IMP(shellcheck): disable sed replacement (SC2001)
ShellCheck recommends replacing sed with shell parameter expansions in 'simple' cases. However, the replacement here is likely to lead to errors, so we disable this rule. Moreover, it doesn't really add readability.
This commit is contained in:
parent
36528b55e0
commit
b9e129d8fe
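@@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 if [ "${#TEST_LIST[@]}" -gt 0 ]; then
 # --only X has been specified at least once, is this script in my list ?
 SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+# shellcheck disable=SC2001
 SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
 if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
 # not in the list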
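Review bot: The `grep -qwE "(^| )$SCRIPT_PREFIX_RE"` test anchors the prefix on the left only; because `.` is not a word-constituent character, `-w` still lets a prefix such as `1.1.1` match a longer `--only 1.1.1.1` entry, so the shorter script would be selected as well if prefixes nest that way. Anchoring the right side too, `grep -qwE "(^| )$SCRIPT_PREFIX_RE( |$)"`, restricts the match to a whole list entry. Since the array is expanded inside a here-string, the explicit `"${TEST_LIST[*]}"` would make the space-joined intent visible. The enclosing for loop starts and ends outside the hunk.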
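@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else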
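Review bot: The `sed "s/ /\n/g"` on the FORMATTED_RESULT line splits every path on spaces, so a world-writable directory whose name contains a space is reported as unrelated fragments; `find -print` already emits one path per line, so the substitution is not needed to separate entries. `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` keeps each path intact and removes the sed call, and with it the need for the disable directive. The final `tr '\n' ' '` still joins entries with a space, which is acceptable only because this is a human-readable report. The audit function continues outside the hunk.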
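@@ -67,6 +67,7 @@ apply() {
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
+# shellcheck disable=SC2001
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else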
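Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` passes `-ie`, which GNU sed reads as `-i` with backup suffix `e`, so every run leaves an unmanaged copy of the pre-edit configuration as `${FILE}e` next to the real file; the intended form is `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The escaping on the previous line only covers `|`, `(` and `)`, so a PATTERN containing `.`, `*`, `[` or `/` is still interpreted by sed, which deserves a comment such as `# PATTERN is used as a sed regex; only |() are escaped here`. `<<<$PATTERN`, `backup_file $FILE` and the trailing `$FILE` should also be quoted for consistency with the rest of this commit. The apply function continues outside the hunk.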
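@@ -31,6 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+# shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
@@ -55,6 +56,7 @@ apply() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+# shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file "$FILE" "$PATTERN"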
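Review bot: `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` is not anchored on the right, so a directive whose value merely starts with the expected text (for example `MaxAuthTries 40` against an expected `4`) satisfies the audit and the apply branch leaves it in place. Assuming the helper uses extended regexes, as the `[[:space:]]+` passed to it elsewhere in this commit suggests, `PATTERN="^${SSH_PARAM}[[:space:]]+${SSH_VALUE}([[:space:]]|$)"` pins the whole value and also stops a value glued to the keyword from matching. `cut -d= -f 2` additionally truncates any option value that itself contains `=`; `-f 2-` keeps the remainder. Both for loops continue outside the hunk.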
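@@ -24,6 +24,7 @@ audit() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+# shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
@@ -38,6 +39,7 @@ apply() {
 if $SUDO_CMD [ ! -r $CONF_FILE ]; then
 crit "$CONF_FILE is not readable"
 else
+# shellcheck disable=SC2001
 does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"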
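Review bot: `$CONF_FILE` is unquoted both in the `$SUDO_CMD [ ! -r $CONF_FILE ]` test and in the `does_pattern_exist_in_file $CONF_FILE ...` call, unlike `"$FILE"` elsewhere in this commit; a path with whitespace or glob characters would be split before the test runs. Quoting it, `does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"`, is enough. CONF_LINE is also inserted into the regex without escaping, which is fine for plain `key value` lines but worth stating: `# CONF_LINE is used as an ERE; keep it free of regex metacharacters`. Both functions continue outside the hunk.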
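@@ -38,6 +38,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+# shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"
@@ -65,6 +66,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+# shellcheck disable=SC2001
 RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
 else
 debug "$ACCOUNT not found in exceptions"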
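Review bot: `grep -q "$ACCOUNT"` on the exception check is a substring match, so an account whose name is contained in an excepted name (for instance `back` against an exception `backup`) is silently treated as an exception; another hunk in this commit already uses `grep -qw "$ACCOUNT"` for the same test and this one should match it. The `RESULT=$(sed "s!$LINE!!" <<<"$RESULT")` line inserts `$LINE` into a sed regex unescaped, so a `!` or a regex metacharacter in it either breaks the expression or widens the deletion. If RESULT holds one entry per line, `RESULT=$(grep -vxF -- "$LINE" <<<"$RESULT" || true)` removes exactly that entry with no regex interpretation. Both functions continue outside the hunk.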
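@@ -24,6 +24,7 @@ audit() {
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else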
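Review bot: As in the directory check, `sed "s/ /\n/g"` splits the `find -print` output on spaces and therefore mangles any world-writable file whose path contains one, which is plausible for files dropped into shared directories; `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` keeps each path whole since find already separates entries by newline. The here-string `<<<$RESULT` is unquoted here while the sibling hunks quote it; here-strings do not word-split, so this is harmless, but quoting keeps the blocks consistent. The audit function continues outside the hunk.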
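@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some unowned files are present"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else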
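Review bot: The `sed "s/ /\n/g"` on the FORMATTED_RESULT line breaks any unowned file path containing a space into separate fragments in the report, so the operator cannot locate the file from the output. If RESULT is newline-separated as the other find-based checks in this commit are (its construction is outside the hunk), `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` preserves paths and drops the sed call. The audit function continues outside the hunk.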
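@@ -31,6 +31,7 @@ audit() {
 fi
 if [ -n "$RESULT" ]; then
 crit "Some ungrouped files are present"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else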
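Review bot: The `sed "s/ /\n/g"` on the FORMATTED_RESULT line splits ungrouped file paths on spaces, so a path with a space is reported as fragments that do not exist on disk. If RESULT is newline-separated as in the sibling find-based checks (its construction is outside the hunk), `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` keeps each path intact. The audit function continues outside the hunk.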
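@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some suid files are present"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else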
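Review bot: `sed "s/ /\n/g"` on the FORMATTED_RESULT line assumes BAD_BINARIES is space-joined; the loop that builds it ends at the `done` above but starts outside the hunk, so whether it is space- or newline-separated cannot be confirmed here. Either way a setuid binary whose path contains a space is reported as fragments, and an unexpected setuid file is exactly the finding an operator needs to locate precisely. If the loop appends with newlines, `FORMATTED_RESULT=$(sort -u <<<"$BAD_BINARIES" | tr '\n' ' ')` is the safe form; a comment on the accumulator such as `# BAD_BINARIES: one path per line` would settle the format. The audit function continues outside the hunk.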
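@@ -38,6 +38,7 @@ audit() {
 done
 if [ -n "$BAD_BINARIES" ]; then
 crit "Some sgid files are present"
+# shellcheck disable=SC2001
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else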
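Review bot: As in the setuid check, `sed "s/ /\n/g"` on the FORMATTED_RESULT line splits BAD_BINARIES on spaces, so a setgid binary whose path contains a space is reported as fragments; the loop that fills BAD_BINARIES starts outside the hunk, so its separator cannot be confirmed here. If entries are newline-separated, `FORMATTED_RESULT=$(sort -u <<<"$BAD_BINARIES" | tr '\n' ' ')` preserves paths and removes the sed call. The audit function continues outside the hunk.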
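@@ -34,6 +34,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
 if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
 debug "$ACCOUNT is confirmed as an exception"
+# shellcheck disable=SC2001
 RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
 FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
 else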
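Review bot: `RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")` removes the first occurrence of the account name from every line of RESULT rather than the entry for that account, so an excepted `root` also turns a reported `nonroot` into `non`, and a `!` or regex metacharacter in the name breaks the expression. If RESULT holds one account per line, `RESULT=$(grep -vxF -- "$ACCOUNT" <<<"$RESULT" || true)` drops exactly that entry. The exception test above it correctly uses `-w`, which the other exception hunks in this commit do not; aligning them would be worthwhile. The audit function continues outside the hunk.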
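@@ -27,6 +27,7 @@ audit() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+# shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"
@@ -66,6 +67,7 @@ apply() {
 debug "echo \"$EXCEPTIONS\" | grep -q $dir"
 if echo "$EXCEPTIONS" | grep -q "$dir"; then
 debug "$dir is confirmed as an exception"
+# shellcheck disable=SC2001
 RESULT=$(sed "s!$dir!!" <<<"$RESULT")
 else
 debug "$dir not found in exceptions"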
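Review bot: `grep -q "$dir"` is a substring test, so a directory whose path is a prefix of an excepted one (`/srv/data` against an exception `/srv/data-old`) is wrongly accepted, and `-w` would not help because `/` is not a word character. If EXCEPTIONS is a whitespace-separated list, `tr ' ' '\n' <<<"$EXCEPTIONS" | grep -qxF -- "$dir"` compares whole entries. The `sed "s!$dir!!"` line has the same substring problem and inserts the path into a regex unescaped; `RESULT=$(grep -vxF -- "$dir" <<<"$RESULT" || true)` is the exact-entry equivalent if RESULT is one path per line. Both functions continue outside the hunk.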
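@@ -77,6 +77,7 @@ apply() {
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
+# shellcheck disable=SC2001
 SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else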
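Review bot: `sed 's/\\s+/ /'` on the SSH_VALUE line has no `g` flag, so only the first `\s+` in the value is turned back into a space before the line is appended; if a value carries more than one (a multi-token directive), a literal `\s+` ends up in the configuration file. `SSH_VALUE=$(sed 's/\\s+/ /g' <<<"$SSH_VALUE")` converts them all, and a comment such as `# SSH_VALUE is a regex fragment; turn \s+ back into spaces before writing it` would explain why the step exists at all. `$FILE` is unquoted in both the check and the `add_end_of_file` call. The apply function continues outside the hunk.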
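@@ -41,6 +41,7 @@ check_ip() {
 ok_ips_allowed=""
 bad_ips=""
 for ip in $ips; do
+# shellcheck disable=SC2001
 ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
 if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
 debug "Line $linum of $file allows access from exused IP (${ip})."
@@ -50,7 +51,9 @@ check_ip() {
 bad_ips+="$ip "
 fi
 done
+# shellcheck disable=SC2001
 ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
+# shellcheck disable=SC2001
 bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
 if [[ -z $bad_ips ]]; then
 if [[ -n $ok_ips ]]; then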
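Review bot: The two `sed 's/ $//'` lines in the second hunk strip a single trailing space from strings the function itself builds with `+="$ip "`, which is precisely the simple case SC2001 targets; `ok_ips=${ok_ips_allowed% }` and `bad_ips=${bad_ips% }` are exact equivalents, so the disable directives are not needed there and the commit's rationale about error-prone replacement does not apply to them. In the first hunk the dot escaping for `grep -qw` is right, but a short comment would help the next reader: `# escape dots so the IP is matched literally, -w keeps 10.0.0.1 from matching 10.0.0.10`. The check_ip function continues outside the hunks.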
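@@ -52,6 +52,7 @@ apply() {
 else
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
+# shellcheck disable=SC2001
 PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
 if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$PATTERN"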
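Review bot: `does_pattern_exist_in_file_nocase $FILE "^$PATTERN"` prefixes `^` to a PATTERN that, judging by the `sed 's/\^//'` on the next line, already carries its own anchor; with a basic regex that yields `^^...` and never matches, with an extended one it is merely redundant, so passing `"$PATTERN"` when it is already anchored would be safer (the helper's flavour cannot be confirmed from the hunk). The unescaping pipeline removes only the first `\s*` (no `g`) while `\s+` is replaced globally; using `g` on both keeps the rewritten line complete when the pattern contains several. `$FILE` is unquoted in both the check and `add_end_of_file`. The apply function continues outside the hunk.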
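@@ -177,6 +177,7 @@ add_line_file_before_pattern() {
 
 backup_file "$FILE"
 debug "Inserting $LINE before $PATTERN in $FILE"
+# shellcheck disable=SC2001
 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
 debug "sed -i '/$PATTERN/i $LINE' $FILE"
 sed -i "/$PATTERN/i $LINE" "$FILE"
@@ -190,6 +191,7 @@ replace_in_file() {
 
 backup_file "$FILE"
 debug "Replacing $SOURCE to $DESTINATION in $FILE"
+# shellcheck disable=SC2001
 SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
 debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
 sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
@@ -202,6 +204,7 @@ delete_line_in_file() {
 
 backup_file "$FILE"
 debug "Deleting lines from $FILE containing $PATTERN"
+# shellcheck disable=SC2001
 PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
 debug "sed -i '/$PATTERN/d' $FILE"
 sed -i "/$PATTERN/d" "$FILE"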
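Review bot: replace_in_file escapes `/` in SOURCE but leaves DESTINATION untouched, so a replacement value containing `/` (a path, for instance) breaks the `sed -i "s/$SOURCE/$DESTINATION/g"` expression, and an `&` in it is expanded to the matched text instead of being written literally; `DESTINATION=$(sed 's@[/&]@\\&@g' <<<"$DESTINATION")` before the call covers both. The same applies to `$LINE` in `sed -i "/$PATTERN/i $LINE"`, where the `i` command interprets backslashes and strips leading whitespace from the inserted text. Since only `/` is escaped, SOURCE and PATTERN remain regular expressions in all three helpers, which a one-line header comment on each, such as `# PATTERN is a sed regex; only '/' is escaped here`, should state so callers do not pass literal paths. All three functions start outside the hunks.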