diff --git a/bin/hardening.sh b/bin/hardening.sh
index ffafa01..bd85e45 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 if [ "${#TEST_LIST[@]}" -gt 0 ]; then
 # --only X has been specified at least once, is this script in my list ?
 SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+ # shellcheck disable=SC2001
 SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
 if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
 # not in the list
diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 81662f7..22a3122 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh
index 17a5b8b..3fd3856 100755
--- a/bin/hardening/2.2.18_disable_telnet_server.sh
+++ b/bin/hardening/2.2.18_disable_telnet_server.sh
@@ -67,6 +67,7 @@ apply() {
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
+ # shellcheck disable=SC2001
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh
index f647260..160cc3f 100755
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
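Review bot: The new `# shellcheck disable=SC2001` silences a warning whose own suggestion fits the line below it, a literal dot-to-`\.` replacement: `SCRIPT_PREFIX_RE=${SCRIPT_PREFIX//./\\.}` does the same without forking sed and without the directive. The same holds for the other fixed-string substitutions in this commit — the quote stripping in 5.2.18 (both hunks), the dot escaping and trailing-space trims in 99.5.4 (all three), the `\s+` rewrite in 99.5.2.3 and the `/` escaping in the three lib/utils.sh hunks — where `${var//search/replace}` or `${var% }` expresses the edit; the directive is only warranted where the sed argument is a genuine regex built from variables. Where it is kept, a short comment saying why the sed form is needed would stop the next reader from asking the same question. The enclosing `for` loop starts and ends outside the hunk.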
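Review bot: `sed "s/ /\n/g"` on the line after the new directive splits RESULT on spaces, so a directory name containing a space is reported as two fragments; RESULT is the newline-separated `-print` output of the `find` two lines above, so no space-to-newline conversion is needed for the sort. `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` keeps such names intact, folds `sort | uniq` into one process and makes the directive unnecessary (`\n` in a sed replacement is also a GNU extension). The same construct appears in the 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14 hunks; in 6.1.13 and 6.1.14 the input is BAD_BINARIES, whose separator is built outside the diff, so check whether it is space- or newline-joined before changing those two. 6.1.10 and 6.1.11 also write `<<<$RESULT` unquoted where the others quote it — harmless for a bash here-string, but worth making uniform. audit() continues outside the hunk.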
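Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` below the new directive is `-i` with backup suffix `e`, not `-i -e`: GNU sed edits in place and leaves a copy at `${FILE}e` beside the config file, which `backup_file $FILE` on the line above already makes redundant. Write it as `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`, quoting the path as well. The ESCAPED_PATTERN line turns `|`, `(` and `)` into `\|`, `\(` and `\)`, which in GNU basic regex are the alternation and grouping operators rather than literals, so whether that is the intended effect depends on what PATTERN holds — it is set outside this hunk and deserves a comment either way. apply() continues outside the hunk.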
@@ -31,6 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
@@ -55,6 +56,7 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh
index 8e5ee7d..ec86c89 100755
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@@ -24,6 +24,7 @@ audit() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+ # shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
@@ -38,6 +39,7 @@ apply() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+ # shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh
index af01f31..2aeb9b4 100755
--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
@@ -38,6 +38,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"
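Review bot: SSH_VALUE goes unescaped into `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` right after the new directive, so a value containing `.`, `*` or `[` — plausible for AllowUsers/DenyUsers patterns — is matched as a regex and the audit can report a match the file does not literally contain. Escape regex metacharacters before building PATTERN (the set depends on whether does_pattern_exist_in_file, defined outside this hunk, uses BRE or ERE), or add a fixed-string variant of the helper. The quote stripping itself needs no sed: `SSH_VALUE=${SSH_VALUE//\'/}`. The apply() hunk below repeats this and quotes `"$FILE"` where this hunk passes `$FILE` bare; make both quoted. `cut -d= -f 2` also drops anything after a second `=` in SSH_OPTION; `${SSH_OPTION#*=}` keeps the whole value.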
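Review bot: The space-to-`[[:space:]]+` rewrite after the new directive turns CONF_LINE into a regex without escaping the rest of it; CONF_LINE is set outside this hunk, but if it is the usual pam_unix line with `[...]` options and `pam_unix.so`, the brackets become a bracket expression and the dot matches any character, so the audit can pass on a line that differs from CONF_LINE. Escape the metacharacters before substituting, or have the helper search the literal line; the substitution itself is `${CONF_LINE// /[[:space:]]+}` in bash. The audit and apply hunks carry the identical readability check and match block, and `$CONF_FILE` is unquoted on both calls; a shared helper would keep the two from drifting. audit() continues outside the hunk.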
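Review bot: The exception test two lines above the new directive, `echo "$EXCEPTIONS" | grep -q "$ACCOUNT"`, is an unanchored substring match, so an account such as `sys` is treated as an exception whenever a longer name like `syslog` is in EXCEPTIONS, and the audit then skips an account it should be disabling. 6.2.5 already uses the word-bounded form; change this line to `if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then` (and the debug string above it to match). `RESULT=$(sed "s!$LINE!!" <<<"$RESULT")` below the directive also treats LINE as a regex with `!` as delimiter, so a `!`, `.` or `*` in the passwd entry alters or breaks the edit; `RESULT=${RESULT/"$LINE"/}` removes it literally and makes the directive unnecessary. The apply() hunk that follows repeats both points, the 6.2.5 hunk repeats the sed one with ACCOUNT, and both 6.2.8 hunks repeat the unbounded `grep -q "$dir"`, where a directory is excused whenever its path is a substring of any listed exception. audit() continues outside the hunk.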
@@ -65,6 +66,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index 84b6fbe..8fc1d0e 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index c972440..3f2d494 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some unowned files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index da5a5f3..64639f3 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some ungrouped files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh
index a6f3be6..5a22ac5 100755
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some suid files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh
index a5afa32..2793915 100755
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some sgid files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index ea62cb1..f9d41ea 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -51,7 +51,7 @@ apply() {
 FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
 if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
- chmod g-w "$FILE"
+ chmod g-w "$FILE"
 fi
 if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
 warn "Other Write permission set on FILE $FILE"
diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
index 06da46e..89a4e7e 100755
--- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
@@ -34,6 +34,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
 FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
 else
diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh
index ff34991..1ebdfdd 100755
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh
+++ b/bin/hardening/6.2.8_check_user_dir_perm.sh
@@ -27,6 +27,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
@@ -66,6 +67,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
index c5f9fb1..63d52bb 100755
--- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
@@ -77,6 +77,7 @@ apply() {
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh
index fdf7065..31d68f2 100755
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@@ -41,6 +41,7 @@ check_ip() {
 ok_ips_allowed=""
 bad_ips=""
 for ip in $ips; do
+ # shellcheck disable=SC2001
 ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
 if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
 debug "Line $linum of $file allows access from exused IP (${ip})."
@@ -50,7 +51,9 @@ check_ip() {
 bad_ips+="$ip "
 fi
 done
+ # shellcheck disable=SC2001
 ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
+ # shellcheck disable=SC2001
 bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
 if [[ -z $bad_ips ]]; then
 if [[ -n $ok_ips ]]; then
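Review bot: `sed 's/\\s+/ /'` after the new directive rewrites only the first literal `\s+` in SSH_VALUE because the `g` flag is missing, whereas the matching rewrite in the 99.5.6 hunk (`sed -r 's/\\s\+/ /g'`) is global; a value with two whitespace tokens would reach `add_end_of_file` with a literal `\s+` still inside. If the value can contain more than one, add `g`, or drop sed and the directive with `SSH_VALUE=${SSH_VALUE//\\s+/ }`. Both scripts convert a regex back into the literal config text by hand; sharing one helper in lib/utils.sh would keep the two in step. The enclosing if/else and apply() continue outside the hunk.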
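Review bot: The escaping on the ip_escaped line and its directive can go: `if grep -qwF -- "$ip" <<<"$ALLOWED_IPS"; then` does a fixed-string, word-bounded search on the raw value, which also stays correct if an entry ever carries a regex character other than a dot (a `*` wildcard, for instance) — the current escaping would leave that live in the pattern. In the second hunk `ok_ips=${ok_ips_allowed% }` and `bad_ips=${bad_ips% }` strip the single trailing space without sed or a directive. The debug message on the last line of the first hunk reads `exused`, presumably `excused`. check_ip() continues outside both hunks.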
diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
index 75c31f7..d3ae5d7 100755
--- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
@@ -52,6 +52,7 @@ apply() {
 else
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
+ # shellcheck disable=SC2001
 PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$PATTERN"
diff --git a/lib/utils.sh b/lib/utils.sh
index ca59dfc..6408655 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -177,6 +177,7 @@ add_line_file_before_pattern() { backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" + # shellcheck disable=SC2001 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" "$FILE"
@@ -190,6 +191,7 @@ replace_in_file() { backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" + # shellcheck disable=SC2001 SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE") debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
@@ -202,6 +204,7 @@ delete_line_in_file() { backup_file "$FILE" debug "Deleting lines from $FILE containing $PATTERN" + # shellcheck disable=SC2001 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") debug "sed -i '/$PATTERN/d' $FILE" sed -i "/$PATTERN/d" "$FILE"
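Review bot: The four-stage pipeline after the new directive reconstructs the literal config line from the regex PATTERN by stripping `^`, `\s*`, `\s+` and then every backslash; any other regex construct in PATTERN (a `.`, a `$`, a character class) would be written verbatim into the file by `add_end_of_file $FILE "$PATTERN"` on the last line. Keeping the literal text in its own variable where PATTERN is built (outside this hunk) and deriving the regex from it is the robust direction, and it removes the need for the directive. Note that the final `sed 's/\\//g'` deletes all backslashes, so a value that legitimately contains one cannot survive the round trip. apply() continues outside the hunk.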
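Review bot: In the replace_in_file hunk, `$DESTINATION` is interpolated into the `s/$SOURCE/$DESTINATION/g` replacement with no escaping while only `/` in SOURCE is escaped, so a `/`, `&` or `\` in the destination breaks the sed expression or inserts the matched text instead of the literal. Escape it the same way plus `&` and `\`, e.g. `DESTINATION=$(sed 's@[/&\\]@\\&@g' <<<"$DESTINATION")`, and note SOURCE is still a regex after the `/` escaping, so callers passing `.` or `*` get wider matches than the literal. The same partial escaping precedes the `/$PATTERN/i` and `/$PATTERN/d` commands in the add_line_file_before_pattern and delete_line_in_file hunks, and in add_line_file_before_pattern `$LINE` goes into the `i` text unescaped as well. All three functions start outside their hunks.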