IMP(shellcheck): quote variables (SC2086)

This commit is contained in:
Thibault Ayanides
2020-12-07 17:11:32 +01:00
parent 6826f377e6
commit b09b75a51e
24 changed files with 142 additions and 142 deletions


@ -7,14 +7,14 @@
#
backup_file() {
FILE=$1
if [ ! -f $FILE ]; then
if [ ! -f "$FILE" ]; then
crit "Cannot backup $FILE, it's not a file"
FNRET=1
else
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
TARGET=$(echo "$FILE" | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
TARGET="$BACKUPDIR/$TARGET"
debug "Backuping $FILE to $TARGET"
cp -a $FILE $TARGET
cp -a "$FILE" "$TARGET"
# shellcheck disable=2034
FNRET=0
fi
@ -48,10 +48,10 @@ esac
_logger() {
COLOR=$1
shift
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0")
builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"
SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*"
}
becho() {
@ -67,37 +67,37 @@ cecho() {
}
crit() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi
fi
# This variable incrementation is used to measure failure or success in tests
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1))
}
warn() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi
fi
}
ok() {
if [ ${BATCH_MODE:-0} -eq 1 ]; then
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
else
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi
fi
}
info() {
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
if [ "$MACHINE_LOG_LEVEL" -ge 4 ]; then _logger '' "[INFO] $*"; fi
}
debug() {
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
}
#
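Review bot: In crit(), warn() and ok() the rewritten lines quote the colour argument but leave `$MACHINE_LOG_LEVEL` unquoted (`if [ $MACHINE_LOG_LEVEL -ge 1 ]`, `-ge 2`, `-ge 3`), while info() and debug() in the same hunk quote it; with an empty or unset value the former become `[ -ge 1 ]`, which test rejects with a syntax error instead of skipping the log call. Make the three sites match the last two: `if [ "$MACHINE_LOG_LEVEL" -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi` and likewise for warn() and ok(). In backup_file(), `echo "$FILE" | sed …` still feeds the file name through echo, which mishandles names beginning with `-` or containing backslashes in some shells; `printf '%s\n' "$FILE" | sed …` is the safe form, and `cp -a -- "$FILE" "$TARGET"` keeps a leading `-` from being parsed as an option. backup_file's closing brace and the start of becho() lie outside this view.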


@ -1,7 +1,7 @@
# shellcheck shell=bash
# run-shellcheck
LONG_SCRIPT_NAME=$(basename $0)
LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
@ -11,13 +11,13 @@ status=""
forcedstatus=""
SUDO_CMD=""
# shellcheck source=constants.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
# shellcheck source=../lib/common.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@ -50,7 +50,7 @@ while [[ $# -gt 0 ]]; do
BATCH_MODE=1
LOGLEVEL=ok
# shellcheck source=../lib/common.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
;;
*)
debug "Unknown option passed"
@ -63,15 +63,15 @@ info "Working on $SCRIPT_NAME"
info "[DESCRIPTION] $DESCRIPTION"
# Source specific configuration file
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
if ! [ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ]; then
# If it doesn't exist, create it with default values
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
# If create_config is a defined function, execute it.
# Otherwise, just disable the test by default.
if type -t create_config | grep -qw function; then
create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
create_config >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
else
echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
echo "status=audit" >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
fi
fi
@ -81,7 +81,7 @@ if [ "$forcedstatus" = "createconfig" ]; then
exit 0
fi
# shellcheck source=/dev/null
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
[ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ] && . "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
# Now check configured value for status, and potential cmdline parameter
if [ "$forcedstatus" = "auditall" ]; then
@ -97,7 +97,7 @@ elif [ "$forcedstatus" = "audit" ]; then
fi
fi
if [ -z $status ]; then
if [ -z "$status" ]; then
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
exit 2
@ -127,18 +127,18 @@ disabled | false)
;;
esac
if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
if [ $BATCH_MODE -eq 1 ]; then
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
becho $BATCH_OUTPUT
becho "$BATCH_OUTPUT"
else
ok "Check Passed"
fi
exit 0 # Means ok status
else
if [ $BATCH_MODE -eq 1 ]; then
if [ "$BATCH_MODE" -eq 1 ]; then
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
becho $BATCH_OUTPUT
becho "$BATCH_OUTPUT"
else
crit "Check Failed"
fi
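Review bot: In the last hunk the first `if [ $BATCH_MODE -eq 1 ]; then` (the branch under `CRITICAL_ERRORS_NUMBER -eq 0`) is left unquoted and unguarded while the parallel test in the else branch is quoted to `"$BATCH_MODE"`; if BATCH_MODE is never assigned (it is only set under the option-parsing hunk) the first form degrades to `[ -eq 1 ]` and the second to `[ "" -eq 1 ]`, both of which error rather than evaluate false. The crit()/warn()/ok() helpers on this page already use `${BATCH_MODE:-0}`, so both sites should read `if [ "${BATCH_MODE:-0}" -eq 1 ]; then`. The sourcing lines `[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh` (and the etc/hardening.cfg, lib/common.sh, lib/utils.sh and etc/conf.d lines) are correctly quoted now, but an empty CIS_ROOT_DIR would silently source `/lib/constants.sh`, `/etc/hardening.cfg` and so on from the filesystem root; where CIS_ROOT_DIR is set is not visible here, so a guard such as `: "${CIS_ROOT_DIR:?CIS_ROOT_DIR must be set}"` before the first `. ` line would be a cheap check. The surrounding `if … else` of the final hunk closes outside this view.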


@ -11,7 +11,7 @@ has_sysctl_param_expected_result() {
local SYSCTL_PARAM=$1
local EXP_RESULT=$2
if [ "$($SUDO_CMD sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
FNRET=0
elif [ $? = 255 ]; then
debug "$SYSCTL_PARAM does not exist"
@ -35,7 +35,7 @@ set_sysctl_param() {
local SYSCTL_PARAM=$1
local VALUE=$2
debug "Setting $SYSCTL_PARAM to $VALUE"
if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
FNRET=0
elif [ $? = 255 ]; then
debug "$SYSCTL_PARAM does not exist"
@ -65,7 +65,7 @@ does_pattern_exist_in_dmesg() {
does_file_exist() {
local FILE=$1
if $SUDO_CMD [ -e $FILE ]; then
if $SUDO_CMD [ -e "$FILE" ]; then
FNRET=0
else
FNRET=1
@ -78,10 +78,10 @@ has_file_correct_ownership() {
local GROUP=$3
local USERID
local GROUPID
USERID=$(id -u $USER)
GROUPID=$(getent group $GROUP | cut -d: -f3)
USERID=$(id -u "$USER")
GROUPID=$(getent group "$GROUP" | cut -d: -f3)
debug "$SUDO_CMD stat -c '%u %g' $FILE"
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then
FNRET=0
else
FNRET=1
@ -92,7 +92,7 @@ has_file_correct_permissions() {
local FILE=$1
local PERMISSIONS=$2
if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then
FNRET=0
else
FNRET=1
@ -117,7 +117,7 @@ _does_pattern_exist_in_file() {
debug "Checking if $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE"
if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then
if $($SUDO_CMD grep -q "$OPTIONS" -- "$PATTERN" "$FILE"); then
debug "Pattern found in $FILE"
FNRET=0
else
@ -148,7 +148,7 @@ does_pattern_exist_in_file_multiline() {
debug "Checking if multiline pattern: $PATTERN is present in $FILE"
if $SUDO_CMD [ -r "$FILE" ]; then
debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN""
if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
if $($SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
debug "Pattern found in $FILE"
FNRET=0
else
@ -167,7 +167,7 @@ add_end_of_file() {
debug "Adding $LINE at the end of $FILE"
backup_file "$FILE"
echo "$LINE" >>$FILE
echo "$LINE" >>"$FILE"
}
add_line_file_before_pattern() {
@ -177,9 +177,9 @@ add_line_file_before_pattern() {
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" $FILE
sed -i "/$PATTERN/i $LINE" "$FILE"
FNRET=0
}
@ -190,9 +190,9 @@ replace_in_file() {
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE)
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
FNRET=0
}
@ -202,9 +202,9 @@ delete_line_in_file() {
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" $FILE
sed -i "/$PATTERN/d" "$FILE"
FNRET=0
}
@ -214,7 +214,7 @@ delete_line_in_file() {
does_user_exist() {
local USER=$1
if $(getent passwd $USER >/dev/null 2>&1); then
if $(getent passwd "$USER" >/dev/null 2>&1); then
FNRET=0
else
FNRET=1
@ -223,7 +223,7 @@ does_user_exist() {
does_group_exist() {
local GROUP=$1
if $(getent group $GROUP >/dev/null 2>&1); then
if $(getent group "$GROUP" >/dev/null 2>&1); then
FNRET=0
else
FNRET=1
@ -370,7 +370,7 @@ add_option_to_fstab() {
remount_partition() {
local PARTITION=$1
debug "Remounting $PARTITION"
mount -o remount $PARTITION
mount -o remount "$PARTITION"
}
#
@ -393,23 +393,23 @@ apt_update_if_needed() {
apt_check_updates() {
local NAME="$1"
local DETAILS="/dev/shm/${NAME}"
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS" || :
local COUNT=$(wc -l <"$DETAILS")
FNRET=128 # Unknown function return result
RESULT="" # Result output for upgrade
if [ $COUNT -gt 0 ]; then
RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
if [ "$COUNT" -gt 0 ]; then
RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
FNRET=1
else
RESULT="OK, no updates available"
FNRET=0
fi
rm $DETAILS
rm "$DETAILS"
}
apt_install() {
local PACKAGE=$1
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install "$PACKAGE" -y
FNRET=0
}
@ -419,7 +419,7 @@ apt_install() {
is_pkg_installed() {
PKG_NAME=$1
if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
if $(dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '); then
debug "$PKG_NAME is installed"
FNRET=0
else
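Review bot: Quoting `$OPTIONS` in `_does_pattern_exist_in_file` changes what grep receives: if any caller passes an empty OPTIONS (the leading-underscore helper suggests wrappers do), `grep -q "" -- "$PATTERN" "$FILE"` makes the empty string the pattern and `$PATTERN` a file operand, so the check reports a match for any non-empty `$FILE`, and a multi-flag value such as `-E -i` becomes a single argument grep rejects. That expansion is an intentionally word-split option list, so keep it unsplit and say so to the linter: `# shellcheck disable=SC2086 -- OPTIONS is a word-split option list` above `if $SUDO_CMD grep -q $OPTIONS -- "$PATTERN" "$FILE"; then`, which also drops the `if $(…)` form (running the substitution's empty output as the command, SC2091) that the rewritten lines in `does_pattern_exist_in_file_multiline`, `does_user_exist`, `does_group_exist` and `is_pkg_installed` retain. Separately, `sed -i "/$PATTERN/i $LINE" "$FILE"`, `"s/$SOURCE/$DESTINATION/g"` and `"/$PATTERN/d"` only escape `/` on the left-hand side, so `&`, `\` or a newline in these values still reach sed as script syntax; quoting `$FILE` does not change that. `local DETAILS="/dev/shm/${NAME}"` in apt_check_updates is a predictable name in a world-writable directory that is then written and `rm`-ed; `DETAILS=$(mktemp) || return` would avoid a pre-placed file or symlink at that path.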