debug "$SYSCTL_PARAM does not exist" @@ -35,7 +35,7 @@ set_sysctl_param() { local SYSCTL_PARAM=$1 local VALUE=$2 debug "Setting $SYSCTL_PARAM to $VALUE" - if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then + if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then FNRET=0 elif [ $? = 255 ]; then debug "$SYSCTL_PARAM does not exist" @@ -65,7 +65,7 @@ does_pattern_exist_in_dmesg() { does_file_exist() { local FILE=$1 - if $SUDO_CMD [ -e $FILE ]; then + if $SUDO_CMD [ -e "$FILE" ]; then FNRET=0 else FNRET=1 @@ -78,10 +78,10 @@ has_file_correct_ownership() { local GROUP=$3 local USERID local GROUPID - USERID=$(id -u $USER) - GROUPID=$(getent group $GROUP | cut -d: -f3) + USERID=$(id -u "$USER") + GROUPID=$(getent group "$GROUP" | cut -d: -f3) debug "$SUDO_CMD stat -c '%u %g' $FILE" - if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then + if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then FNRET=0 else FNRET=1 
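Review bot: In the success branch `if [ $BATCH_MODE -eq 1 ]; then` is left unquoted while the else branch below quotes the same test; BATCH_MODE is only assigned in the option branch seen in the earlier main.sh hunk and is not initialised in the visible lines, so when unset the unquoted test is `[ -eq 1 ]`, an error. Use `if [ "${BATCH_MODE:-0}" -eq 1 ]; then` in both places, matching what common.sh does.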
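Review bot: In utils.sh, `elif [ $? = 255 ]; then` in has_sysctl_param_expected_result() tests the exit status of the preceding `[ ... ]` comparison, not of sysctl, so the "does not exist" branch is never taken on the sysctl failure it was written for; set_sysctl_param() in the next hunk has the same construct. Capture output and status separately before comparing, as below. Both functions continue outside their hunks.
```shell
has_sysctl_param_expected_result() {
    local SYSCTL_PARAM=$1
    local EXP_RESULT=$2
    local ACTUAL RC
    ACTUAL=$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)
    RC=$?
    if [ "$ACTUAL" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    elif [ "$RC" = 255 ]; then
        debug "$SYSCTL_PARAM does not exist"
        # … unchanged: remaining branches of the function …
```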
@@ -92,7 +92,7 @@ has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 - if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then + if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then FNRET=0 else FNRET=1 @@ -117,7 +117,7 @@ _does_pattern_exist_in_file() { debug "Checking if $PATTERN is present in $FILE" if $SUDO_CMD [ -r "$FILE" ]; then debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE" - if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then + if $($SUDO_CMD grep -q "$OPTIONS" -- "$PATTERN" "$FILE"); then debug "Pattern found in $FILE" FNRET=0 else @@ -148,7 +148,7 @@ does_pattern_exist_in_file_multiline() { debug "Checking if multiline pattern: $PATTERN is present in $FILE" if $SUDO_CMD [ -r "$FILE" ]; then debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"" - if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then + if $($SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then debug "Pattern found in $FILE" FNRET=0 else @@ -167,7 +167,7 @@ add_end_of_file() { debug "Adding $LINE at the end of $FILE" backup_file "$FILE" - echo "$LINE" >>$FILE + echo "$LINE" >>"$FILE" } add_line_file_before_pattern() { @@ -177,9 +177,9 @@ add_line_file_before_pattern() { backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" - PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") debug "sed -i '/$PATTERN/i $LINE' $FILE" - sed -i "/$PATTERN/i $LINE" $FILE + sed -i "/$PATTERN/i $LINE" "$FILE" FNRET=0 } @@ -190,9 +190,9 @@ replace_in_file() { backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" - SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE) + SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE") debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" - sed -i "s/$SOURCE/$DESTINATION/g" $FILE + sed -i "s/$SOURCE/$DESTINATION/g" "$FILE" FNRET=0 } 
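Review bot: `if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then` leaves the command substitution itself unquoted, so when stat fails (missing or unreadable file) the test degenerates to `[ = "644" ]` and bash prints a test error instead of a clean mismatch; write `if [ "$($SUDO_CMD stat -L -c "%a" "$FILE")" = "$PERMISSIONS" ]; then`, as the ownership check in the previous hunk already does.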
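Review bot: Quoting `"$OPTIONS"` in _does_pattern_exist_in_file() changes behaviour: when OPTIONS is empty, grep now receives an empty pattern and treats `$PATTERN` and `$FILE` as file names, and when it holds several flags they arrive as one unrecognised argument; how OPTIONS is populated is above the hunk, but the debug line prints it bare, which suggests it is either empty or a flag string. Keep it unquoted with a `# shellcheck disable=SC2086` comment, or build an array: `local -a OPTS=(); [ -n "$OPTIONS" ] && read -r -a OPTS <<<"$OPTIONS"` followed by `grep -q "${OPTS[@]}" -- "$PATTERN" "$FILE"`. The `if $(...)` wrapper here and in does_pattern_exist_in_file_multiline() executes grep's (empty) output as a command; `if $SUDO_CMD grep ...; then` runs the pipeline as the condition directly.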
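Review bot: `sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"` in replace_in_file() escapes `/` in SOURCE but nothing in DESTINATION, so a replacement containing `/`, `&` or `\` breaks or silently alters the substitution; the callers in this commit pass `"$AUDIT_PARAM = $AUDIT_VALUE"`-style strings, and a value that is a path would be enough to trigger it (constructed example: `DESTINATION=/var/log`). Escape it the same way before the substitution, `DESTINATION=$(sed 's@[/&\\]@\\&@g' <<<"$DESTINATION")`. add_line_file_before_pattern() above and delete_line_in_file() on the next line apply the same `/`-only escaping to a value then used as a regex address.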
@@ -202,9 +202,9 @@ delete_line_in_file() { backup_file "$FILE" debug "Deleting lines from $FILE containing $PATTERN" - PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") debug "sed -i '/$PATTERN/d' $FILE" - sed -i "/$PATTERN/d" $FILE + sed -i "/$PATTERN/d" "$FILE" FNRET=0 } @@ -214,7 +214,7 @@ delete_line_in_file() { does_user_exist() { local USER=$1 - if $(getent passwd $USER >/dev/null 2>&1); then + if $(getent passwd "$USER" >/dev/null 2>&1); then FNRET=0 else FNRET=1 @@ -223,7 +223,7 @@ does_user_exist() { does_group_exist() { local GROUP=$1 - if $(getent group $GROUP >/dev/null 2>&1); then + if $(getent group "$GROUP" >/dev/null 2>&1); then FNRET=0 else FNRET=1 @@ -370,7 +370,7 @@ add_option_to_fstab() { remount_partition() { local PARTITION=$1 debug "Remounting $PARTITION" - mount -o remount $PARTITION + mount -o remount "$PARTITION" } # @@ -393,23 +393,23 @@ apt_update_if_needed() { apt_check_updates() { local NAME="$1" local DETAILS="/dev/shm/${NAME}" - $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || : + $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS" || : local COUNT=$(wc -l <"$DETAILS") FNRET=128 # Unknown function return result RESULT="" # Result output for upgrade - if [ $COUNT -gt 0 ]; then - RESULT="There is $COUNT updates available :\n$(cat $DETAILS)" + if [ "$COUNT" -gt 0 ]; then + RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")" FNRET=1 else RESULT="OK, no updates available" FNRET=0 fi - rm $DETAILS + rm "$DETAILS" } apt_install() { local PACKAGE=$1 - DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y + DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install "$PACKAGE" -y FNRET=0 } 
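Review bot: In apt_check_updates(), `$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS"` writes, typically as root, to the predictable path `/dev/shm/${NAME}` in a world-writable directory, so another local user who pre-creates that name or a symlink there can redirect the write or influence what is read back; `local DETAILS; DETAILS=$(mktemp) || { FNRET=128; return; }` gives an unpredictable owner-only file and the existing `rm "$DETAILS"` still cleans it up. `local COUNT=$(wc -l <"$DETAILS")` also masks wc's status behind `local`; split declaration and assignment. In apt_install(), quoting `"$PACKAGE"` turns a space-separated list into one package name if any caller passes several; the callers visible in this diff pass one.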
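Review bot: `if $(getent passwd "$USER" >/dev/null 2>&1); then` in does_user_exist() executes the empty output of the substitution and only works because bash then reports the substitution's own status; `if getent passwd "$USER" >/dev/null 2>&1; then` is the direct form. The same wrapper is in does_group_exist() below and in is_pkg_installed() on the next line of this diff, where PKG_NAME should also be declared `local` like the other helpers' parameters.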
@@ -419,7 +419,7 @@ apt_install() { is_pkg_installed() { PKG_NAME=$1 - if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then + if $(dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '); then debug "$PKG_NAME is installed" FNRET=0 else