IMP(shellcheck): disable sed replacement (SC2001)

Shellcheck recommends replacing sed with shell expansions in 'simple' cases.
However, the replacement here is likely to lead to errors, so we disable this rule.
Moreover, it doesn't really add readability.
This commit is contained in:
Thibault Ayanides 2020-12-10 08:34:57 +01:00
parent 36528b55e0
commit b9e129d8fe
18 changed files with 26 additions and 1 deletions


@ -233,6 +233,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ "${#TEST_LIST[@]}" -gt 0 ]; then if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
# shellcheck disable=SC2001
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
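Review bot: The `grep -qwE "(^| )$SCRIPT_PREFIX_RE"` test on the new side has no right-hand anchor, so a longer requested prefix also selects shorter scripts: with `--only 1.1.1.1`, a script whose prefix is `1.1.1` is selected as well, because `-w` accepts the `.` that follows the match, which looks unintended. An exact token test needs no regex escaping at all and retires the sed line together with its SC2001 exemption: `if [[ " ${TEST_LIST[*]} " != *" $SCRIPT_PREFIX "* ]]; then`. I am inferring that TEST_LIST holds bare prefixes from the `--only X` comment; the enclosing `for SCRIPT` loop starts before this hunk.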


@ -24,6 +24,7 @@ audit() {
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
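Review bot: `sed "s/ /\n/g"` on the new side splits `$RESULT` on spaces, but `$RESULT` comes from `find -print` two lines up, which already emits one path per line, so a world-writable directory whose path contains a space is reported as fragments that `sort | uniq` then count as separate entries. Dropping the sed keeps every path intact and removes the need for the exemption: `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')`. The trailing `tr` still joins with spaces for display, so the crit line remains ambiguous for such names, but the audit output is no longer lossy. audit() starts before this hunk.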


@ -67,6 +67,7 @@ apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
# shellcheck disable=SC2001
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
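Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` on the new side is parsed by GNU sed as `-i` with backup suffix `e`, not as `-i -e`, so each time this branch runs it leaves a copy of the config behind as `${FILE}e` (for `/etc/foo.conf` that is `/etc/foo.confe`) in addition to the backup that `backup_file` already made. Split the options and quote the path: `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. Note also that the sed on `ESCAPED_PATTERN` prefixes `|`, `(` and `)` with a backslash, which in GNU BRE turns them into operators, so this is an ERE-to-BRE conversion rather than the escaping the variable name suggests; a one-line comment saying so would spare the next reader the same double-take. apply() starts before this hunk.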


@ -31,6 +31,7 @@ audit() {
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
@ -55,6 +56,7 @@ apply() {
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001
SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE") SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file "$FILE" "$PATTERN" does_pattern_exist_in_file "$FILE" "$PATTERN"
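Review bot: `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` on the new side has no right-hand boundary, so a value that is a prefix of what is configured passes the audit: with `MaxAuthTries=4` the pattern also matches `MaxAuthTries 40`. Anchoring the value end, `PATTERN="^${SSH_PARAM}[[:space:]]+${SSH_VALUE}([[:space:]]|$)"`, closes that; this assumes does_pattern_exist_in_file uses extended regex, which the `[[:space:]]+` another file in this commit passes to it suggests but I cannot confirm from here. The quote stripping itself is one of the simple cases the commit message mentions: `SSH_VALUE=${SSH_VALUE//\'/}` needs neither sed nor the exemption. audit() and apply() both start before their hunks.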


@ -24,6 +24,7 @@ audit() {
if $SUDO_CMD [ ! -r $CONF_FILE ]; then if $SUDO_CMD [ ! -r $CONF_FILE ]; then
crit "$CONF_FILE is not readable" crit "$CONF_FILE is not readable"
else else
# shellcheck disable=SC2001
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")" does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$CONF_LINE is present in $CONF_FILE" ok "$CONF_LINE is present in $CONF_FILE"
@ -38,6 +39,7 @@ apply() {
if $SUDO_CMD [ ! -r $CONF_FILE ]; then if $SUDO_CMD [ ! -r $CONF_FILE ]; then
crit "$CONF_FILE is not readable" crit "$CONF_FILE is not readable"
else else
# shellcheck disable=SC2001
does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")" does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$CONF_LINE is present in $CONF_FILE" ok "$CONF_LINE is present in $CONF_FILE"
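Review bot: The pattern built on the new side, `$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")`, is not anchored to the line start, so unless does_pattern_exist_in_file prepends `^` itself (not visible here) a commented-out copy of the setting satisfies the audit, and the apply branch then skips adding the real one. Prefixing the anchor is a one-token change in both hunks: `does_pattern_exist_in_file "$CONF_FILE" "^$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"`. Any `.` or `[` inside `$CONF_LINE` is also left live as a regex metacharacter; if that is accepted, a comment on the line should say so. audit() and apply() both start before their hunks.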


@ -38,6 +38,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception" debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT") RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$ACCOUNT not found in exceptions" debug "$ACCOUNT not found in exceptions"
@ -65,6 +66,7 @@ apply() {
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception" debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT") RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else else
debug "$ACCOUNT not found in exceptions" debug "$ACCOUNT not found in exceptions"
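Review bot: `grep -q "$ACCOUNT"` on the new side is an unanchored substring test, so an exception such as `sys` also whitelists `syslog` and `ntp` whitelists `ntpsec`; the sibling file in this same commit does the equivalent check with `grep -qw`. Aligning both hunks here on that form, `if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then` (and the debug line next to it), closes the gap. The following `sed "s!$LINE!!"` also interpolates `$LINE` as a regex with `!` as delimiter, so a line carrying `!` or regex metacharacters would break or mismatch the substitution; if such lines cannot occur, a comment saying why would help. audit() and apply() start before their hunks.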


@ -24,6 +24,7 @@ audit() {
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable files are present" crit "Some world writable files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
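Review bot: `sed "s/ /\n/g"` on the new side splits `$RESULT` on spaces although the `find -print` above already yields one path per line, so a world-writable file whose path contains a space is reported as fragments that `sort | uniq` count separately. `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` keeps paths intact and removes the need for the exemption; it also quotes the here-string, which the directory check in this same commit does and this line does not (harmless for `<<<`, but inconsistent). audit() starts before this hunk.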


@ -31,6 +31,7 @@ audit() {
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some unowned files are present" crit "Some unowned files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
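Review bot: `sed "s/ /\n/g"` on the new side splits `$RESULT` on spaces, so an unowned file whose path contains a space is reported as fragments; if `$RESULT` is a `find` listing like the sibling checks in this commit (its construction is above the hunk, so I cannot confirm), the paths are already newline-separated and `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` is both correct and exemption-free. `sort | uniq` is `sort -u` in any case, and the here-string is unquoted here while the sibling checks quote it. audit() starts before this hunk.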


@ -31,6 +31,7 @@ audit() {
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present" crit "Some ungrouped files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
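Review bot: `sed "s/ /\n/g"` on the new side splits `$RESULT` on spaces, so an ungrouped file whose path contains a space is reported as fragments; if `$RESULT` is a `find` listing like the sibling checks in this commit (its construction is above the hunk), the entries are already one per line and `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')` preserves them without the exemption. `sort | uniq` is `sort -u` either way. audit() starts before this hunk.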


@ -38,6 +38,7 @@ audit() {
done done
if [ -n "$BAD_BINARIES" ]; then if [ -n "$BAD_BINARIES" ]; then
crit "Some suid files are present" crit "Some suid files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
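Review bot: `sed "s/ /\n/g"` on the new side splits `$BAD_BINARIES` on spaces, so a setuid binary whose path contains a space is reported as separate fragments; if the loop above (outside this hunk) joins entries with spaces that cannot be fixed here without switching the accumulator to one entry per line, after which `FORMATTED_RESULT=$(sort -u <<<"$BAD_BINARIES" | tr '\n' ' ')` would suffice. `sort | uniq` is `sort -u` in any case. Since the loop is not visible, a comment on this line naming the delimiter `$BAD_BINARIES` uses would make the sed's purpose explicit. audit() starts before this hunk.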


@ -38,6 +38,7 @@ audit() {
done done
if [ -n "$BAD_BINARIES" ]; then if [ -n "$BAD_BINARIES" ]; then
crit "Some sgid files are present" crit "Some sgid files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
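Review bot: `sed "s/ /\n/g"` on the new side splits `$BAD_BINARIES` on spaces, so a setgid binary whose path contains a space is reported as separate fragments; whether the loop above (outside this hunk) joins entries with spaces or newlines decides if the sed is needed at all, and if it is newline-joined `FORMATTED_RESULT=$(sort -u <<<"$BAD_BINARIES" | tr '\n' ' ')` is enough. `sort | uniq` is `sort -u` either way. A comment on this line naming the delimiter `$BAD_BINARIES` uses would make the intent explicit. audit() starts before this hunk.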


@ -51,7 +51,7 @@ apply() {
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ") FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
warn "Group Write permission set on FILE $FILE" warn "Group Write permission set on FILE $FILE"
chmod g-w "$FILE" chmod g-w "$FILE"
fi fi
if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
warn "Other Write permission set on FILE $FILE" warn "Other Write permission set on FILE $FILE"


@ -34,6 +34,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT" debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception" debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT") RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")
FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT" FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
else else
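Review bot: After `grep -qw` has confirmed `$ACCOUNT` as a whole-word exception, `sed "s!$ACCOUNT!!"` on the new side deletes the first bare substring match instead, so for an exception `sys` the removal can hit `syslog` earlier in `$RESULT`, leaving `log` in the report and the real `sys` entry still flagged. Applying the same word boundary in the sed keeps the two steps consistent: `RESULT=$(sed "s!\b$ACCOUNT\b!!" <<<"$RESULT")` (GNU sed `\b`). How `$RESULT` is delimited is not visible here; if it is one account per line, `RESULT=$(sed "/^$ACCOUNT\$/d" <<<"$RESULT")` would be cleaner still. audit() starts before this hunk.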


@ -27,6 +27,7 @@ audit() {
debug "echo \"$EXCEPTIONS\" | grep -q $dir" debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q "$dir"; then if echo "$EXCEPTIONS" | grep -q "$dir"; then
debug "$dir is confirmed as an exception" debug "$dir is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$dir!!" <<<"$RESULT") RESULT=$(sed "s!$dir!!" <<<"$RESULT")
else else
debug "$dir not found in exceptions" debug "$dir not found in exceptions"
@ -66,6 +67,7 @@ apply() {
debug "echo \"$EXCEPTIONS\" | grep -q $dir" debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q "$dir"; then if echo "$EXCEPTIONS" | grep -q "$dir"; then
debug "$dir is confirmed as an exception" debug "$dir is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$dir!!" <<<"$RESULT") RESULT=$(sed "s!$dir!!" <<<"$RESULT")
else else
debug "$dir not found in exceptions" debug "$dir not found in exceptions"
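Review bot: `grep -q "$dir"` on the new side is an unanchored substring test, so with `/tmp` as the candidate and `/var/tmp` listed in `$EXCEPTIONS`, `/tmp` is wrongly accepted as an exception, and `sed "s!$dir!!"` then strips it from the first match in `$RESULT`, wherever that is. If `$EXCEPTIONS` is space-separated, as the `FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"` convention elsewhere in this commit suggests, an exact entry test fixes both hunks: `if tr ' ' '\n' <<<"$EXCEPTIONS" | grep -qxF -- "$dir"; then`. Any `.` in `$dir` is also a live metacharacter in the sed; worth a comment if that is accepted. audit() and apply() start before their hunks.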


@ -77,6 +77,7 @@ apply() {
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
# shellcheck disable=SC2001
SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE") SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
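Review bot: `sed 's/\\s+/ /'` on the new side has no `g` flag, so only the first `\s+` in `$SSH_VALUE` becomes a space before the line is written; the same conversion in another file of this commit uses `sed -r 's/\\s\+/ /g'`. Whether a value ever carries two `\s+` tokens is not visible here, but `SSH_VALUE=$(sed 's/\\s+/ /g' <<<"$SSH_VALUE")` costs nothing and matches the sibling. apply() starts before this hunk, and `$FILE` on the add_end_of_file line is unquoted.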


@ -41,6 +41,7 @@ check_ip() {
ok_ips_allowed="" ok_ips_allowed=""
bad_ips="" bad_ips=""
for ip in $ips; do for ip in $ips; do
# shellcheck disable=SC2001
ip_escaped=$(sed 's/\./\\./g' <<<"$ip") ip_escaped=$(sed 's/\./\\./g' <<<"$ip")
if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then if grep -qw "$ip_escaped" <<<"$ALLOWED_IPS"; then
debug "Line $linum of $file allows access from exused IP (${ip})." debug "Line $linum of $file allows access from exused IP (${ip})."
@ -50,7 +51,9 @@ check_ip() {
bad_ips+="$ip " bad_ips+="$ip "
fi fi
done done
# shellcheck disable=SC2001
ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}") ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
# shellcheck disable=SC2001
bad_ips=$(sed 's/ $//' <<<"${bad_ips}") bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
if [[ -z $bad_ips ]]; then if [[ -z $bad_ips ]]; then
if [[ -n $ok_ips ]]; then if [[ -n $ok_ips ]]; then
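Review bot: The three sed calls on the new side are exactly the 'simple' cases SC2001 targets and carry none of the escaping risk the commit message cites, so the exemptions could be removed rather than added. `grep -qwF -- "$ip" <<<"$ALLOWED_IPS"` matches the address as a fixed string and makes `ip_escaped` and its sed unnecessary, and the two trailing-space trims are `ok_ips=${ok_ips_allowed% }` and `bad_ips=${bad_ips% }`. `-w` is unaffected by `-F`, so `10.0.0.1` still does not match `10.0.0.10`. check_ip() starts before this hunk.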


@ -52,6 +52,7 @@ apply() {
else else
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file_nocase $FILE "^$PATTERN" does_pattern_exist_in_file_nocase $FILE "^$PATTERN"
# shellcheck disable=SC2001
PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g') PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g')
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
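Review bot: The second stage of the sed chain on the new side, `sed -r 's/\\s\*//'`, deletes a `\s*` token outright instead of replacing it with a space, so a PATTERN that uses `\s*` as its only separator would be written to `$FILE` with key and value fused, while `\s+` on the next stage does get a space. Whether any PATTERN in this file relies on `\s*` that way is not visible here, so either confirm none does or make the stage symmetric with the next one: `sed -r 's/\\s\*/ /g'`. The first two stages also lack `g`, which is fine only while `^` and `\s*` occur at most once per pattern. apply() starts before this hunk, and `$FILE` is unquoted on both calls.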


@ -177,6 +177,7 @@ add_line_file_before_pattern() {
backup_file "$FILE" backup_file "$FILE"
debug "Inserting $LINE before $PATTERN in $FILE" debug "Inserting $LINE before $PATTERN in $FILE"
# shellcheck disable=SC2001
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/i $LINE' $FILE" debug "sed -i '/$PATTERN/i $LINE' $FILE"
sed -i "/$PATTERN/i $LINE" "$FILE" sed -i "/$PATTERN/i $LINE" "$FILE"
@ -190,6 +191,7 @@ replace_in_file() {
backup_file "$FILE" backup_file "$FILE"
debug "Replacing $SOURCE to $DESTINATION in $FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE"
# shellcheck disable=SC2001
SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE") SOURCE=$(sed 's@/@\\\/@g' <<<"$SOURCE")
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
sed -i "s/$SOURCE/$DESTINATION/g" "$FILE" sed -i "s/$SOURCE/$DESTINATION/g" "$FILE"
@ -202,6 +204,7 @@ delete_line_in_file() {
backup_file "$FILE" backup_file "$FILE"
debug "Deleting lines from $FILE containing $PATTERN" debug "Deleting lines from $FILE containing $PATTERN"
# shellcheck disable=SC2001
PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN") PATTERN=$(sed 's@/@\\\/@g' <<<"$PATTERN")
debug "sed -i '/$PATTERN/d' $FILE" debug "sed -i '/$PATTERN/d' $FILE"
sed -i "/$PATTERN/d" "$FILE" sed -i "/$PATTERN/d" "$FILE"
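Review bot: In replace_in_file, `$SOURCE` is escaped for `/` on the new side but `$DESTINATION` is interpolated raw into `sed -i "s/$SOURCE/$DESTINATION/g"`, so a replacement containing `/` terminates the s command early (sed errors out and the file is left as it was after the backup), and `&` or `\1` in it is expanded by sed rather than written literally. Escaping the replacement side the same way closes that: `DESTINATION=$(sed 's/[\/&\\]/\\&/g' <<<"$DESTINATION")`. The `i` command in add_line_file_before_pattern likewise consumes backslashes in `$LINE` and strips its leading whitespace, which is worth a comment if callers never pass such text. All three functions start before their hunks.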