elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 13:07:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shellcheck): disable sed replacement (SC2001)

Browse Source 
Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.
This commit is contained in:
Thibault Ayanides 2020-12-10 08:34:57 +01:00
parent 36528b55e0
commit b9e129d8fe
18 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/hardening.sh
View File

@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list

1
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -24,6 +24,7 @@ audit() {
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

1
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -67,6 +67,7 @@ apply() {
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
# shellcheck disable=SC2001
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else

2
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -31,6 +31,7 @@ audit() {
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
@ -55,6 +56,7 @@ apply() {
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN"

2
bin/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -24,6 +24,7 @@ audit() {
if $SUDO_CMD [ ! -r $CONF_FILE ]; then
crit "$CONF_FILE is not readable"
else
# shellcheck disable=SC2001
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then
ok "$CONF_LINE is present in $CONF_FILE"
@ -38,6 +39,7 @@ apply() {
if $SUDO_CMD [ ! -r $CONF_FILE ]; then
crit "$CONF_FILE is not readable"
else
# shellcheck disable=SC2001
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then
ok "$CONF_LINE is present in $CONF_FILE"

2
bin/hardening/5.4.2_disable_system_accounts.sh
View File

@ -38,6 +38,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
@ -65,6 +66,7 @@ apply() {
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"

1
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -24,6 +24,7 @@ audit() {
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
if [ -n "$RESULT" ]; then
crit "Some world writable files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

1
bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -31,6 +31,7 @@ audit() {
fi
if [ -n "$RESULT" ]; then
crit "Some unowned files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

1
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -31,6 +31,7 @@ audit() {
fi
if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

1
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -38,6 +38,7 @@ audit() {
done
if [ -n "$BAD_BINARIES" ]; then
crit "Some suid files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

1
bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -38,6 +38,7 @@ audit() {
done
if [ -n "$BAD_BINARIES" ]; then
crit "Some sgid files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else

2
bin/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -51,7 +51,7 @@ apply() {
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
warn "Group Write permission set on FILE $FILE"
chmod g-w "$FILE"
chmod g-w "$FILE"
fi
if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
warn "Other Write permission set on FILE $FILE"

1
bin/hardening/6.2.5_find_0_uid_non_root_account.sh
View File

@ -34,6 +34,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
else

2
bin/hardening/6.2.8_check_user_dir_perm.sh
View File

@ -27,6 +27,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q "$dir"; then
debug "$dir is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$dir!!" <<<"$RESULT")
else
debug "$dir not found in exceptions"
@ -66,6 +67,7 @@ apply() {
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q "$dir"; then
debug "$dir is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$dir!!" <<<"$RESULT")
else
debug "$dir not found in exceptions"

1
bin/hardening/99.5.2.3_ssh_cry_rekey.sh
View File

@ -77,6 +77,7 @@ apply() {
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then
# shellcheck disable=SC2001
SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else

3
bin/hardening/99.5.4_ssh_keys_from.sh
View File

@ -41,6 +41,7 @@ check_ip() {
ok_ips_allowed=""
bad_ips=""
for ip in $ips; do
# shellcheck disable=SC2001
ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
debug "Line $linum of $file allows access from exused IP (${ip})."
@ -50,7 +51,9 @@ check_ip() {
bad_ips+="$ip "
fi
done
# shellcheck disable=SC2001
ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
# shellcheck disable=SC2001
bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
if [[ -z $bad_ips ]]; then
if [[ -n $ok_ips ]]; then

1
bin/hardening/99.5.6_ssh_sys_accept_env.sh
View File

@ -52,6 +52,7 @@ apply() {
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
# shellcheck disable=SC2001
PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$PATTERN"

3
lib/utils.sh
View File

@ -177,6 +177,7 @@ add_line_file_before_pattern() {
backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE"
# shellcheck disable=SC2001
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" "$FILE"
@ -190,6 +191,7 @@ replace_in_file() {
backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE"
# shellcheck disable=SC2001
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
@ -202,6 +204,7 @@ delete_line_in_file() {
backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN"
# shellcheck disable=SC2001
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" "$FILE"