mirror of
https://github.com/ovh/debian-cis.git
synced 2025-06-21 18:23:42 +02:00
IMP(shellcheck): quote variables (SC2086)
This commit is contained in:
Thibault Ayanides
@ -7,14 +7,14 @@
|
||||
#
|
||||
backup_file() {
|
||||
FILE=$1
|
||||
if [ ! -f $FILE ]; then
|
||||
if [ ! -f "$FILE" ]; then
|
||||
crit "Cannot backup $FILE, it's not a file"
|
||||
FNRET=1
|
||||
else
|
||||
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
|
||||
TARGET=$(echo "$FILE" | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
|
||||
TARGET="$BACKUPDIR/$TARGET"
|
||||
debug "Backuping $FILE to $TARGET"
|
||||
cp -a $FILE $TARGET
|
||||
cp -a "$FILE" "$TARGET"
|
||||
# shellcheck disable=2034
|
||||
FNRET=0
|
||||
fi
|
||||
@ -48,10 +48,10 @@ esac
|
||||
_logger() {
|
||||
COLOR=$1
|
||||
shift
|
||||
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
|
||||
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0")
|
||||
builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"
|
||||
SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
|
||||
cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
|
||||
cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*"
|
||||
}
|
||||
|
||||
becho() {
|
||||
@ -67,37 +67,37 @@ cecho() {
|
||||
}
|
||||
|
||||
crit() {
|
||||
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
||||
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
|
||||
BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
|
||||
else
|
||||
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
|
||||
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi
|
||||
fi
|
||||
# This variable incrementation is used to measure failure or success in tests
|
||||
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1))
|
||||
}
|
||||
|
||||
warn() {
|
||||
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
||||
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
|
||||
BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
|
||||
else
|
||||
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
|
||||
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi
|
||||
fi
|
||||
}
|
||||
|
||||
ok() {
|
||||
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
||||
if [ "${BATCH_MODE:-0}" -eq 1 ]; then
|
||||
BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
|
||||
else
|
||||
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
|
||||
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi
|
||||
fi
|
||||
}
|
||||
|
||||
info() {
|
||||
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
|
||||
if [ "$MACHINE_LOG_LEVEL" -ge 4 ]; then _logger '' "[INFO] $*"; fi
|
||||
}
|
||||
|
||||
debug() {
|
||||
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
|
||||
if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
32
lib/main.sh
32
lib/main.sh
@ -1,7 +1,7 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
|
||||
LONG_SCRIPT_NAME=$(basename $0)
|
||||
LONG_SCRIPT_NAME=$(basename "$0")
|
||||
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
||||
# Variable initialization, to avoid crash
|
||||
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
|
||||
@ -11,13 +11,13 @@ status=""
|
||||
forcedstatus=""
|
||||
SUDO_CMD=""
|
||||
# shellcheck source=constants.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
|
||||
# shellcheck source=../etc/hardening.cfg
|
||||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
|
||||
# shellcheck source=../lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||
# shellcheck source=../lib/utils.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
|
||||
|
||||
# Environment Sanitizing
|
||||
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
||||
@ -50,7 +50,7 @@ while [[ $# -gt 0 ]]; do
|
||||
BATCH_MODE=1
|
||||
LOGLEVEL=ok
|
||||
# shellcheck source=../lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
|
||||
;;
|
||||
*)
|
||||
debug "Unknown option passed"
|
||||
@ -63,15 +63,15 @@ info "Working on $SCRIPT_NAME"
|
||||
info "[DESCRIPTION] $DESCRIPTION"
|
||||
|
||||
# Source specific configuration file
|
||||
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
|
||||
if ! [ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ]; then
|
||||
# If it doesn't exist, create it with default values
|
||||
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
|
||||
# If create_config is a defined function, execute it.
|
||||
# Otherwise, just disable the test by default.
|
||||
if type -t create_config | grep -qw function; then
|
||||
create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
create_config >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
|
||||
else
|
||||
echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
echo "status=audit" >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
|
||||
fi
|
||||
|
||||
fi
|
||||
@ -81,7 +81,7 @@ if [ "$forcedstatus" = "createconfig" ]; then
|
||||
exit 0
|
||||
fi
|
||||
# shellcheck source=/dev/null
|
||||
[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
|
||||
[ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ] && . "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
|
||||
|
||||
# Now check configured value for status, and potential cmdline parameter
|
||||
if [ "$forcedstatus" = "auditall" ]; then
|
||||
@ -97,7 +97,7 @@ elif [ "$forcedstatus" = "audit" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z $status ]; then
|
||||
if [ -z "$status" ]; then
|
||||
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
|
||||
|
||||
exit 2
|
||||
@ -127,18 +127,18 @@ disabled | false)
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
|
||||
if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
|
||||
if [ $BATCH_MODE -eq 1 ]; then
|
||||
BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
|
||||
becho $BATCH_OUTPUT
|
||||
becho "$BATCH_OUTPUT"
|
||||
else
|
||||
ok "Check Passed"
|
||||
fi
|
||||
exit 0 # Means ok status
|
||||
else
|
||||
if [ $BATCH_MODE -eq 1 ]; then
|
||||
if [ "$BATCH_MODE" -eq 1 ]; then
|
||||
BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
|
||||
becho $BATCH_OUTPUT
|
||||
becho "$BATCH_OUTPUT"
|
||||
else
|
||||
crit "Check Failed"
|
||||
fi
|
||||
|
||||
50
lib/utils.sh
50
lib/utils.sh
@ -11,7 +11,7 @@ has_sysctl_param_expected_result() {
|
||||
local SYSCTL_PARAM=$1
|
||||
local EXP_RESULT=$2
|
||||
|
||||
if [ "$($SUDO_CMD sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
|
||||
if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
|
||||
FNRET=0
|
||||
elif [ $? = 255 ]; then
|
||||
debug "$SYSCTL_PARAM does not exist"
|
||||
@ -35,7 +35,7 @@ set_sysctl_param() {
|
||||
local SYSCTL_PARAM=$1
|
||||
local VALUE=$2
|
||||
debug "Setting $SYSCTL_PARAM to $VALUE"
|
||||
if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
||||
if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
||||
FNRET=0
|
||||
elif [ $? = 255 ]; then
|
||||
debug "$SYSCTL_PARAM does not exist"
|
||||
@ -65,7 +65,7 @@ does_pattern_exist_in_dmesg() {
|
||||
|
||||
does_file_exist() {
|
||||
local FILE=$1
|
||||
if $SUDO_CMD [ -e $FILE ]; then
|
||||
if $SUDO_CMD [ -e "$FILE" ]; then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
@ -78,10 +78,10 @@ has_file_correct_ownership() {
|
||||
local GROUP=$3
|
||||
local USERID
|
||||
local GROUPID
|
||||
USERID=$(id -u $USER)
|
||||
GROUPID=$(getent group $GROUP | cut -d: -f3)
|
||||
USERID=$(id -u "$USER")
|
||||
GROUPID=$(getent group "$GROUP" | cut -d: -f3)
|
||||
debug "$SUDO_CMD stat -c '%u %g' $FILE"
|
||||
if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
|
||||
if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
@ -92,7 +92,7 @@ has_file_correct_permissions() {
|
||||
local FILE=$1
|
||||
local PERMISSIONS=$2
|
||||
|
||||
if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
|
||||
if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
@ -117,7 +117,7 @@ _does_pattern_exist_in_file() {
|
||||
debug "Checking if $PATTERN is present in $FILE"
|
||||
if $SUDO_CMD [ -r "$FILE" ]; then
|
||||
debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE"
|
||||
if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then
|
||||
if $($SUDO_CMD grep -q "$OPTIONS" -- "$PATTERN" "$FILE"); then
|
||||
debug "Pattern found in $FILE"
|
||||
FNRET=0
|
||||
else
|
||||
@ -148,7 +148,7 @@ does_pattern_exist_in_file_multiline() {
|
||||
debug "Checking if multiline pattern: $PATTERN is present in $FILE"
|
||||
if $SUDO_CMD [ -r "$FILE" ]; then
|
||||
debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN""
|
||||
if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
|
||||
if $($SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
|
||||
debug "Pattern found in $FILE"
|
||||
FNRET=0
|
||||
else
|
||||
@ -167,7 +167,7 @@ add_end_of_file() {
|
||||
|
||||
debug "Adding $LINE at the end of $FILE"
|
||||
backup_file "$FILE"
|
||||
echo "$LINE" >>$FILE
|
||||
echo "$LINE" >>"$FILE"
|
||||
}
|
||||
|
||||
add_line_file_before_pattern() {
|
||||
@ -177,9 +177,9 @@ add_line_file_before_pattern() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Inserting $LINE before $PATTERN in $FILE"
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
|
||||
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
||||
sed -i "/$PATTERN/i $LINE" $FILE
|
||||
sed -i "/$PATTERN/i $LINE" "$FILE"
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
@ -190,9 +190,9 @@ replace_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
||||
SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE)
|
||||
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
|
||||
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
||||
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
|
||||
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
@ -202,9 +202,9 @@ delete_line_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Deleting lines from $FILE containing $PATTERN"
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
|
||||
debug "sed -i '/$PATTERN/d' $FILE"
|
||||
sed -i "/$PATTERN/d" $FILE
|
||||
sed -i "/$PATTERN/d" "$FILE"
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
@ -214,7 +214,7 @@ delete_line_in_file() {
|
||||
|
||||
does_user_exist() {
|
||||
local USER=$1
|
||||
if $(getent passwd $USER >/dev/null 2>&1); then
|
||||
if $(getent passwd "$USER" >/dev/null 2>&1); then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
@ -223,7 +223,7 @@ does_user_exist() {
|
||||
|
||||
does_group_exist() {
|
||||
local GROUP=$1
|
||||
if $(getent group $GROUP >/dev/null 2>&1); then
|
||||
if $(getent group "$GROUP" >/dev/null 2>&1); then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
@ -370,7 +370,7 @@ add_option_to_fstab() {
|
||||
remount_partition() {
|
||||
local PARTITION=$1
|
||||
debug "Remounting $PARTITION"
|
||||
mount -o remount $PARTITION
|
||||
mount -o remount "$PARTITION"
|
||||
}
|
||||
|
||||
#
|
||||
@ -393,23 +393,23 @@ apt_update_if_needed() {
|
||||
apt_check_updates() {
|
||||
local NAME="$1"
|
||||
local DETAILS="/dev/shm/${NAME}"
|
||||
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
|
||||
$SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS" || :
|
||||
local COUNT=$(wc -l <"$DETAILS")
|
||||
FNRET=128 # Unknown function return result
|
||||
RESULT="" # Result output for upgrade
|
||||
if [ $COUNT -gt 0 ]; then
|
||||
RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
|
||||
if [ "$COUNT" -gt 0 ]; then
|
||||
RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
|
||||
FNRET=1
|
||||
else
|
||||
RESULT="OK, no updates available"
|
||||
FNRET=0
|
||||
fi
|
||||
rm $DETAILS
|
||||
rm "$DETAILS"
|
||||
}
|
||||
|
||||
apt_install() {
|
||||
local PACKAGE=$1
|
||||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
|
||||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install "$PACKAGE" -y
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
@ -419,7 +419,7 @@ apt_install() {
|
||||
|
||||
is_pkg_installed() {
|
||||
PKG_NAME=$1
|
||||
if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
|
||||
if $(dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '); then
|
||||
debug "$PKG_NAME is installed"
|
||||
FNRET=0
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user