From b9e129d8feb382bc2c63a0f76bd1a92527164229 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 10 Dec 2020 08:34:57 +0100
Subject: [PATCH] IMP(shellcheck): disable sed replacement (SC2001)

Shellcheck recommands to replace sed by shell expansions in 'simple' cases. However, the replacement here is likely to lead to erros, so we disable this rule. Moreover, it does'nt really add readability.
---
 bin/hardening.sh | 1 +
 bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh | 1 +
 bin/hardening/2.2.18_disable_telnet_server.sh | 1 +
 bin/hardening/5.2.18_sshd_limit_access.sh | 2 ++
 bin/hardening/5.3.4_acc_pam_sha512.sh | 2 ++
 bin/hardening/5.4.2_disable_system_accounts.sh | 2 ++
 bin/hardening/6.1.10_find_world_writable_file.sh | 1 +
 bin/hardening/6.1.11_find_unowned_files.sh | 1 +
 bin/hardening/6.1.12_find_ungrouped_files.sh | 1 +
 bin/hardening/6.1.13_find_suid_files.sh | 1 +
 bin/hardening/6.1.14_find_sgid_files.sh | 1 +
 bin/hardening/6.2.10_check_user_dot_file_perm.sh | 2 +-
 bin/hardening/6.2.5_find_0_uid_non_root_account.sh | 1 +
 bin/hardening/6.2.8_check_user_dir_perm.sh | 2 ++
 bin/hardening/99.5.2.3_ssh_cry_rekey.sh | 1 +
 bin/hardening/99.5.4_ssh_keys_from.sh | 3 +++
 bin/hardening/99.5.6_ssh_sys_accept_env.sh | 1 +
 lib/utils.sh | 3 +++
 18 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/bin/hardening.sh b/bin/hardening.sh
index ffafa01..bd85e45 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 if [ "${#TEST_LIST[@]}" -gt 0 ]; then
 # --only X has been specified at least once, is this script in my list ?
 SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+ # shellcheck disable=SC2001
 SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
 if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
 # not in the list
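Review bot: The bare `# shellcheck disable=SC2001` added above `SCRIPT_PREFIX_RE=…` gives no reason, and the same one-line directive is repeated on every sed call across all 18 files in this patch. One project-wide `disable=SC2001` in `.shellcheckrc` (or one file-level directive after each shebang) would state the policy once, where the rationale from the commit message can sit beside it; if per-line directives are kept, a trailing reason such as `# shellcheck disable=SC2001 # keep sed: escaping stays explicit` makes the next reader's job easier. The enclosing `for SCRIPT …` loop starts and ends outside the hunk.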
diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 81662f7..22a3122 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh
index 17a5b8b..3fd3856 100755
--- a/bin/hardening/2.2.18_disable_telnet_server.sh
+++ b/bin/hardening/2.2.18_disable_telnet_server.sh
@@ -67,6 +67,7 @@ apply() {
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
+ # shellcheck disable=SC2001
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh
index f647260..160cc3f 100755
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@@ -31,6 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
@@ -55,6 +56,7 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"
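Review bot: `sed "s/ /\n/g"` on the `FORMATTED_RESULT` line under the new directive splits the `find -print` output on spaces, so a world-writable directory whose path contains a space shows up in the `crit` report as unrelated fragments rather than as the real path. `find` already emits one entry per line, so `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` de-duplicates the list without corrupting such paths. The same idiom sits under the new directives in 6.1.10, 6.1.11 and 6.1.12, and with `$BAD_BINARIES` in 6.1.13 and 6.1.14, whose construction is outside those hunks, so confirm that input is newline-separated before changing them. audit() continues outside the hunk.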
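Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE`, the line right after the new directive, passes `-ie`, which GNU sed reads as `-i` with the backup suffix `e`; each run through this branch therefore leaves a stray copy of the service configuration beside it (`${FILE}e`), on top of the backup that `backup_file $FILE` already takes. `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"` is what was meant and also quotes the path. The here-string on the `ESCAPED_PATTERN` line is unquoted (`<<<$PATTERN`) while the other hunks in this patch quote theirs; `<<<"$PATTERN"` keeps it consistent. apply() continues outside the hunk.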
diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh
index 8e5ee7d..ec86c89 100755
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@@ -24,6 +24,7 @@ audit() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+ # shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
@@ -38,6 +39,7 @@ apply() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+ # shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh
index af01f31..2aeb9b4 100755
--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
@@ -38,6 +38,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"
@@ -65,6 +66,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index 84b6fbe..8fc1d0e 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
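Review bot: The `sed 's/ /[[:space:]]+/g'` call under the new directive rewrites only spaces, so any other metacharacter in `$CONF_LINE` reaches `does_pattern_exist_in_file` unescaped: a `.` in a module name matches any character and a bracketed PAM control field would be read as a character class, which can make audit() report the line as present when it is not. `$CONF_LINE` is defined outside the hunk, so confirm what it can contain; if it carries such characters, escape them before the space substitution, e.g. `sed -e 's/[][.*^$]/\\&/g' -e 's/ /[[:space:]]+/g' <<<"$CONF_LINE"`. The same applies to the apply() hunk below.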
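Review bot: `grep -q "$ACCOUNT"` in the exception test just above the new directive is a substring match, so an `EXCEPTIONS` entry that merely contains the account name (constructed example: `sysadmin` when `$ACCOUNT` is `admin`) confirms it as an exception and the account is dropped from `RESULT` and left untouched; 6.2.5 uses `grep -qw "$ACCOUNT"` for the identical check, and `-w` belongs here, in the apply() hunk below and in both 6.2.8 hunks (`grep -q "$dir"`). Separately, `RESULT=$(sed "s!$LINE!!" <<<"$RESULT")` splices `$LINE` into the sed program with `!` as delimiter, so a `!`, `\`, `&` or other regex character in that line (built outside the hunk) breaks or misdirects the substitution instead of matching literally. audit() and apply() continue outside their hunks.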
@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index c972440..3f2d494 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some unowned files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index da5a5f3..64639f3 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some ungrouped files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh
index a6f3be6..5a22ac5 100755
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some suid files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh
index a5afa32..2793915 100755
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
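Review bot: The here-string on the `FORMATTED_RESULT` line under the new directive is unquoted (`<<<$RESULT`), whereas 6.1.12, 6.1.13 and 6.1.14 quote the identical construct; `<<<"$RESULT"` keeps the five scripts uniform and removes any dependence on how a given bash version expands an unquoted here-string. 6.1.11 has the same unquoted form. audit() continues outside the hunk.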
@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some sgid files are present"
+ # shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index ea62cb1..f9d41ea 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -51,7 +51,7 @@ apply() {
 FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
 if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
- chmod g-w "$FILE"
+ chmod g-w "$FILE"
 fi
 if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
 warn "Other Write permission set on FILE $FILE"
diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
index 06da46e..89a4e7e 100755
--- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
@@ -34,6 +34,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
 FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
 else
diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh
index ff34991..1ebdfdd 100755
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh
+++ b/bin/hardening/6.2.8_check_user_dir_perm.sh
@@ -27,6 +27,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
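Review bot: `sed "s!$ACCOUNT!!"` under the new directive removes `$ACCOUNT` as a substring, so if `RESULT` is a list of account names (it is built outside the hunk), excepting one name also mutilates any longer name that contains it, leaving a fragment that is neither a real account nor an exception for the rest of the audit. Anchoring the match to word boundaries, `RESULT=$(sed "s!\<$ACCOUNT\>!!" <<<"$RESULT")`, limits the edit to whole names (GNU sed syntax, which the `-i`/`-r` flags used elsewhere in this patch already assume). The same prefix-stripping issue applies to `sed "s!$dir!!"` in both 6.2.8 hunks, where an excepted path that is a prefix of another home directory's path strips that prefix from it. audit() continues outside the hunk.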
@@ -66,6 +67,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+ # shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
index c5f9fb1..63d52bb 100755
--- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh
@@ -77,6 +77,7 @@ apply() {
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
+ # shellcheck disable=SC2001
 SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh
index fdf7065..31d68f2 100755
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@@ -41,6 +41,7 @@ check_ip() {
 ok_ips_allowed=""
 bad_ips=""
 for ip in $ips; do
+ # shellcheck disable=SC2001
 ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
 if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
 debug "Line $linum of $file allows access from exused IP (${ip})."
@@ -50,7 +51,9 @@ check_ip() {
 bad_ips+="$ip "
 fi
 done
+ # shellcheck disable=SC2001
 ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
+ # shellcheck disable=SC2001
 bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
 if [[ -z $bad_ips ]]; then
 if [[ -n $ok_ips ]]; then
diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
index 75c31f7..d3ae5d7 100755
--- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh
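Review bot: `ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")` and the `bad_ips` line below it strip one trailing space from values assembled in the loop above (`bad_ips+="$ip "` is visible; `ok_ips_allowed` is presumably built the same way and holds no newline), so here the expansion ShellCheck asks for is exact, `ok_ips=${ok_ips_allowed% }` and `bad_ips=${bad_ips% }`, because no regex is involved; the two directives are being added at the one place in this file where the rule's advice is actually safe. Keeping the directive for the `ip_escaped` line in the previous hunk, where the sed program is a real regex, matches the commit's rationale. check_ip() continues outside the hunk.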
@@ -52,6 +52,7 @@ apply() {
 else
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
+ # shellcheck disable=SC2001
 PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$PATTERN"
diff --git a/lib/utils.sh b/lib/utils.sh
index ca59dfc..6408655 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -177,6 +177,7 @@ add_line_file_before_pattern() {
 backup_file "$FILE"
 debug "Inserting $LINE before $PATTERN in $FILE"
+ # shellcheck disable=SC2001
 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
 debug "sed -i '/$PATTERN/i $LINE' $FILE"
 sed -i "/$PATTERN/i $LINE" "$FILE"
@@ -190,6 +191,7 @@ replace_in_file() {
 backup_file "$FILE"
 debug "Replacing $SOURCE to $DESTINATION in $FILE"
+ # shellcheck disable=SC2001
 SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
 debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
 sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
@@ -202,6 +204,7 @@ delete_line_in_file() {
 backup_file "$FILE"
 debug "Deleting lines from $FILE containing $PATTERN"
+ # shellcheck disable=SC2001
 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
 debug "sed -i '/$PATTERN/d' $FILE"
 sed -i "/$PATTERN/d" "$FILE"
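Review bot: The `PATTERN=$(sed … | sed -r … | sed -r … | sed …)` line under the new directive spawns four sed processes for four substitutions on a single value; one invocation, `PATTERN=$(sed -r -e 's/\^//' -e 's/\\s\*//' -e 's/\\s\+/ /g' -e 's/\\//g' <<<"$PATTERN")`, runs the same four commands in the same order (each is unchanged in meaning under ERE) and leaves a single line for the directive to cover. apply() continues outside the hunk.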
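Review bot: The `/`-only escaping under the new directives, here and in the `replace_in_file` and `delete_line_in_file` hunks below, leaves the other half of each sed program unprotected: in `replace_in_file`, `$DESTINATION` goes into `sed -i "s/$SOURCE/$DESTINATION/g"` raw, so an `&` in the replacement re-inserts the match, a `\` starts an escape and a `/` terminates the command, and the hardened file silently receives something other than the requested text. Escaping the replacement side before use, `DESTINATION=$(sed 's@[/&\\]@\\&@g' <<<"$DESTINATION")`, closes that gap; `$SOURCE` and `$PATTERN` appear to be regexes the callers rely on, so their remaining metacharacters are a contract to document in the function headers rather than escape. In this hunk `$LINE` is likewise placed raw in the `i` command text, where a leading backslash or an embedded newline is interpreted by sed instead of being inserted. All three functions start and end outside their hunks.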