IMP(shellcheck): quote variables (SC2086)

bin/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -32,7 +32,7 @@ audit() {
             AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
             PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
             debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 crit "$PATTERN is not present in $FILE"
             else
@@ -52,20 +52,20 @@ apply() {
         ok "$FILE exists"
     fi
     for AUDIT_OPTION in $OPTIONS; do
-        AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+        AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-        AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+        AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
         debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
         PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+                add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
             else
                 info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+                replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
             fi
         else
             ok "$PATTERN is present in $FILE"

bin/hardening/5.2.19_ssh_banner.sh

@@ -81,7 +81,7 @@ EOF
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $BANNER_FILE ]; then
+    if [ -z "$BANNER_FILE" ]; then
         info "BANNER_FILE is not set, defaults to wildcard"
         BANNER_FILE='/etc/issue.net'
     fi

bin/hardening/5.3.1_enable_pwquality.sh

@@ -32,17 +32,17 @@ audit() {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
+        does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN_COMMON is present in $FILE_COMMON"
         else
             crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
         for PW_OPT in $OPTIONS; do
-            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+            PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
-            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+            PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
             PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
-            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+            does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
 
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE_QUALITY"
@@ -71,20 +71,20 @@ apply() {
     fi
 
     for PW_OPT in $OPTIONS; do
-        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
-        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
         PATTERN="^${PW_PARAM}[[:space:]]+=[[:space:]]+$PW_VALUE"
-        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE_QUALITY"
         else
             warn "$PATTERN is not present in $FILE_QUALITY, adding it"
-            does_pattern_exist_in_file $FILE_QUALITY "^${PW_PARAM}"
+            does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+                add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE_QUALITY "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
+                replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
             fi
         fi
     done

bin/hardening/5.4.1.1_set_password_exp_days.sh

@@ -29,8 +29,8 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SHADOW_OPTION in $OPTIONS; do
-            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
             PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -52,20 +52,20 @@ apply() {
         apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
-        SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+        SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-        SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+        SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
         PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
+                add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
             else
                 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+                replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
             fi
         fi
     done

bin/hardening/5.4.1.2_set_password_min_days_change.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SHADOW_OPTION in $OPTIONS; do
-            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
             PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -52,20 +52,20 @@ apply() {
         apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
-        SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+        SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-        SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+        SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
         PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
+                add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
             else
                 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+                replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
             fi
         fi
     done

bin/hardening/5.4.1.3_set_password_exp_warning_days.sh

@@ -29,8 +29,8 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SHADOW_OPTION in $OPTIONS; do
-            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
             PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -52,20 +52,20 @@ apply() {
         apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
-        SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+        SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
-        SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+        SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
         PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
+                add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
             else
                 info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
+                replace_in_file "$FILE" "^${SHADOW_PARAM}[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
             fi
         fi
     done

bin/hardening/5.4.2_disable_system_accounts.sh

@@ -32,11 +32,11 @@ audit() {
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
-        ACCOUNT=$(echo $LINE | cut -d: -f 1)
+        ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
         debug "Account : $ACCOUNT"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
             debug "$ACCOUNT is confirmed as an exception"
             RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
         else
@@ -59,11 +59,11 @@ apply() {
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
-        ACCOUNT=$(echo $LINE | cut -d: -f 1)
+        ACCOUNT=$(echo "$LINE" | cut -d: -f 1)
         debug "Account : $ACCOUNT"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
             debug "$ACCOUNT is confirmed as an exception"
             RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
         else

bin/hardening/5.4.3_default_root_group.sh

@@ -35,7 +35,7 @@ apply() {
         ok "Root group GID is $EXPECTED_GID"
     else
         warn "Root group GID is not $EXPECTED_GID -- Fixing"
-        usermod -g $EXPECTED_GID $USER
+        usermod -g "$EXPECTED_GID" "$USER"
     fi
 }
 

bin/hardening/5.4.4_default_umask.sh

@@ -26,7 +26,7 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
 audit() {
     SEARCH_RES=0
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ $SEARCH_RES = 1 ]; then break; fi
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
         if test -d "$FILE_SEARCHED"; then
             debug "$FILE_SEARCHED is a directory"
             for file_in_dir in $(ls "$FILE_SEARCHED"); do
@@ -49,7 +49,7 @@ audit() {
             fi
         fi
     done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
         crit "$PATTERN is not present in $FILES_TO_SEARCH"
     fi
 }
@@ -85,7 +85,7 @@ apply() {
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
         touch "$FILE"
         chmod 644 "$FILE"
-        add_end_of_file $FILE "$PATTERN"
+        add_end_of_file "$FILE" "$PATTERN"
     fi
 }
 

bin/hardening/5.6_restrict_su.sh

@@ -28,7 +28,7 @@ audit() {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
@@ -46,7 +46,7 @@ apply() {
         crit "$PACKAGE is absent, installing it"
         apt_install "$PACKAGE"
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN is present in $FILE"
     else

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -31,7 +31,7 @@ audit() {
     fi
     if [ -n "$RESULT" ]; then
         crit "Some ungrouped files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "No ungrouped files found"

bin/hardening/6.2.18_check_duplicate_username.sh

@@ -24,11 +24,11 @@ audit() {
     RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
     for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
+        OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERNAME=$(awk -F: '{print $2}' <<<$LINE)
+        USERNAME=$(awk -F: '{print $2}' <<<"$LINE")
-        if [ $OCC_NUMBER -gt 1 ]; then
+        if [ "$OCC_NUMBER" -gt 1 ]; then
             # shellcheck disable=2034
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
+            USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate username $USERNAME"
         fi

bin/hardening/6.2.19_check_duplicate_groupname.sh

@@ -24,11 +24,11 @@ audit() {
     RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
     for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: '{print $1}' <<<$LINE)
+        OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
-        GROUPNAME=$(awk -F: '{print $2}' <<<$LINE)
+        GROUPNAME=$(awk -F: '{print $2}' <<<"$LINE")
-        if [ $OCC_NUMBER -gt 1 ]; then
+        if [ "$OCC_NUMBER" -gt 1 ]; then
             # shellcheck disable=2034
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
+            USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPNAME" /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate groupname $GROUPNAME"
         fi

bin/hardening/6.2.1_remove_empty_password_field.sh

@@ -36,7 +36,7 @@ apply() {
         warn "Some accounts have an empty password"
         for ACCOUNT in $RESULT; do
             info "Locking $ACCOUNT"
-            passwd -l $ACCOUNT >/dev/null 2>&1
+            passwd -l "$ACCOUNT" >/dev/null 2>&1
         done
     else
         ok "All accounts have a password"

bin/hardening/6.2.20_shadow_group_empty.sh

@@ -22,7 +22,7 @@ PATTERN='^shadow:x:[[:digit:]]+:'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILEGROUP $PATTERN
+    does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"
     if [ "$FNRET" = 0 ]; then
         info "shadow group exists"
         RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
@@ -35,7 +35,7 @@ audit() {
         fi
 
         info "Checking if a user has $GROUPID as primary group"
-        RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
+        RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID" /etc/passwd)
         if [ -n "$RESULT" ]; then
             crit "Some users have shadow id as their primary group: $RESULT"
         else

bin/hardening/6.2.2_remove_legacy_passwd_entries.sh

@@ -23,10 +23,10 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if accounts have a legacy password entry"
-    if grep '^+:' $FILE -q; then
+    if grep '^+:' "$FILE" -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$(grep '^+:' "$FILE")
         crit "Some accounts have a legacy password entry"
-        crit $RESULT
+        crit "$RESULT"
     else
         ok "All accounts have a valid password entry format"
     fi
@@ -34,12 +34,12 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    if grep '^+:' $FILE -q; then
+    if grep '^+:' "$FILE" -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$(grep '^+:' "$FILE")
         warn "Some accounts have a legacy password entry"
         for LINE in $RESULT; do
             info "Removing $LINE from $FILE"
-            delete_line_in_file $FILE $LINE
+            delete_line_in_file "$FILE" "$LINE"
         done
     else
         ok "All accounts have a valid password entry format"

bin/hardening/6.2.3_remove_legacy_shadow_entries.sh

@@ -23,10 +23,10 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if accounts have a legacy password entry"
-    if $SUDO_CMD grep '^+:' $FILE -q; then
+    if $SUDO_CMD grep '^+:' "$FILE" -q; then
-        RESULT=$($SUDO_CMD grep '^+:' $FILE)
+        RESULT=$($SUDO_CMD grep '^+:' "$FILE")
         crit "Some accounts have a legacy password entry"
-        crit $RESULT
+        crit "$RESULT"
     else
         ok "All accounts have a valid password entry format"
     fi
@@ -39,7 +39,7 @@ apply() {
         warn "Some accounts have a legacy password entry"
         for LINE in $RESULT; do
             info "Removing $LINE from $FILE"
-            delete_line_in_file $FILE $LINE
+            delete_line_in_file "$FILE" "$LINE"
         done
     else
         ok "All accounts have a valid password entry format"

bin/hardening/6.2.4_remove_legacy_group_entries.sh

@@ -23,10 +23,10 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if accounts have a legacy group entry"
-    if grep '^+:' $FILE -q; then
+    if grep '^+:' "$FILE" -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$(grep '^+:' "$FILE")
         crit "Some accounts have a legacy group entry"
-        crit $RESULT
+        crit "$RESULT"
     else
         ok "All accounts have a valid group entry format"
     fi
@@ -34,12 +34,12 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    if grep '^+:' $FILE -q; then
+    if grep '^+:' "$FILE" -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$(grep '^+:' "$FILE")
         warn "Some accounts have a legacy group entry"
         for LINE in $RESULT; do
             info "Removing $LINE from $FILE"
-            delete_line_in_file $FILE $LINE
+            delete_line_in_file "$FILE" "$LINE"
         done
     else
         ok "All accounts have a valid group entry format"

bin/hardening/6.2.7_users_valid_homedir.sh

@@ -24,10 +24,10 @@ audit() {
     RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do
         debug "Working on $LINE"
-        USER=$(awk -F: '{print $1}' <<<$LINE)
+        USER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERID=$(awk -F: '{print $2}' <<<$LINE)
+        USERID=$(awk -F: '{print $2}' <<<"$LINE")
-        DIR=$(awk -F: '{print $3}' <<<$LINE)
+        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
+        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
             ERRORS=$((ERRORS + 1))
         fi

bin/hardening/6.2.9_users_valid_homedir.sh

@@ -27,10 +27,10 @@ audit() {
     RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do
         debug "Working on $LINE"
-        USER=$(awk -F: '{print $1}' <<<$LINE)
+        USER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERID=$(awk -F: '{print $2}' <<<$LINE)
+        USERID=$(awk -F: '{print $2}' <<<"$LINE")
-        DIR=$(awk -F: '{print $3}' <<<$LINE)
+        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ $USERID -ge 1000 ] && [ ! -d "$DIR" ] && [ $USER != "nfsnobody" ] && [ $USER != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
+        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
             ERRORS=$((ERRORS + 1))
         fi

bin/hardening/99.5.4_ssh_keys_from.sh

@@ -42,7 +42,7 @@ check_ip() {
         bad_ips=""
         for ip in $ips; do
             ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
-            if grep -qw "$ip_escaped" <<<$ALLOWED_IPS; then
+            if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
                 debug "Line $linum of $file allows access from exused IP (${ip})."
                 ok_ips_allowed+="$ip "
             else
@@ -93,7 +93,7 @@ check_dir() {
         return
     fi
     for file in $AUTHKEYFILE_PATTERN; do
-        check_file "${directory}"/${file}
+        check_file "${directory}"/"${file}"
     done
 }
 

lib/common.sh

@@ -7,14 +7,14 @@
 #
 backup_file() {
     FILE=$1
-    if [ ! -f $FILE ]; then
+    if [ ! -f "$FILE" ]; then
         crit "Cannot backup $FILE, it's not a file"
         FNRET=1
     else
-        TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
+        TARGET=$(echo "$FILE" | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/")
         TARGET="$BACKUPDIR/$TARGET"
         debug "Backuping $FILE to $TARGET"
-        cp -a $FILE $TARGET
+        cp -a "$FILE" "$TARGET"
         # shellcheck disable=2034
         FNRET=0
     fi
@@ -48,10 +48,10 @@ esac
 _logger() {
     COLOR=$1
     shift
-    test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
+    test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename "$0")
     builtin echo "$*" | /usr/bin/logger -t "CIS_Hardening[$$] $SCRIPT_NAME" -p "user.info"
     SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
-    cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
+    cecho "$COLOR" "$SCRIPT_NAME_FIXEDLEN $*"
 }
 
 becho() {
@@ -67,37 +67,37 @@ cecho() {
 }
 
 crit() {
-    if [ ${BATCH_MODE:-0} -eq 1 ]; then
+    if [ "${BATCH_MODE:-0}" -eq 1 ]; then
         BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
     else
-        if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
+        if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi
     fi
     # This variable incrementation is used to measure failure or success in tests
     CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1))
 }
 
 warn() {
-    if [ ${BATCH_MODE:-0} -eq 1 ]; then
+    if [ "${BATCH_MODE:-0}" -eq 1 ]; then
         BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
     else
-        if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
+        if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi
     fi
 }
 
 ok() {
-    if [ ${BATCH_MODE:-0} -eq 1 ]; then
+    if [ "${BATCH_MODE:-0}" -eq 1 ]; then
         BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
     else
-        if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
+        if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi
     fi
 }
 
 info() {
-    if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
+    if [ "$MACHINE_LOG_LEVEL" -ge 4 ]; then _logger '' "[INFO] $*"; fi
 }
 
 debug() {
-    if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
+    if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
 }
 
 #

lib/main.sh

@@ -1,7 +1,7 @@
 # shellcheck shell=bash
 # run-shellcheck
 
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
 CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
@@ -11,13 +11,13 @@ status=""
 forcedstatus=""
 SUDO_CMD=""
 # shellcheck source=constants.sh
-[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
@@ -50,7 +50,7 @@ while [[ $# -gt 0 ]]; do
         BATCH_MODE=1
         LOGLEVEL=ok
         # shellcheck source=../lib/common.sh
-        [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+        [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
         ;;
     *)
         debug "Unknown option passed"
@@ -63,15 +63,15 @@ info "Working on $SCRIPT_NAME"
 info "[DESCRIPTION] $DESCRIPTION"
 
 # Source specific configuration file
-if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then
+if ! [ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ]; then
     # If it doesn't exist, create it with default values
-    echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+    echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
     # If create_config is a defined function, execute it.
     # Otherwise, just disable the test by default.
     if type -t create_config | grep -qw function; then
-        create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+        create_config >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
     else
-        echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+        echo "status=audit" >>"$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
     fi
 
 fi
@@ -81,7 +81,7 @@ if [ "$forcedstatus" = "createconfig" ]; then
     exit 0
 fi
 # shellcheck source=/dev/null
-[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+[ -r "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg ] && . "$CIS_ROOT_DIR"/etc/conf.d/"$SCRIPT_NAME".cfg
 
 # Now check configured value for status, and potential cmdline parameter
 if [ "$forcedstatus" = "auditall" ]; then
@@ -97,7 +97,7 @@ elif [ "$forcedstatus" = "audit" ]; then
     fi
 fi
 
-if [ -z $status ]; then
+if [ -z "$status" ]; then
     crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
 
     exit 2
@@ -127,18 +127,18 @@ disabled | false)
     ;;
 esac
 
-if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
+if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
     if [ $BATCH_MODE -eq 1 ]; then
         BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
-        becho $BATCH_OUTPUT
+        becho "$BATCH_OUTPUT"
     else
         ok "Check Passed"
     fi
     exit 0 # Means ok status
 else
-    if [ $BATCH_MODE -eq 1 ]; then
+    if [ "$BATCH_MODE" -eq 1 ]; then
         BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
-        becho $BATCH_OUTPUT
+        becho "$BATCH_OUTPUT"
     else
         crit "Check Failed"
     fi

lib/utils.sh

@@ -11,7 +11,7 @@ has_sysctl_param_expected_result() {
     local SYSCTL_PARAM=$1
     local EXP_RESULT=$2
 
-    if [ "$($SUDO_CMD sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
+    if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
         FNRET=0
     elif [ $? = 255 ]; then
         debug "$SYSCTL_PARAM does not exist"
@@ -35,7 +35,7 @@ set_sysctl_param() {
     local SYSCTL_PARAM=$1
     local VALUE=$2
     debug "Setting $SYSCTL_PARAM to $VALUE"
-    if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
+    if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
         FNRET=0
     elif [ $? = 255 ]; then
         debug "$SYSCTL_PARAM does not exist"
@@ -65,7 +65,7 @@ does_pattern_exist_in_dmesg() {
 
 does_file_exist() {
     local FILE=$1
-    if $SUDO_CMD [ -e $FILE ]; then
+    if $SUDO_CMD [ -e "$FILE" ]; then
         FNRET=0
     else
         FNRET=1
@@ -78,10 +78,10 @@ has_file_correct_ownership() {
     local GROUP=$3
     local USERID
     local GROUPID
-    USERID=$(id -u $USER)
+    USERID=$(id -u "$USER")
-    GROUPID=$(getent group $GROUP | cut -d: -f3)
+    GROUPID=$(getent group "$GROUP" | cut -d: -f3)
     debug "$SUDO_CMD stat -c '%u %g' $FILE"
-    if [ "$($SUDO_CMD stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
+    if [ "$($SUDO_CMD stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then
         FNRET=0
     else
         FNRET=1
@@ -92,7 +92,7 @@ has_file_correct_permissions() {
     local FILE=$1
     local PERMISSIONS=$2
 
-    if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then
+    if [ $($SUDO_CMD stat -L -c "%a" "$FILE") = "$PERMISSIONS" ]; then
         FNRET=0
     else
         FNRET=1
@@ -117,7 +117,7 @@ _does_pattern_exist_in_file() {
     debug "Checking if $PATTERN is present in $FILE"
     if $SUDO_CMD [ -r "$FILE" ]; then
         debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE"
-        if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then
+        if $($SUDO_CMD grep -q "$OPTIONS" -- "$PATTERN" "$FILE"); then
             debug "Pattern found in $FILE"
             FNRET=0
         else
@@ -148,7 +148,7 @@ does_pattern_exist_in_file_multiline() {
     debug "Checking if multiline pattern: $PATTERN is present in $FILE"
     if $SUDO_CMD [ -r "$FILE" ]; then
         debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN""
-        if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
+        if $($SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then
             debug "Pattern found in $FILE"
             FNRET=0
         else
@@ -167,7 +167,7 @@ add_end_of_file() {
 
     debug "Adding $LINE at the end of $FILE"
     backup_file "$FILE"
-    echo "$LINE" >>$FILE
+    echo "$LINE" >>"$FILE"
 }
 
 add_line_file_before_pattern() {
@@ -177,9 +177,9 @@ add_line_file_before_pattern() {
 
     backup_file "$FILE"
     debug "Inserting $LINE before $PATTERN in $FILE"
-    PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
+    PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
     debug "sed -i '/$PATTERN/i $LINE' $FILE"
-    sed -i "/$PATTERN/i $LINE" $FILE
+    sed -i "/$PATTERN/i $LINE" "$FILE"
     FNRET=0
 }
 
@@ -190,9 +190,9 @@ replace_in_file() {
 
     backup_file "$FILE"
     debug "Replacing $SOURCE to $DESTINATION in $FILE"
-    SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE)
+    SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
     debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
-    sed -i "s/$SOURCE/$DESTINATION/g" $FILE
+    sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
     FNRET=0
 }
 
@@ -202,9 +202,9 @@ delete_line_in_file() {
 
     backup_file "$FILE"
     debug "Deleting lines from $FILE containing $PATTERN"
-    PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN)
+    PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
     debug "sed -i '/$PATTERN/d' $FILE"
-    sed -i "/$PATTERN/d" $FILE
+    sed -i "/$PATTERN/d" "$FILE"
     FNRET=0
 }
 
@@ -214,7 +214,7 @@ delete_line_in_file() {
 
 does_user_exist() {
     local USER=$1
-    if $(getent passwd $USER >/dev/null 2>&1); then
+    if $(getent passwd "$USER" >/dev/null 2>&1); then
         FNRET=0
     else
         FNRET=1
@@ -223,7 +223,7 @@ does_user_exist() {
 
 does_group_exist() {
     local GROUP=$1
-    if $(getent group $GROUP >/dev/null 2>&1); then
+    if $(getent group "$GROUP" >/dev/null 2>&1); then
         FNRET=0
     else
         FNRET=1
@@ -370,7 +370,7 @@ add_option_to_fstab() {
 remount_partition() {
     local PARTITION=$1
     debug "Remounting $PARTITION"
-    mount -o remount $PARTITION
+    mount -o remount "$PARTITION"
 }
 
 #
@@ -393,23 +393,23 @@ apt_update_if_needed() {
 apt_check_updates() {
     local NAME="$1"
     local DETAILS="/dev/shm/${NAME}"
-    $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || :
+    $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >"$DETAILS" || :
     local COUNT=$(wc -l <"$DETAILS")
     FNRET=128 # Unknown function return result
     RESULT="" # Result output for upgrade
-    if [ $COUNT -gt 0 ]; then
+    if [ "$COUNT" -gt 0 ]; then
-        RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
+        RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
         FNRET=1
     else
         RESULT="OK, no updates available"
         FNRET=0
     fi
-    rm $DETAILS
+    rm "$DETAILS"
 }
 
 apt_install() {
     local PACKAGE=$1
-    DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
+    DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install "$PACKAGE" -y
     FNRET=0
 }
 
@@ -419,7 +419,7 @@ apt_install() {
 
 is_pkg_installed() {
     PKG_NAME=$1
-    if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then
+    if $(dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '); then
         debug "$PKG_NAME is installed"
         FNRET=0
     else