IMP(shellcheck): quote variables (SC2086)
@ -32,7 +32,7 @@ audit() {
|
||||
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
else
|
||||
@ -52,20 +52,20 @@ apply() {
|
||||
ok "$FILE exists"
|
||||
fi
|
||||
for AUDIT_OPTION in $OPTIONS; do
|
||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||
AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
|
||||
does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
|
||||
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
|
||||
add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
|
||||
else
|
||||
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
|
||||
replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
|
@ -81,7 +81,7 @@ EOF
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z $BANNER_FILE ]; then
|
||||
if [ -z "$BANNER_FILE" ]; then
|
||||
info "BANNER_FILE is not set, defaults to wildcard"
|
||||
BANNER_FILE='/etc/issue.net'
|
||||
fi
|
||||
|
@ -32,17 +32,17 @@ audit() {
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
|
||||
does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN_COMMON is present in $FILE_COMMON"
|
||||
else
|
||||
crit "$PATTERN_COMMON is not present in $FILE_COMMON"
|
||||
fi
|
||||
for PW_OPT in $OPTIONS; do
|
||||
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
|
||||
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
|
||||
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
|
||||
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
|
||||
PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
|
||||
does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
|
||||
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
|
||||
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE_QUALITY"
|
||||
@ -71,20 +71,20 @@ apply() {
|
||||
fi
|
||||
|
||||
for PW_OPT in $OPTIONS; do
|
||||
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
|
||||
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
|
||||
PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
|
||||
PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
|
||||
PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
|
||||
does_pattern_exist_in_file $FILE_QUALITY $PATTERN
|
||||
does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE_QUALITY"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
|
||||
does_pattern_exist_in_file $FILE_QUALITY "^${PW_PARAM}"
|
||||
does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
|
||||
add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
|
||||
else
|
||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
|
||||
replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
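Review bot: The replacement regex on L272, `^${PW_PARAM}*.*`, applies `*` to the last character of the parameter name rather than to whitespace, so it also matches any line starting with the parameter minus its last character. The audit pattern on L227 uses `[[:space:]]+=`; mirroring it keeps the rewrite scoped to the intended key: `replace_in_file "$FILE_QUALITY" "^${PW_PARAM}[[:space:]]*=.*" "$PW_PARAM = $PW_VALUE"`. The info message on L266 references `$SSH_PARAM`, which is not set anywhere in this hunk (the loop variables are `PW_PARAM`/`PW_VALUE`) and looks like a copy-paste leftover; it should read `info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"`. apply() starts and ends outside the hunk.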
@ -29,8 +29,8 @@ audit() {
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,20 +52,20 @@ apply() {
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
|
||||
does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
else
|
||||
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
@ -29,10 +29,10 @@ audit() {
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
@ -52,20 +52,20 @@ apply() {
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
else
|
||||
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
@ -29,8 +29,8 @@ audit() {
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,20 +52,20 @@ apply() {
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
for SHADOW_OPTION in $OPTIONS; do
|
||||
SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
|
||||
SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
|
||||
SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
|
||||
PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
|
||||
does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
else
|
||||
info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
|
||||
replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
@ -32,11 +32,11 @@ audit() {
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
ACCOUNT=$(echo $LINE | cut -d: -f 1)
|
||||
ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
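Review bot: The exception check on L663, `grep -q "$ACCOUNT"`, is an unanchored substring match against `$EXCEPTIONS`, so an account whose name is a substring of an excepted one is also treated as excepted; the quoting added here does not change that. If `EXCEPTIONS` is a whitespace-separated list, `grep -qw -- "$ACCOUNT"` limits the match to whole words and protects names beginning with `-`; the same check appears at L705 in apply(). The `sed "s!$LINE!!"` on L669 likewise interpolates the raw line into a regex, so a line containing `!` or regex metacharacters will not be stripped as intended. audit() starts and ends outside the hunk.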
@ -59,11 +59,11 @@ apply() {
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
ACCOUNT=$(echo $LINE | cut -d: -f 1)
|
||||
ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
|
@ -35,7 +35,7 @@ apply() {
|
||||
ok "Root group GID is $EXPECTED_GID"
|
||||
else
|
||||
warn "Root group GID is not $EXPECTED_GID -- Fixing"
|
||||
usermod -g $EXPECTED_GID $USER
|
||||
usermod -g "$EXPECTED_GID" "$USER"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,7 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
||||
audit() {
|
||||
SEARCH_RES=0
|
||||
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||
if [ "$SEARCH_RES" = 1 ]; then break; fi
|
||||
if test -d "$FILE_SEARCHED"; then
|
||||
debug "$FILE_SEARCHED is a directory"
|
||||
for file_in_dir in $(ls "$FILE_SEARCHED"); do
|
||||
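Review bot: The loop on L769 still parses `ls` output (`for file_in_dir in $(ls "$FILE_SEARCHED")`), which ShellCheck reports as SC2012 and which breaks on names containing whitespace or glob characters; a glob avoids both: `for file_in_dir in "$FILE_SEARCHED"/*; do`. Since the loop body is outside the hunk, note that the glob yields full paths, so any `"$FILE_SEARCHED/$file_in_dir"` join in the body would become `"$file_in_dir"` (or `${file_in_dir##*/}` where the bare name is needed). An empty directory leaves the literal pattern unless `nullglob` is set. audit() continues past the hunk.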
@ -49,7 +49,7 @@ audit() {
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ $SEARCH_RES = 0 ]; then
|
||||
if [ "$SEARCH_RES" = 0 ]; then
|
||||
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||
fi
|
||||
}
|
||||
@ -85,7 +85,7 @@ apply() {
|
||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||
touch "$FILE"
|
||||
chmod 644 "$FILE"
|
||||
add_end_of_file $FILE "$PATTERN"
|
||||
add_end_of_file "$FILE" "$PATTERN"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -28,7 +28,7 @@ audit() {
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
@ -46,7 +46,7 @@ apply() {
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
|
@ -31,7 +31,7 @@ audit() {
|
||||
fi
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some ungrouped files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "No ungrouped files found"
|
||||
|
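Review bot: The pipeline on L896 can be written more directly: `sort | uniq` is `sort -u`, and the `sed "s/ /\n/g"` stage is `tr ' ' '\n'`, giving `FORMATTED_RESULT=$(tr ' ' '\n' <<<"$RESULT" | sort -u | tr '\n' ' ')` with identical output. This is a point of style only; the quoting fix itself is correct. audit() starts and ends outside the hunk.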
@ -24,11 +24,11 @@ audit() {
|
||||
RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
|
||||
USERNAME=$(awk -F: '{print $2}' <<<"$LINE")
|
||||
if [ "$OCC_NUMBER" -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "Duplicate username $USERNAME"
|
||||
fi
|
||||
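Review bot: `USERS` on L945 is assigned but never used (the `# shellcheck disable=2034` on L939 silences exactly that), and the awk it runs compares the UID field `$3` against a username, so it is unlikely to match anything; it reads like a leftover from a duplicate-UID check. Either drop L939 and L945, or, if the intent is to list the affected entries, compare field 1 and report it: `USERS=$(awk -F: '($1 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)`. The same dead assignment appears at L994 in the duplicate-group hunk, where it additionally scans /etc/passwd rather than /etc/group. audit() starts and ends outside the hunk.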
|
@ -24,11 +24,11 @@ audit() {
|
||||
RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
|
||||
GROUPNAME=$(awk -F: '{print $2}' <<<"$LINE")
|
||||
if [ "$OCC_NUMBER" -gt 1 ]; then
|
||||
# shellcheck disable=2034
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPNAME" /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "Duplicate groupname $GROUPNAME"
|
||||
fi
|
||||
|
@ -36,7 +36,7 @@ apply() {
|
||||
warn "Some accounts have an empty password"
|
||||
for ACCOUNT in $RESULT; do
|
||||
info "Locking $ACCOUNT"
|
||||
passwd -l $ACCOUNT >/dev/null 2>&1
|
||||
passwd -l "$ACCOUNT" >/dev/null 2>&1
|
||||
done
|
||||
else
|
||||
ok "All accounts have a password"
|
||||
|
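Review bot: The exit status of `passwd -l "$ACCOUNT"` on L1022 is discarded together with its output, so a failed lock (a nonexistent account, or one the system refuses to modify) leaves the remediation reported as done; `passwd -l "$ACCOUNT" >/dev/null 2>&1 || warn "Could not lock $ACCOUNT"` keeps the failure visible. The word-splitting in `for ACCOUNT in $RESULT` on L1013 relies on account names never containing whitespace, which holds for well-formed passwd entries. apply() starts and ends outside the hunk.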
@ -22,7 +22,7 @@ PATTERN='^shadow:x:[[:digit:]]+:'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILEGROUP $PATTERN
|
||||
does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
info "shadow group exists"
|
||||
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
|
||||
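Review bot: `$FILEGROUP` on L1058 is still unquoted (`grep -E "$PATTERN" $FILEGROUP`) three lines after the same variable was quoted on L1049, so this hunk only half-applies the SC2086 fix; it should read `RESULT=$(grep -E "$PATTERN" "$FILEGROUP" | cut -d: -f4)`. audit() continues past the hunk.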
@ -35,7 +35,7 @@ audit() {
|
||||
fi
|
||||
|
||||
info "Checking if a user has $GROUPID as primary group"
|
||||
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
|
||||
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID" /etc/passwd)
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some users have shadow id as their primary group: $RESULT"
|
||||
else
|
||||
|
@ -23,10 +23,10 @@ RESULT=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if accounts have a legacy password entry"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
if grep '^+:' "$FILE" -q; then
|
||||
RESULT=$(grep '^+:' "$FILE")
|
||||
crit "Some accounts have a legacy password entry"
|
||||
crit $RESULT
|
||||
crit "$RESULT"
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
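Review bot: The file is read twice on L1106 and L1109, once for the test and once to capture the matches; a single capture followed by an emptiness test avoids the second scan and the window between the two reads: `RESULT=$(grep '^+:' "$FILE")` then `if [ -n "$RESULT" ]; then`. If the script runs under `set -e` (its header is outside the hunk), a non-matching grep in a bare assignment would abort, so the assignment would need a trailing `|| true` to keep the current behaviour. The same double grep appears at L1147/L1150, L1196/L1199, L1266/L1269 and L1307/L1310. audit() continues past the hunk.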
@ -34,12 +34,12 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
if grep '^+:' "$FILE" -q; then
|
||||
RESULT=$(grep '^+:' "$FILE")
|
||||
warn "Some accounts have a legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
delete_line_in_file "$FILE" "$LINE"
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
|
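Review bot: `for LINE in $RESULT` on L1156 splits the grep output on all whitespace, not only newlines, so a legacy entry whose line contains a space (for example in the GECOS field) reaches `delete_line_in_file "$FILE" "$LINE"` on L1165 as several fragments and is not removed. Iterating with `while IFS= read -r LINE; do ...; done <<<"$RESULT"` hands each whole line through. The same loop appears at L1226 and L1316. apply() continues past the hunk.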
@ -23,10 +23,10 @@ RESULT=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if accounts have a legacy password entry"
|
||||
if $SUDO_CMD grep '^+:' $FILE -q; then
|
||||
RESULT=$($SUDO_CMD grep '^+:' $FILE)
|
||||
if $SUDO_CMD grep '^+:' "$FILE" -q; then
|
||||
RESULT=$($SUDO_CMD grep '^+:' "$FILE")
|
||||
crit "Some accounts have a legacy password entry"
|
||||
crit $RESULT
|
||||
crit "$RESULT"
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
@ -39,7 +39,7 @@ apply() {
|
||||
warn "Some accounts have a legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
delete_line_in_file "$FILE" "$LINE"
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
|
@ -23,10 +23,10 @@ RESULT=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if accounts have a legacy group entry"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
if grep '^+:' "$FILE" -q; then
|
||||
RESULT=$(grep '^+:' "$FILE")
|
||||
crit "Some accounts have a legacy group entry"
|
||||
crit $RESULT
|
||||
crit "$RESULT"
|
||||
else
|
||||
ok "All accounts have a valid group entry format"
|
||||
fi
|
||||
@ -34,12 +34,12 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
if grep '^+:' "$FILE" -q; then
|
||||
RESULT=$(grep '^+:' "$FILE")
|
||||
warn "Some accounts have a legacy group entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
delete_line_in_file "$FILE" "$LINE"
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid group entry format"
|
||||
|
@ -24,10 +24,10 @@ audit() {
|
||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
USER=$(awk -F: '{print $1}' <<<"$LINE")
|
||||
USERID=$(awk -F: '{print $2}' <<<"$LINE")
|
||||
DIR=$(awk -F: '{print $3}' <<<"$LINE")
|
||||
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS + 1))
|
||||
fi
|
||||
|
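Review bot: The assignment on L1362 writes to `USER`, which overwrites the login-name environment variable for the rest of the script and for anything it spawns afterwards; a dedicated name such as `ACCOUNT_NAME` avoids the clobber. The three `awk` invocations per line on L1362–L1368 can also be replaced by one builtin split, `IFS=: read -r USER USERID DIR <<<"$LINE"`, which assigns the same `name:uid:home` fields without forking. The same loop is repeated at L1408–L1414. audit() starts and ends outside the hunk.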
@ -27,10 +27,10 @@ audit() {
|
||||
RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: '{print $1}' <<<$LINE)
|
||||
USERID=$(awk -F: '{print $2}' <<<$LINE)
|
||||
DIR=$(awk -F: '{print $3}' <<<$LINE)
|
||||
if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
USER=$(awk -F: '{print $1}' <<<"$LINE")
|
||||
USERID=$(awk -F: '{print $2}' <<<"$LINE")
|
||||
DIR=$(awk -F: '{print $3}' <<<"$LINE")
|
||||
if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS + 1))
|
||||
fi
|
||||
|
@ -42,7 +42,7 @@ check_ip() {
|
||||
bad_ips=""
|
||||
for ip in $ips; do
|
||||
ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
|
||||
if grep -qw "$ip_escaped" <<<$ALLOWED_IPS; then
|
||||
if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
|
||||
debug "Line $linum of $file allows access from exused IP (${ip})."
|
||||
ok_ips_allowed+="$ip "
|
||||
else
|
||||
@ -93,7 +93,7 @@ check_dir() {
|
||||
return
|
||||
fi
|
||||
for file in $AUTHKEYFILE_PATTERN; do
|
||||
check_file "${directory}"/${file}
|
||||
check_file "${directory}"/"${file}"
|
||||
done
|
||||
}
|
||||
|
||||
|
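Review bot: `$AUTHKEYFILE_PATTERN` on L1466 is expanded unquoted, and if it holds glob characters that expansion is evaluated against the current working directory rather than `$directory`, so the loop may iterate over the literal pattern or over unrelated names before `check_file` joins them to the directory on L1472. Globbing inside the target directory instead, `for file in "$directory"/$AUTHKEYFILE_PATTERN; do check_file "$file"; done`, matches in the right place (with `nullglob` set so that an absent file yields no iteration). If the variable is only a space-separated list of plain names this is moot, but the hunk does not show its value. check_dir() starts outside the hunk.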