IMP(shellcheck): disable sed replacement (SC2001)
Shellcheck recommends replacing sed with shell parameter expansions in 'simple' cases. However, the replacement here is likely to lead to errors, so we disable this rule. Moreover, it doesn't really add readability.
This commit is contained in:
parent
36528b55e0
commit
b9e129d8fe
@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
|
||||
# --only X has been specified at least once, is this script in my list ?
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
|
||||
# shellcheck disable=SC2001
|
||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
|
||||
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
|
||||
# not in the list
|
||||
|
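Review bot: The `-w` match in `grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"` is anchored only on the left, so a `--only 1.1` entry also selects every `1.1.x` script, because the `.` following `1.1` counts as a word boundary. If that prefix selection is intended, a comment saying so would help; if an exact match is intended, anchor the right side as well: `grep -qE "(^| )$SCRIPT_PREFIX_RE( |$)" <<<"${TEST_LIST[@]}"`. The enclosing `for` loop starts and ends outside the hunk.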
@ -24,6 +24,7 @@ audit() {
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
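Review bot: `sed "s/ /\n/g" <<<"$RESULT"` on the `FORMATTED_RESULT` line splits on spaces, but `find -print` already emits one path per line, so its only effect is to break any path containing a space into several bogus entries in the critical message. `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` produces the same de-duplicated listing without the sed and without the SC2001 disable. `audit()` continues outside the hunk.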
@ -67,6 +67,7 @@ apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
# shellcheck disable=SC2001
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
|
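Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` does not mean `-i -e`: GNU sed takes the optional backup suffix attached to `-i`, so this edits the file in place and leaves a stray copy named `${FILE}e` beside it, an unmanaged second copy of a configuration file that `backup_file` has already backed up. Write it as `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The here-string `<<<$PATTERN` on the previous line is also unquoted, unlike the other here-strings this commit touches; older bash word-splits an unquoted here-string and rejoins it with single spaces, so `<<<"$PATTERN"` is the safe form. `apply()` continues outside the hunk.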
@ -31,6 +31,7 @@ audit() {
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
||||
# shellcheck disable=SC2001
|
||||
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
|
||||
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
@ -55,6 +56,7 @@ apply() {
|
||||
for SSH_OPTION in $OPTIONS; do
|
||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
||||
# shellcheck disable=SC2001
|
||||
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
|
||||
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
|
||||
does_pattern_exist_in_file "$FILE" "$PATTERN"
|
||||
|
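Review bot: In the `apply()` hunk, `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` uses `*` for the separator, so the pattern also matches a line where keyword and value are glued together, and it cannot match the `Keyword=value` spelling that sshd_config also accepts, if that form is in scope here; `[[:space:]]+` (the same quantifier this commit already relies on elsewhere) is tighter. `cut -d= -f 2` also drops everything after a second `=`, so `-f 2-` is safer if a value can ever contain one. The same three lines appear verbatim in the `audit()` hunk above; a small helper deriving `SSH_PARAM`, `SSH_VALUE` and `PATTERN` would keep the two in step. Both function bodies start and end outside their hunks.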
@ -24,6 +24,7 @@ audit() {
|
||||
if $SUDO_CMD [ ! -r $CONF_FILE ]; then
|
||||
crit "$CONF_FILE is not readable"
|
||||
else
|
||||
# shellcheck disable=SC2001
|
||||
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$CONF_LINE is present in $CONF_FILE"
|
||||
@ -38,6 +39,7 @@ apply() {
|
||||
if $SUDO_CMD [ ! -r $CONF_FILE ]; then
|
||||
crit "$CONF_FILE is not readable"
|
||||
else
|
||||
# shellcheck disable=SC2001
|
||||
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$CONF_LINE is present in $CONF_FILE"
|
||||
|
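Review bot: `$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")` turns a literal configuration line into a regex by loosening only the spaces; any other metacharacter in `CONF_LINE` (`.`, `*`, `[`, `+`) passes through unescaped, so a `.` in a value matches any character and the check can report `ok` on a line that differs from the expected one. If `CONF_LINE` values can contain such characters, escape them first: `sed -e 's/[][\.*^$+?(){}|]/\\&/g' -e 's/ /[[:space:]]+/g' <<<"$CONF_LINE"`. `$CONF_FILE` is also unquoted in both `$SUDO_CMD [ ! -r $CONF_FILE ]` and the `does_pattern_exist_in_file` call, unlike `"$FILE"` elsewhere in this commit. The `apply()` hunk repeats the same lines, and both function bodies extend beyond their hunks.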
@ -38,6 +38,7 @@ audit() {
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
@ -65,6 +66,7 @@ apply() {
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
|
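Review bot: `echo "$EXCEPTIONS" | grep -q "$ACCOUNT"` is a substring test, so an exception `bob` also excuses `bobby` and `nobob`; the comparable check this same commit touches in another script already uses `grep -qw`, and `-w` belongs here too. The follow-up `RESULT=$(sed "s!$LINE!!" <<<"$RESULT")` then uses the matched line as an unescaped regex with `!` as delimiter, so a `!`, `&` or `\` in the line breaks or rewrites the expression. `RESULT=$(grep -vxF -- "$LINE" <<<"$RESULT")` removes the line literally and needs neither escaping nor the SC2001 disable. The `apply()` hunk repeats the same lines; both function bodies extend beyond their hunks.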
@ -24,6 +24,7 @@ audit() {
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable files are present"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
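Review bot: The here-string on the `FORMATTED_RESULT` line is unquoted (`<<<$RESULT`), while the otherwise identical line in the world-writable-directories check quotes it; older bash word-splits an unquoted here-string and rejoins it with single spaces, which is exactly the case the following `sed "s/ /\n/g"` then has to undo. Quote it, `FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')`, or drop the sed entirely since `find -print` already yields one path per line: `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')`. `audit()` continues past the hunk.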
@ -31,6 +31,7 @@ audit() {
|
||||
fi
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some unowned files are present"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
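Review bot: `<<<$RESULT` on the `FORMATTED_RESULT` line is unquoted, unlike the parallel ungrouped-files check in this same commit which uses `<<<"$RESULT"`; the two reports should be formatted identically. If `RESULT` is newline-separated `find` output as in the sibling checks (its origin is outside the hunk), the whole pipeline can be `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')`, which also removes the need for the SC2001 disable; `sort | uniq` is `sort -u` in any case. The body of `audit()` starts and ends outside the hunk.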
@ -31,6 +31,7 @@ audit() {
|
||||
fi
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some ungrouped files are present"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
@ -38,6 +38,7 @@ audit() {
|
||||
done
|
||||
if [ -n "$BAD_BINARIES" ]; then
|
||||
crit "Some suid files are present"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
@ -38,6 +38,7 @@ audit() {
|
||||
done
|
||||
if [ -n "$BAD_BINARIES" ]; then
|
||||
crit "Some sgid files are present"
|
||||
# shellcheck disable=SC2001
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
|
@ -51,7 +51,7 @@ apply() {
|
||||
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
|
||||
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
|
||||
warn "Group Write permission set on FILE $FILE"
|
||||
chmod g-w "$FILE"
|
||||
chmod g-w "$FILE"
|
||||
fi
|
||||
if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
|
||||
warn "Other Write permission set on FILE $FILE"
|
||||
|
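Review bot: `FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")` followed by `cut -c6` / `cut -c9` derives the mode by parsing `ls` output, which is what ShellCheck SC2012 warns about and, if `FILE` can be a symlink, reports the link's own mode rather than the target's. `FILEPERM=$(stat -c '%A' "$FILE")` yields the same ten-character mode string directly (or `stat -c '%a'` for a numeric test). The `chmod g-w "$FILE"` line is printed twice in the rendered hunk, so which side of the change it belongs to is not recoverable here. `apply()` extends beyond the hunk.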
@ -34,6 +34,7 @@ audit() {
|
||||
debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
|
||||
FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
|
||||
else
|
||||
|
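Review bot: `RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")` deletes every occurrence of the account name as an unanchored regex substring, so excusing `root` also strips `root` out of `nonroot` or `root2` and leaves mangled entries behind, and any `!` or `&` in `ACCOUNT` breaks or rewrites the expression. Since the exception check just above is already word-anchored (`grep -qw`), the removal should be too: `RESULT=$(grep -vwF -- "$ACCOUNT" <<<"$RESULT")` drops matching lines whole, assuming `RESULT` holds one entry per line, which is not visible here. `audit()` continues outside the hunk.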
@ -27,6 +27,7 @@ audit() {
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
|
||||
if echo "$EXCEPTIONS" | grep -q "$dir"; then
|
||||
debug "$dir is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$dir!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$dir not found in exceptions"
|
||||
@ -66,6 +67,7 @@ apply() {
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
|
||||
if echo "$EXCEPTIONS" | grep -q "$dir"; then
|
||||
debug "$dir is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$dir!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$dir not found in exceptions"
|
||||
|
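Review bot: `echo "$EXCEPTIONS" | grep -q "$dir"` in the `audit()` hunk is a substring match on a path, so an exception `/home/bob` also excuses `/home/bobby`, and the removal `RESULT=$(sed "s!$dir!!" <<<"$RESULT")` interprets the path as a regex (`.` matches any character) with `!` as delimiter. `grep -qxF -- "$dir"` for the exception test and `RESULT=$(grep -vxF -- "$dir" <<<"$RESULT")` for the removal match the path literally and need no escaping; if `EXCEPTIONS` is space-separated rather than newline-separated, use `-w` instead of `-x`. The `apply()` hunk repeats these lines verbatim. Both function bodies extend beyond their hunks.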
@ -77,6 +77,7 @@ apply() {
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
# shellcheck disable=SC2001
|
||||
SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
|
||||
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
|
||||
else
|
||||
|
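Review bot: `does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"` is a prefix match, so for a keyword that is a prefix of another (e.g. `^HostKey` also matches a `HostKeyAlgorithms` line) the option is judged present and `add_end_of_file` is skipped. Anchor the keyword with its separator: `does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}[[:space:]]"` (add `=` if the `Keyword=value` form is in scope). `SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")` also carries no `g` flag, so only the first `\s+` is rewritten if a value can hold several. `apply()` continues outside the hunk.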
@ -41,6 +41,7 @@ check_ip() {
|
||||
ok_ips_allowed=""
|
||||
bad_ips=""
|
||||
for ip in $ips; do
|
||||
# shellcheck disable=SC2001
|
||||
ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
|
||||
if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
|
||||
debug "Line $linum of $file allows access from exused IP (${ip})."
|
||||
@ -50,7 +51,9 @@ check_ip() {
|
||||
bad_ips+="$ip "
|
||||
fi
|
||||
done
|
||||
# shellcheck disable=SC2001
|
||||
ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
|
||||
# shellcheck disable=SC2001
|
||||
bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
|
||||
if [[ -z $bad_ips ]]; then
|
||||
if [[ -n $ok_ips ]]; then
|
||||
|
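Review bot: In the first `check_ip()` hunk, the escaping sed exists only so that `grep -qw "$ip_escaped"` treats the IP's dots literally; `grep -qwF -- "$ip" <<<"$ALLOWED_IPS"` does that directly and removes both the sed and the SC2001 disable. Separately, the debug message on the following line reads `exused IP`; it should be `excused IP`. `check_ip()` starts before the hunk.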
@ -52,6 +52,7 @@ apply() {
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
|
||||
# shellcheck disable=SC2001
|
||||
PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
add_end_of_file $FILE "$PATTERN"
|
||||
|
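Review bot: `PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')` spawns four sed processes for one string; a single invocation with several expressions applies them in the same order: `PATTERN=$(sed -r -e 's/\^//' -e 's/\\s\*//' -e 's/\\s\+/ /g' -e 's/\\//g' <<<"$PATTERN")`. The last expression strips every backslash, so a value that legitimately contains one (the possible values are not visible here) would be written to the file altered. `$FILE` is unquoted in the `does_pattern_exist_in_file_nocase` and `add_end_of_file` calls. `apply()` continues outside the hunk.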
@ -177,6 +177,7 @@ add_line_file_before_pattern() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Inserting $LINE before $PATTERN in $FILE"
|
||||
# shellcheck disable=SC2001
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
|
||||
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
||||
sed -i "/$PATTERN/i $LINE" "$FILE"
|
||||
@ -190,6 +191,7 @@ replace_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
||||
# shellcheck disable=SC2001
|
||||
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
|
||||
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
||||
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
|
||||
@ -202,6 +204,7 @@ delete_line_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Deleting lines from $FILE containing $PATTERN"
|
||||
# shellcheck disable=SC2001
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
|
||||
debug "sed -i '/$PATTERN/d' $FILE"
|
||||
sed -i "/$PATTERN/d" "$FILE"
|
||||
|
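Review bot: In `replace_in_file()`, only `SOURCE` is escaped before being spliced into `sed -i "s/$SOURCE/$DESTINATION/g"`; `DESTINATION` goes in raw, so a `/` in it terminates the expression and sed aborts after `backup_file` has already run, while an `&` or `\1` is expanded to matched text instead of being written literally. Escape the replacement side as well, `DESTINATION=$(sed 's@[/&\\]@\\&@g' <<<"$DESTINATION")`, right after the existing `SOURCE` escaping line. The `/`-only escaping is also duplicated across the three helpers in this section; a shared escaping function would keep them aligned. `replace_in_file()` continues past its hunk.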