From c17d04ecc26a25c4c9dd2a4f64f815b164849cb2 Mon Sep 17 00:00:00 2001 
From: Thibault Ayanides Date: Fri, 27 Nov 2020 09:18:00 +0100 Subject: [PATCH] IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) --- bin/hardening/1.1.1.1_disable_freevxfs.sh | 4 ++++ bin/hardening/1.1.1.2_disable_jffs2.sh | 4 ++++ bin/hardening/1.1.1.3_disable_hfs.sh | 4 ++++ bin/hardening/1.1.1.4_disable_hfsplus.sh | 4 ++++ bin/hardening/1.1.1.5_disable_udf.sh | 4 ++++ bin/hardening/1.1.1.6_disable_cramfs.sh | 4 ++++ bin/hardening/1.1.1.7_disable_squashfs.sh | 4 ++++ bin/hardening/1.1.10_var_tmp_noexec.sh | 4 ++++ bin/hardening/1.1.11_var_log_partition.sh | 4 ++++ bin/hardening/1.1.12_var_log_audit_partition.sh | 4 ++++ bin/hardening/1.1.13_home_partition.sh | 4 ++++ bin/hardening/1.1.14_home_nodev.sh | 4 ++++ bin/hardening/1.1.15_run_shm_nodev.sh | 5 +++-- bin/hardening/1.1.16_run_shm_nosuid.sh | 5 +++-- bin/hardening/1.1.17_run_shm_noexec.sh | 5 +++-- bin/hardening/1.1.18_removable_device_nodev.sh | 4 ++++ bin/hardening/1.1.19_removable_device_nosuid.sh | 4 ++++ bin/hardening/1.1.20_removable_device_noexec.sh | 4 ++++ .../1.1.21_sticky_bit_world_writable_folder.sh | 4 ++++ bin/hardening/1.1.22_disable_automounting.sh | 4 ++++ bin/hardening/1.1.2_tmp_partition.sh | 4 ++++ bin/hardening/1.1.3_tmp_nodev.sh | 4 ++++ bin/hardening/1.1.4_tmp_nosuid.sh | 4 ++++ bin/hardening/1.1.5_tmp_noexec.sh | 4 ++++ bin/hardening/1.1.6_var_partition.sh | 4 ++++ bin/hardening/1.1.7_var_tmp_partition.sh | 4 ++++ bin/hardening/1.1.8_var_tmp_nodev.sh | 4 ++++ bin/hardening/1.1.9_var_tmp_nosuid.sh | 4 ++++ bin/hardening/1.4.1_bootloader_ownership.sh | 4 ++++ bin/hardening/1.4.2_bootloader_password.sh | 4 ++++ bin/hardening/1.4.3_root_password.sh | 4 ++++ bin/hardening/1.5.1_restrict_core_dumps.sh | 4 ++++ bin/hardening/1.5.2_enable_nx_support.sh | 4 ++++ .../1.5.3_enable_randomized_vm_placement.sh | 4 ++++ bin/hardening/1.5.4_disable_prelink.sh | 4 ++++ 
bin/hardening/1.6.2.1_enable_apparmor.sh | 4 ++++ bin/hardening/1.7.1.1_remove_os_info_motd.sh | 4 ++++ bin/hardening/1.7.1.2_remove_os_info_issue.sh | 4 ++++ bin/hardening/1.7.1.3_remove_os_info_issue_net.sh | 4 ++++ bin/hardening/1.7.1.4_motd_perms.sh | 4 ++++ bin/hardening/1.7.1.5_etc_issue_perms.sh | 4 ++++ bin/hardening/1.7.1.6_etc_issue_net_perms.sh | 4 ++++ bin/hardening/1.7.2_graphical_warning_banners.sh | 4 ++++ bin/hardening/1.8_install_updates.sh | 4 ++++ bin/hardening/2.1.1_disable_xinetd.sh | 4 ++++ bin/hardening/2.1.2_disable_bsd_inetd.sh | 4 ++++ bin/hardening/2.2.1.1_use_time_sync.sh | 14 ++++++++++++-- bin/hardening/2.2.1.2_configure_ntp.sh | 5 +++++ bin/hardening/2.2.1.3_configure_chrony.sh | 5 +++++ bin/hardening/2.2.10_disable_http_server.sh | 5 +++++ bin/hardening/2.2.11_disable_imap_pop.sh | 5 +++++ bin/hardening/2.2.12_disable_samba.sh | 5 +++++ bin/hardening/2.2.13_disable_http_proxy.sh | 5 +++++ bin/hardening/2.2.14_disable_snmp_server.sh | 5 +++++ bin/hardening/2.2.15_mta_localhost.sh | 5 +++++ bin/hardening/2.2.16_disable_rsync.sh | 5 +++++ bin/hardening/2.2.18_disable_telnet_server.sh | 4 ++++ bin/hardening/2.2.2_disable_xwindow_system.sh | 5 +++++ bin/hardening/2.2.3_disable_avahi_server.sh | 4 ++++ bin/hardening/2.2.4_disable_print_server.sh | 5 +++++ bin/hardening/2.2.5_disable_dhcp.sh | 5 +++++ bin/hardening/2.2.6_disable_ldap.sh | 5 +++++ bin/hardening/2.2.7_disable_nfs_rpc.sh | 5 +++++ bin/hardening/2.2.8_disable_dns_server.sh | 5 +++++ bin/hardening/2.2.9_disable_ftp.sh | 5 +++++ bin/hardening/2.3.1_disable_nis.sh | 4 ++++ bin/hardening/2.3.2_disable_rsh_client.sh | 4 ++++ bin/hardening/2.3.3_disable_talk_client.sh | 4 ++++ bin/hardening/2.3.4_disable_telnet_client.sh | 4 ++++ bin/hardening/2.3.5_disable_ldap_client.sh | 4 ++++ bin/hardening/3.1.1_disable_ip_forwarding.sh | 4 ++++ .../3.1.2_disable_send_packet_redirects.sh | 4 ++++ .../3.2.1_disable_source_routed_packets.sh | 4 ++++ bin/hardening/3.2.2_disable_icmp_redirect.sh | 4 
++++ .../3.2.3_disable_secure_icmp_redirect.sh | 4 ++++ bin/hardening/3.2.4_log_martian_packets.sh | 4 ++++ bin/hardening/3.2.5_ignore_broadcast_requests.sh | 4 ++++ .../3.2.6_enable_bad_error_message_protection.sh | 4 ++++ .../3.2.7_enable_source_route_validation.sh | 4 ++++ bin/hardening/3.2.8_enable_tcp_syn_cookies.sh | 4 ++++ .../3.2.9_disable_ipv6_router_advertisement.sh | 4 ++++ bin/hardening/3.3.1_install_tcp_wrapper.sh | 4 ++++ bin/hardening/3.3.2_hosts_allow.sh | 4 ++++ bin/hardening/3.3.3_hosts_deny.sh | 4 ++++ bin/hardening/3.3.4_hosts_allow_permissions.sh | 4 ++++ bin/hardening/3.3.5_hosts_deny_permissions.sh | 4 ++++ bin/hardening/3.4.1_disable_dccp.sh | 4 ++++ bin/hardening/3.4.2_disable_sctp.sh | 4 ++++ bin/hardening/3.4.3_disable_rds.sh | 4 ++++ bin/hardening/3.4.4_disable_tipc.sh | 4 ++++ .../3.5.1.1_net_fw_default_policy_drop.sh | 5 +++-- bin/hardening/3.5_enable_firewall.sh | 4 ++++ bin/hardening/3.6_disable_wireless.sh | 5 +++++ bin/hardening/3.7_disable_ipv6.sh | 4 ++++ bin/hardening/4.1.1.1_audit_log_storage.sh | 4 ++++ bin/hardening/4.1.1.2_halt_when_audit_log_full.sh | 4 ++++ bin/hardening/4.1.1.3_keep_all_audit_logs.sh | 4 ++++ bin/hardening/4.1.10_record_dac_edit.sh | 4 ++++ bin/hardening/4.1.11_record_failed_access_file.sh | 4 ++++ bin/hardening/4.1.12_record_privileged_commands.sh | 4 ++++ bin/hardening/4.1.13_record_successful_mount.sh | 4 ++++ bin/hardening/4.1.14_record_file_deletions.sh | 4 ++++ bin/hardening/4.1.15_record_sudoers_edit.sh | 4 ++++ bin/hardening/4.1.16_record_sudo_usage.sh | 4 ++++ bin/hardening/4.1.17_record_kernel_modules.sh | 4 ++++ bin/hardening/4.1.18_freeze_auditd_conf.sh | 4 ++++ bin/hardening/4.1.2_enable_auditd.sh | 4 ++++ bin/hardening/4.1.3_audit_bootloader.sh | 4 ++++ bin/hardening/4.1.4_record_date_time_edit.sh | 4 ++++ bin/hardening/4.1.5_record_user_group_edit.sh | 4 ++++ bin/hardening/4.1.6_record_network_edit.sh | 4 ++++ bin/hardening/4.1.7_record_mac_edit.sh | 4 ++++ 
bin/hardening/4.1.8_record_login_logout.sh | 4 ++++ bin/hardening/4.1.9_record_session_init.sh | 4 ++++ bin/hardening/4.2.2.1_enable_syslog-ng.sh | 4 ++++ bin/hardening/4.2.2.2_configure_syslog-ng.sh | 4 ++++ bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh | 7 ++++--- bin/hardening/4.2.2.4_syslog-ng_remote_host.sh | 4 ++++ bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh | 4 ++++ bin/hardening/4.2.3_install_syslog-ng.sh | 4 ++++ bin/hardening/4.2.4_logs_permissions.sh | 4 ++++ bin/hardening/4.3_configure_logrotate.sh | 4 ++++ bin/hardening/5.1.1_enable_cron.sh | 4 ++++ bin/hardening/5.1.2_crontab_perm_ownership.sh | 4 ++++ bin/hardening/5.1.3_cron_hourly_perm_ownership.sh | 4 ++++ bin/hardening/5.1.4_cron_daily_perm_ownership.sh | 4 ++++ bin/hardening/5.1.5_cron_weekly_perm_ownership.sh | 4 ++++ bin/hardening/5.1.6_cron_monthly_perm_ownership.sh | 4 ++++ bin/hardening/5.1.7_cron_d_perm_ownership.sh | 4 ++++ bin/hardening/5.1.8_cron_users.sh | 4 ++++ bin/hardening/5.2.10_disable_root_login.sh | 4 ++++ .../5.2.11_disable_sshd_permitemptypasswords.sh | 4 ++++ bin/hardening/5.2.12_disable_sshd_setenv.sh | 4 ++++ bin/hardening/5.2.13_sshd_ciphers.sh | 4 ++++ bin/hardening/5.2.14_ssh_cry_mac.sh | 7 ++++--- bin/hardening/5.2.15_ssh_cry_kex.sh | 7 ++++--- bin/hardening/5.2.16_sshd_idle_timeout.sh | 4 ++++ bin/hardening/5.2.17_sshd_login_grace_time.sh | 4 ++++ bin/hardening/5.2.18_sshd_limit_access.sh | 4 ++++ bin/hardening/5.2.19_ssh_banner.sh | 4 ++++ bin/hardening/5.2.1_sshd_conf_perm_ownership.sh | 4 ++++ .../5.2.2_ssh_host_private_keys_perm_ownership.sh | 4 ++++ .../5.2.3_ssh_host_public_keys_perm_ownership.sh | 4 ++++ bin/hardening/5.2.4_sshd_protocol.sh | 4 ++++ bin/hardening/5.2.5_sshd_loglevel.sh | 7 ++++--- bin/hardening/5.2.6_disable_x11_forwarding.sh | 4 ++++ bin/hardening/5.2.7_sshd_maxauthtries.sh | 4 ++++ bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh | 4 ++++ .../5.2.9_disable_sshd_hostbasedauthentication.sh | 4 ++++ bin/hardening/5.3.1_enable_pwquality.sh | 
4 ++++ .../5.3.2_enable_lockout_failed_password.sh | 4 ++++ bin/hardening/5.3.3_limit_password_reuse.sh | 4 ++++ bin/hardening/5.3.4_acc_pam_sha512.sh | 7 ++++--- bin/hardening/5.4.1.1_set_password_exp_days.sh | 4 ++++ .../5.4.1.2_set_password_min_days_change.sh | 4 ++++ .../5.4.1.3_set_password_exp_warning_days.sh | 4 ++++ .../5.4.1.4_lock_inactive_user_account.sh | 4 ++++ bin/hardening/5.4.2_disable_system_accounts.sh | 4 ++++ bin/hardening/5.4.3_default_root_group.sh | 4 ++++ bin/hardening/5.4.4_default_umask.sh | 4 ++++ bin/hardening/5.5_secure_tty.sh | 4 ++++ bin/hardening/5.6_restrict_su.sh | 4 ++++ bin/hardening/6.1.10_find_world_writable_file.sh | 4 ++++ bin/hardening/6.1.11_find_unowned_files.sh | 4 ++++ bin/hardening/6.1.12_find_ungrouped_files.sh | 4 ++++ bin/hardening/6.1.13_find_suid_files.sh | 8 +++++--- bin/hardening/6.1.14_find_sgid_files.sh | 8 +++++--- bin/hardening/6.1.5_etc_passwd_permissions.sh | 4 ++++ bin/hardening/6.1.6_etc_shadow_permissions.sh | 4 ++++ bin/hardening/6.1.7_etc_group_permissions.sh | 4 ++++ bin/hardening/6.2.10_check_user_dot_file_perm.sh | 4 ++++ bin/hardening/6.2.11_find_user_forward_files.sh | 4 ++++ bin/hardening/6.2.12_find_user_netrc_files.sh | 4 ++++ bin/hardening/6.2.13_set_perm_on_user_netrc.sh | 4 ++++ bin/hardening/6.2.14_find_user_rhosts_files.sh | 4 ++++ .../6.2.15_find_passwd_group_inconsistencies.sh | 4 ++++ bin/hardening/6.2.16_check_duplicate_uid.sh | 7 ++++--- bin/hardening/6.2.17_check_duplicate_gid.sh | 7 ++++--- bin/hardening/6.2.18_check_duplicate_username.sh | 4 ++++ bin/hardening/6.2.19_check_duplicate_groupname.sh | 4 ++++ bin/hardening/6.2.1_remove_empty_password_field.sh | 4 ++++ bin/hardening/6.2.20_shadow_group_empty.sh | 4 ++++ .../6.2.2_remove_legacy_passwd_entries.sh | 4 ++++ .../6.2.3_remove_legacy_shadow_entries.sh | 4 ++++ bin/hardening/6.2.4_remove_legacy_group_entries.sh | 4 ++++ bin/hardening/6.2.5_find_0_uid_non_root_account.sh | 9 ++++++--- bin/hardening/6.2.6_sanitize_root_path.sh | 4 
++++ bin/hardening/6.2.7_users_valid_homedir.sh | 4 ++++ bin/hardening/6.2.8_check_user_dir_perm.sh | 4 ++++ bin/hardening/6.2.9_users_valid_homedir.sh | 4 ++++ bin/hardening/8.0_enable_auditd_kernel.sh | 4 ++++ bin/hardening/8.3.1_install_tripwire.sh | 4 ++++ bin/hardening/8.3.2_tripwire_cron.sh | 1 + bin/hardening/99.1_timeout_tty.sh | 7 ++++--- bin/hardening/99.2_disable_usb_devices.sh | 3 +++ bin/hardening/99.3.1_acc_shadow_sha512.sh | 7 ++++--- bin/hardening/99.3.2_acc_sudoers_no_all.sh | 7 ++++--- bin/hardening/99.3.4_acc_logindefs_sha512.sh | 7 ++++--- bin/hardening/99.5.1_ssh_auth_pubk_only.sh | 7 ++++--- bin/hardening/99.5.2.3_ssh_cry_rekey.sh | 7 ++++--- bin/hardening/99.5.3_ssh_disable_features.sh | 8 +++++--- bin/hardening/99.5.4_ssh_keys_from.sh | 7 ++++--- bin/hardening/99.5.5_ssh_strict_modes.sh | 7 ++++--- bin/hardening/99.5.6_ssh_sys_accept_env.sh | 7 ++++--- bin/hardening/99.5.7_ssh_sys_no_legacy.sh | 7 ++++--- bin/hardening/99.5.8_ssh_sys_sandbox.sh | 7 ++++--- bin/hardening/99.5.9_ssh_loglevel.sh | 7 ++++--- 207 files changed, 850 insertions(+), 79 deletions(-) diff --git a/bin/hardening/1.1.1.1_disable_freevxfs.sh b/bin/hardening/1.1.1.1_disable_freevxfs.sh index de18e20..c7c3677 100755 --- a/bin/hardening/1.1.1.1_disable_freevxfs.sh +++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of freevxfs filesystems." KERNEL_OPTION="CONFIG_VXFS_FS" @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
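Review bot: The two `# shellcheck disable=2034` directives added above `HARDENING_LEVEL` and `DESCRIPTION` in 1.1.1.1_disable_freevxfs.sh (hunk `@@ -12,7 +12,9 @@`) give no reason, so a later reader cannot tell a deliberate exemption from a silenced warning. Presumably both variables are read by lib/main.sh once it is sourced at the end of the script, which should be confirmed. If so, say it in a comment line above the directive, for example `# HARDENING_LEVEL and DESCRIPTION are consumed by lib/main.sh, sourced below`. The same applies to the matching first hunk of every other script in this patch.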
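Review bot: The added `# shellcheck source=../../debian/default` in hunk `@@ -46,6 +48,7 @@` is a relative path, and ShellCheck resolves such paths against the directory it is started from unless a source path is configured. The hint therefore only resolves when the linter is run from inside bin/hardening/. Adding `# shellcheck source-path=SCRIPTDIR` near the top of each script, or passing `-P SCRIPTDIR` in CI, makes it independent of the working directory. Separately, the context line `if [ -z "$CIS_ROOT_DIR" ]` runs under the `set -u` visible in the first hunk, so an unreadable /etc/default/cis-hardening with the variable unset aborts on the expansion instead of reaching this check; `"${CIS_ROOT_DIR:-}"` would preserve the intended error path. The `if` body continues outside the hunk, and the same hunk repeats in the other scripts.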
@@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.2_disable_jffs2.sh b/bin/hardening/1.1.1.2_disable_jffs2.sh index 3d90207..ce8dc89 100755 --- a/bin/hardening/1.1.1.2_disable_jffs2.sh +++ b/bin/hardening/1.1.1.2_disable_jffs2.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of jffs2 filesystems." KERNEL_OPTION="CONFIG_JFFS2_FS" @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh index 202f318..684be0a 100755 --- a/bin/hardening/1.1.1.3_disable_hfs.sh +++ b/bin/hardening/1.1.1.3_disable_hfs.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of hfs filesystems." KERNEL_OPTION="CONFIG_HFS_FS" 
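Review bot: The `-r` test and the `.` line around the new `# shellcheck source=../../lib/main.sh` directive in 1.1.1.1_disable_freevxfs.sh still expand `$CIS_ROOT_DIR` unquoted, which ShellCheck reports as SC2086, so this hunk does not yet meet the commit's stated goal. These scripts presumably run with root privileges, and word splitting or globbing on the root directory value means the file that was tested is not guaranteed to be the file that gets sourced. Quote both expansions: `if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then` and `. "$CIS_ROOT_DIR"/lib/main.sh`. The same unquoted pair appears in the final hunk of the other scripts in this patch.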
@@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh index e6c3eb1..0d8fd2b 100755 --- a/bin/hardening/1.1.1.4_disable_hfsplus.sh +++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of hfsplus filesystems." KERNEL_OPTION="CONFIG_HFSPLUS_FS" @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.5_disable_udf.sh b/bin/hardening/1.1.1.5_disable_udf.sh index 4b4d5cb..746c306 100755 --- a/bin/hardening/1.1.1.5_disable_udf.sh +++ b/bin/hardening/1.1.1.5_disable_udf.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of udf filesystems." KERNEL_OPTION="CONFIG_UDF_FS" @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.6_disable_cramfs.sh b/bin/hardening/1.1.1.6_disable_cramfs.sh index 9152d9e..0818ca1 100755 --- a/bin/hardening/1.1.1.6_disable_cramfs.sh +++ b/bin/hardening/1.1.1.6_disable_cramfs.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of cramfs filesystems." KERNEL_OPTION="CONFIG_CRAMFS" @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.7_disable_squashfs.sh b/bin/hardening/1.1.1.7_disable_squashfs.sh index 1e9438b..d49bb88 100755 
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh +++ b/bin/hardening/1.1.1.7_disable_squashfs.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable mounting of squashfs filesytems." KERNEL_OPTION="CONFIG_SQUASHFS" @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.10_var_tmp_noexec.sh b/bin/hardening/1.1.10_var_tmp_noexec.sh index fe6fbfa..b90445d 100755 --- a/bin/hardening/1.1.10_var_tmp_noexec.sh +++ b/bin/hardening/1.1.10_var_tmp_noexec.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/var/tmp partition with noexec option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/1.1.11_var_log_partition.sh b/bin/hardening/1.1.11_var_log_partition.sh index 96967d9..5494047 100755 --- a/bin/hardening/1.1.11_var_log_partition.sh +++ b/bin/hardening/1.1.11_var_log_partition.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/var/log on separate partition." # Quick factoring as many script use the same logic @@ -58,6 +60,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -68,6 +71,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.12_var_log_audit_partition.sh b/bin/hardening/1.1.12_var_log_audit_partition.sh index d684ce8..8bceeec 100755 --- a/bin/hardening/1.1.12_var_log_audit_partition.sh +++ b/bin/hardening/1.1.12_var_log_audit_partition.sh @@ -11,7 +11,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="/var/log/audit on a separate partition." # Quick factoring as many script use the same logic @@ -57,6 +59,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -67,6 +70,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.13_home_partition.sh b/bin/hardening/1.1.13_home_partition.sh index 5464bd2..1f0b2a1 100755 --- a/bin/hardening/1.1.13_home_partition.sh +++ b/bin/hardening/1.1.13_home_partition.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/home on a separate partition." # Quick factoring as many script use the same logic @@ -58,6 +60,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -68,6 +71,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.14_home_nodev.sh b/bin/hardening/1.1.14_home_nodev.sh index 1b5119b..ff0ab65 100755 --- a/bin/hardening/1.1.14_home_nodev.sh +++ b/bin/hardening/1.1.14_home_nodev.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="/home partition with nodev option." # Quick factoring as many script use the same logic 
@@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh index 38e6211..36f985c 100755 --- a/bin/hardening/1.1.15_run_shm_nodev.sh +++ b/bin/hardening/1.1.15_run_shm_nodev.sh @@ -74,6 +74,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -84,8 +85,8 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh index 1161cd8..227d5cf 100755 --- a/bin/hardening/1.1.16_run_shm_nosuid.sh +++ b/bin/hardening/1.1.16_run_shm_nosuid.sh @@ -74,6 +74,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
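Review bot: The new `. $CIS_ROOT_DIR/lib/main.sh` line in hunk `@@ -84,8 +85,8 @@` of 1.1.15_run_shm_nodev.sh drops the quoting that the removed line had, which reintroduces SC2086 in a commit meant to satisfy ShellCheck. The `-r` test on the line above stays quoted, so if the root directory contains whitespace or glob characters, the path checked and the path sourced can differ. Keep the quotes and change only the directive: `# shellcheck source=../../lib/main.sh` followed by `. "$CIS_ROOT_DIR"/lib/main.sh`. The second hunks of 1.1.16_run_shm_nosuid.sh and 1.1.17_run_shm_noexec.sh make the same change and need the same correction.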
@@ -84,8 +85,8 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh index 2c7e373..9dd3ec0 100755 --- a/bin/hardening/1.1.17_run_shm_noexec.sh +++ b/bin/hardening/1.1.17_run_shm_noexec.sh @@ -74,6 +74,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -84,8 +85,8 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.18_removable_device_nodev.sh b/bin/hardening/1.1.18_removable_device_nodev.sh index ba17a6c..ae6807e 100755 --- a/bin/hardening/1.1.18_removable_device_nodev.sh +++ b/bin/hardening/1.1.18_removable_device_nodev.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="nodev option for removable media partitions." # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive 
@@ -59,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -69,6 +72,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.19_removable_device_nosuid.sh b/bin/hardening/1.1.19_removable_device_nosuid.sh index 1136a9a..aaec9cf 100755 --- a/bin/hardening/1.1.19_removable_device_nosuid.sh +++ b/bin/hardening/1.1.19_removable_device_nosuid.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="nosuid option for removable media partitions." # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive @@ -59,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -69,6 +72,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.20_removable_device_noexec.sh b/bin/hardening/1.1.20_removable_device_noexec.sh index 858a5ec..b3a9dd6 100755 --- a/bin/hardening/1.1.20_removable_device_noexec.sh +++ b/bin/hardening/1.1.20_removable_device_noexec.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="noexec option for removable media partitions." # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive @@ -59,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -69,6 +72,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 31ef92f..773b5af 100755 --- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them." # This function will be called if the script status is on enabled / audit mode @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.22_disable_automounting.sh b/bin/hardening/1.1.22_disable_automounting.sh index b9b77d5..0bfb018 100755 --- a/bin/hardening/1.1.22_disable_automounting.sh +++ b/bin/hardening/1.1.22_disable_automounting.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable automounting of devices." SERVICE_NAME="autofs" @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.2_tmp_partition.sh b/bin/hardening/1.1.2_tmp_partition.sh index 9959593..6a98621 100755 --- a/bin/hardening/1.1.2_tmp_partition.sh +++ b/bin/hardening/1.1.2_tmp_partition.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure /tmp is configured (Scored)" # Quick factoring as many script use the same logic 
@@ -58,6 +60,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -68,6 +71,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.3_tmp_nodev.sh b/bin/hardening/1.1.3_tmp_nodev.sh index d00f638..dfa55ba 100755 --- a/bin/hardening/1.1.3_tmp_nodev.sh +++ b/bin/hardening/1.1.3_tmp_nodev.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="/tmp partition with nodev option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.4_tmp_nosuid.sh b/bin/hardening/1.1.4_tmp_nosuid.sh index feb6130..6596cc9 100755 --- a/bin/hardening/1.1.4_tmp_nosuid.sh +++ b/bin/hardening/1.1.4_tmp_nosuid.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="/tmp partition with nosuid option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.5_tmp_noexec.sh b/bin/hardening/1.1.5_tmp_noexec.sh index 500bdd9..f426b1b 100755 --- a/bin/hardening/1.1.5_tmp_noexec.sh +++ b/bin/hardening/1.1.5_tmp_noexec.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/tmp partition with noexec option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.6_var_partition.sh b/bin/hardening/1.1.6_var_partition.sh index 150b32b..ee9fa23 100755 
--- a/bin/hardening/1.1.6_var_partition.sh +++ b/bin/hardening/1.1.6_var_partition.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/var on a separate partition." # Quick factoring as many script use the same logic @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.7_var_tmp_partition.sh b/bin/hardening/1.1.7_var_tmp_partition.sh index 0940bdf..c0e8502 100755 --- a/bin/hardening/1.1.7_var_tmp_partition.sh +++ b/bin/hardening/1.1.7_var_tmp_partition.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="/var/tmp on a separate partition." # Quick factoring as many script use the same logic @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/1.1.8_var_tmp_nodev.sh b/bin/hardening/1.1.8_var_tmp_nodev.sh index 6e91036..c73892b 100755 --- a/bin/hardening/1.1.8_var_tmp_nodev.sh +++ b/bin/hardening/1.1.8_var_tmp_nodev.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="/var/tmp partition with nodev option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.9_var_tmp_nosuid.sh b/bin/hardening/1.1.9_var_tmp_nosuid.sh index 07ea3c0..320d7cd 100755 --- a/bin/hardening/1.1.9_var_tmp_nosuid.sh +++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="/var/tmp partition with nosuid option." # Quick factoring as many script use the same logic @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.4.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh index 6c411ba..a99241f 100755 --- a/bin/hardening/1.4.1_bootloader_ownership.sh +++ b/bin/hardening/1.4.1_bootloader_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User and group root owner of grub bootloader config." # Assertion : Grub Based. @@ -85,6 +87,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -95,6 +98,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.4.2_bootloader_password.sh b/bin/hardening/1.4.2_bootloader_password.sh index e50be9d..0605f58 100755 --- a/bin/hardening/1.4.2_bootloader_password.sh +++ b/bin/hardening/1.4.2_bootloader_password.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Setting bootloader password to secure boot parameters." FILE='/boot/grub/grub.cfg' 
@@ -67,6 +69,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -77,6 +80,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.4.3_root_password.sh b/bin/hardening/1.4.3_root_password.sh index 124a737..5a55c84 100755 --- a/bin/hardening/1.4.3_root_password.sh +++ b/bin/hardening/1.4.3_root_password.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Root password for single user mode." FILE="/etc/shadow" @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.5.1_restrict_core_dumps.sh b/bin/hardening/1.5.1_restrict_core_dumps.sh index cb48c60..3ad8412 100755 --- a/bin/hardening/1.5.1_restrict_core_dumps.sh +++ b/bin/hardening/1.5.1_restrict_core_dumps.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Restrict core dumps." LIMIT_FILE='/etc/security/limits.conf' @@ -82,6 +84,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -92,6 +95,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.5.2_enable_nx_support.sh b/bin/hardening/1.5.2_enable_nx_support.sh index bfe7b8d..61dd73c 100755 --- a/bin/hardening/1.5.2_enable_nx_support.sh +++ b/bin/hardening/1.5.2_enable_nx_support.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks." PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active' @@ -68,6 +70,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -78,6 +81,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh index 1a9e217..43af98e 100755 --- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh +++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits." SYSCTL_PARAM='kernel.randomize_va_space' @@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.5.4_disable_prelink.sh b/bin/hardening/1.5.4_disable_prelink.sh index f157e5a..643b90e 100755 --- a/bin/hardening/1.5.4_disable_prelink.sh +++ b/bin/hardening/1.5.4_disable_prelink.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable prelink to prevent libraries compromission." PACKAGE='prelink' @@ -49,6 +51,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -59,6 +62,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.6.2.1_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh index 46a5b59..192bcbf 100755 --- a/bin/hardening/1.6.2.1_enable_apparmor.sh +++ b/bin/hardening/1.6.2.1_enable_apparmor.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Activate AppArmor to enforce permissions control." PACKAGE='apparmor' @@ -85,6 +87,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -95,6 +98,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.1.1_remove_os_info_motd.sh b/bin/hardening/1.7.1.1_remove_os_info_motd.sh index c3c793a..2e8fb10 100755 --- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh +++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Remove OS information from motd" FILE='/etc/motd' 
@@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.1.2_remove_os_info_issue.sh b/bin/hardening/1.7.1.2_remove_os_info_issue.sh index 90dc08c..5f38002 100755 --- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh +++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Remove OS information from Login Warning Banners." FILE='/etc/issue' @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh index bf3e229..a1fe41d 100755 --- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh +++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Remove OS information from remote Login Warning Banners." FILE='/etc/issue.net' @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh index 1e95fce..47ea1ed 100755 --- a/bin/hardening/1.7.1.4_motd_perms.sh +++ b/bin/hardening/1.7.1.4_motd_perms.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." PERMISSIONS='644' @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh index 5b855e9..1955a59 100755 --- a/bin/hardening/1.7.1.5_etc_issue_perms.sh +++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." PERMISSIONS='644' @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh index c6145dc..9e1ce03 100755 --- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh +++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ." PERMISSIONS='644' @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.7.2_graphical_warning_banners.sh b/bin/hardening/1.7.2_graphical_warning_banners.sh index 01d8519..84ed678 100755 --- a/bin/hardening/1.7.2_graphical_warning_banners.sh +++ b/bin/hardening/1.7.2_graphical_warning_banners.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set graphical warning banner." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.8_install_updates.sh b/bin/hardening/1.8_install_updates.sh index c157e4f..7828951 100755 --- a/bin/hardening/1.8_install_updates.sh +++ b/bin/hardening/1.8_install_updates.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)" # This function will be called if the script status is on enabled / audit mode @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.1.1_disable_xinetd.sh b/bin/hardening/2.1.1_disable_xinetd.sh index 486facf..b151263 100755 --- a/bin/hardening/2.1.1_disable_xinetd.sh +++ b/bin/hardening/2.1.1_disable_xinetd.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure xinetd is not enabled." PACKAGE='xinetd' @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/2.1.2_disable_bsd_inetd.sh b/bin/hardening/2.1.2_disable_bsd_inetd.sh index fc2273b..2a04d35 100755 --- a/bin/hardening/2.1.2_disable_bsd_inetd.sh +++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure bsd-inetd is not enabled." PACKAGES='openbsd-inetd inetutils-inetd' @@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.1.1_use_time_sync.sh b/bin/hardening/2.2.1.1_use_time_sync.sh index bbc9bad..c696abc 100755 --- a/bin/hardening/2.2.1.1_use_time_sync.sh +++ b/bin/hardening/2.2.1.1_use_time_sync.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure time synchronization is in use" PACKAGES="ntp chrony" @@ -44,6 +46,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -52,6 +55,13 @@ if [ -z "$CIS_ROOT_DIR" ]; then exit 128 fi -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/2.2.1.2_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh index 6a288ab..3b4c680 100755 --- a/bin/hardening/2.2.1.2_configure_ntp.sh +++ b/bin/hardening/2.2.1.2_configure_ntp.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user." +# shellcheck disable=2034 HARDENING_EXCEPTION=ntp PACKAGE='ntp' @@ -79,6 +82,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -89,6 +93,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.1.3_configure_chrony.sh b/bin/hardening/2.2.1.3_configure_chrony.sh index 1159c48..1598eea 100755 --- a/bin/hardening/2.2.1.3_configure_chrony.sh +++ b/bin/hardening/2.2.1.3_configure_chrony.sh 
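Review bot: The new `if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then` in 2.2.1.1_use_time_sync.sh loses the quoting that the removed `[ -r "$CIS_ROOT_DIR"/lib/main.sh ]` had, and the `. $CIS_ROOT_DIR/lib/main.sh` line stays unquoted, so a value containing whitespace or glob characters is split before the path is tested and sourced (SC2086, which this commit neither silences nor fixes). Write `if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then` and `. "$CIS_ROOT_DIR/lib/main.sh"`; the same unquoted pair is visible as context in the last hunk of the other scripts in this patch. The value comes from `/etc/default/cis-hardening`, and `-r` checks readability only, so it would be worth confirming (outside this hunk) that the file being sourced is not writable by unprivileged users. The added `echo` reports a failure and would be better sent to stderr with `>&2`.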
@@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user." +# shellcheck disable=2034 HARDENING_EXCEPTION=ntp PACKAGE=chrony @@ -48,6 +51,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +62,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.10_disable_http_server.sh b/bin/hardening/2.2.10_disable_http_server.sh index 106e67c..73fb26e 100755 --- a/bin/hardening/2.2.10_disable_http_server.sh +++ b/bin/hardening/2.2.10_disable_http_server.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure HTTP server is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=http # Based on aptitude search '~Phttpd' @@ -52,6 +55,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -62,6 +66,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.11_disable_imap_pop.sh b/bin/hardening/2.2.11_disable_imap_pop.sh index af67d6c..e612344 100755 --- a/bin/hardening/2.2.11_disable_imap_pop.sh +++ b/bin/hardening/2.2.11_disable_imap_pop.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure IMAP and POP servers are not installed" +# shellcheck disable=2034 HARDENING_EXCEPTION=mail # Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server' @@ -52,6 +55,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -62,6 +66,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.12_disable_samba.sh b/bin/hardening/2.2.12_disable_samba.sh index 442c9ec..972789a 100755 --- a/bin/hardening/2.2.12_disable_samba.sh +++ b/bin/hardening/2.2.12_disable_samba.sh 
@@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure Samba is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=samba PACKAGES='samba' @@ -65,6 +68,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -75,6 +79,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.13_disable_http_proxy.sh b/bin/hardening/2.2.13_disable_http_proxy.sh index 25c9da7..ddbe453 100755 --- a/bin/hardening/2.2.13_disable_http_proxy.sh +++ b/bin/hardening/2.2.13_disable_http_proxy.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure HTTP-proxy is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=http PACKAGES='squid3 squid' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/2.2.14_disable_snmp_server.sh b/bin/hardening/2.2.14_disable_snmp_server.sh index e28305f..3863432 100755 --- a/bin/hardening/2.2.14_disable_snmp_server.sh +++ b/bin/hardening/2.2.14_disable_snmp_server.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Enure SNMP server is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=snmp PACKAGES='snmpd' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh index 63f253a..c32d53e 100755 --- a/bin/hardening/2.2.15_mta_localhost.sh +++ b/bin/hardening/2.2.15_mta_localhost.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode." +# shellcheck disable=2034 HARDENING_EXCEPTION=mail # This function will be called if the script status is on enabled / audit mode @@ -60,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
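Review bot: The `DESCRIPTION` strings directly under the new directives contain typos that are presumably shown to the operator in audit output: `Enure SNMP server` in `2.2.14_disable_snmp_server.sh` and `Mail Transfert Agent` in `2.2.15_mta_localhost.sh`, plus `runs ad unprivileged user` in the NTP script earlier in the patch. Since the patch already edits the line above each of them, correct them to `Ensure`, `Transfer` and `as` in the same pass.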
@@ -70,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.16_disable_rsync.sh b/bin/hardening/2.2.16_disable_rsync.sh index 0185f16..5c12bc9 100755 --- a/bin/hardening/2.2.16_disable_rsync.sh +++ b/bin/hardening/2.2.16_disable_rsync.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure rsync service is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=rsync PACKAGE='rsync' @@ -62,6 +65,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -72,6 +76,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh index d09a116..1778666 100755 --- a/bin/hardening/2.2.18_disable_telnet_server.sh +++ b/bin/hardening/2.2.18_disable_telnet_server.sh @@ -14,7 +14,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)." # Based on aptitude search '~Ptelnet-server' 
@@ -81,6 +83,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -91,6 +94,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.2_disable_xwindow_system.sh b/bin/hardening/2.2.2_disable_xwindow_system.sh index f60bb90..dbc1ae3 100755 --- a/bin/hardening/2.2.2_disable_xwindow_system.sh +++ b/bin/hardening/2.2.2_disable_xwindow_system.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure the X Window system is not installed." +# shellcheck disable=2034 HARDENING_EXCEPTION=x11 # Based on aptitude search '~Pxserver' @@ -52,6 +55,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -62,6 +66,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.3_disable_avahi_server.sh b/bin/hardening/2.2.3_disable_avahi_server.sh index 706c1f0..4799e25 100755 --- a/bin/hardening/2.2.3_disable_avahi_server.sh +++ b/bin/hardening/2.2.3_disable_avahi_server.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure Avahi server is not enabled." PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' @@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.4_disable_print_server.sh b/bin/hardening/2.2.4_disable_print_server.sh index d08efe1..b034b13 100755 --- a/bin/hardening/2.2.4_disable_print_server.sh +++ b/bin/hardening/2.2.4_disable_print_server.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=cups PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.5_disable_dhcp.sh b/bin/hardening/2.2.5_disable_dhcp.sh index 7422e04..2e4d91c 100755 --- a/bin/hardening/2.2.5_disable_dhcp.sh +++ b/bin/hardening/2.2.5_disable_dhcp.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure DHCP server is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=dhcp PACKAGES='udhcpd isc-dhcp-server' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.6_disable_ldap.sh b/bin/hardening/2.2.6_disable_ldap.sh index 2359ef4..e3169db 100755 --- a/bin/hardening/2.2.6_disable_ldap.sh +++ b/bin/hardening/2.2.6_disable_ldap.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure LDAP is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=ldap PACKAGES='slapd' 
@@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.7_disable_nfs_rpc.sh b/bin/hardening/2.2.7_disable_nfs_rpc.sh index e83ae25..f7129da 100755 --- a/bin/hardening/2.2.7_disable_nfs_rpc.sh +++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=nfs PACKAGES='rpcbind nfs-kernel-server' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.8_disable_dns_server.sh b/bin/hardening/2.2.8_disable_dns_server.sh index d767d7f..1299f1d 100755 --- a/bin/hardening/2.2.8_disable_dns_server.sh +++ b/bin/hardening/2.2.8_disable_dns_server.sh 
@@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure Domain Name System (dns) server is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=dns PACKAGES='bind9 unbound' @@ -51,6 +54,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +65,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.9_disable_ftp.sh b/bin/hardening/2.2.9_disable_ftp.sh index 5c836ce..fa17bb3 100755 --- a/bin/hardening/2.2.9_disable_ftp.sh +++ b/bin/hardening/2.2.9_disable_ftp.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled." +# shellcheck disable=2034 HARDENING_EXCEPTION=ftp # Based on aptitude search '~Pftp-server' @@ -52,6 +55,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -62,6 +66,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/2.3.1_disable_nis.sh b/bin/hardening/2.3.1_disable_nis.sh index 2376e36..49cb39f 100755 --- a/bin/hardening/2.3.1_disable_nis.sh +++ b/bin/hardening/2.3.1_disable_nis.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP." PACKAGE='nis' @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.3.2_disable_rsh_client.sh b/bin/hardening/2.3.2_disable_rsh_client.sh index 04300a6..2ea3bb5 100755 --- a/bin/hardening/2.3.2_disable_rsh_client.sh +++ b/bin/hardening/2.3.2_disable_rsh_client.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh." # Based on aptitude search '~Prsh-client', exluding ssh-client OFC @@ -51,6 +53,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -61,6 +64,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.3.3_disable_talk_client.sh b/bin/hardening/2.3.3_disable_talk_client.sh index 8043c05..1464abc 100755 --- a/bin/hardening/2.3.3_disable_talk_client.sh +++ b/bin/hardening/2.3.3_disable_talk_client.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure talk client is not installed." PACKAGES='talk inetutils-talk' @@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.3.4_disable_telnet_client.sh b/bin/hardening/2.3.4_disable_telnet_client.sh index 386ee89..4f96a9f 100755 --- a/bin/hardening/2.3.4_disable_telnet_client.sh +++ b/bin/hardening/2.3.4_disable_telnet_client.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure telnet client is not installed." PACKAGES='telnet' 
@@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.3.5_disable_ldap_client.sh b/bin/hardening/2.3.5_disable_ldap_client.sh index 0832b29..20bd276 100755 --- a/bin/hardening/2.3.5_disable_ldap_client.sh +++ b/bin/hardening/2.3.5_disable_ldap_client.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure ldap client is not installed." PACKAGES='ldap-utils' @@ -50,6 +52,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -60,6 +63,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh index 8aa9cf0..b92b983 100755 --- a/bin/hardening/3.1.1_disable_ip_forwarding.sh +++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh 
@@ -13,8 +13,10 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 HARDENING_EXCEPTION=gw +# shellcheck disable=2034 DESCRIPTION="Disable IP forwarding." SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.1.2_disable_send_packet_redirects.sh b/bin/hardening/3.1.2_disable_send_packet_redirects.sh index 7a0caae..08db575 100755 --- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh +++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption." #net.ipv4.conf.all.send_redirects = 0 @@ -62,6 +64,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -72,6 +75,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
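Review bot: `HARDENING_EXCEPTION=gw` in the first hunk of `3.1.1_disable_ip_forwarding.sh` (`@@ -13,8 +13,10 @@`) gets no directive, although the same variable is suppressed in the other scripts of this patch that define it. A directive only covers the command that follows it, so the one above `HARDENING_LEVEL=3` does not reach this line. Unless the rest of the script references the variable, which the hunk does not show, SC2034 will still be reported here. Add `# shellcheck disable=2034` directly above `HARDENING_EXCEPTION=gw`, and consider reordering the assignments to the `HARDENING_LEVEL` / `DESCRIPTION` / `HARDENING_EXCEPTION` order used elsewhere so the files stay uniform.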
diff --git a/bin/hardening/3.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh index 3ef2143..ac23490 100755 --- a/bin/hardening/3.2.1_disable_source_routed_packets.sh +++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable source routed packet acceptance." # set in config file SYSCTL_PARAMS='' @@ -71,6 +73,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -81,6 +84,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh index 35a83ca..954b1f3 100755 --- a/bin/hardening/3.2.2_disable_icmp_redirect.sh +++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption." # set in config file SYSCTL_PARAMS='' @@ -72,6 +74,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -82,6 +85,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh index 148368f..dcfa901 100755 --- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh +++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions." SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.4_log_martian_packets.sh b/bin/hardening/3.2.4_log_martian_packets.sh index 66a2983..c8b709a 100755 --- a/bin/hardening/3.2.4_log_martian_packets.sh +++ b/bin/hardening/3.2.4_log_martian_packets.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Log suspicious packets, like spoofed packets." SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.5_ignore_broadcast_requests.sh b/bin/hardening/3.2.5_ignore_broadcast_requests.sh index b340851..51dd89d 100755 --- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh +++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack." SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh index d13d48b..d5162e1 100755 --- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh +++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Enable bad error message protection to prevent logfiles fillup." SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.7_enable_source_route_validation.sh b/bin/hardening/3.2.7_enable_source_route_validation.sh index 1a967f5..5adfa96 100755 --- a/bin/hardening/3.2.7_enable_source_route_validation.sh +++ b/bin/hardening/3.2.7_enable_source_route_validation.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Enable RFC-recommended source route validation." SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh index b544bc7..995741f 100755 --- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh +++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack." SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh index a762180..3aae40a 100755 --- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh +++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable IPv6 router advertisements." SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0' @@ -70,6 +72,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -80,6 +83,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.1_install_tcp_wrapper.sh b/bin/hardening/3.3.1_install_tcp_wrapper.sh index f6c599b..94a8996 100755 --- a/bin/hardening/3.3.1_install_tcp_wrapper.sh +++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services." PACKAGE='tcpd' @@ -45,6 +47,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -55,6 +58,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.2_hosts_allow.sh b/bin/hardening/3.3.2_hosts_allow.sh index 625c36e..4abde0d 100755 --- a/bin/hardening/3.3.2_hosts_allow.sh +++ b/bin/hardening/3.3.2_hosts_allow.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Create /etc/hosts.allow ." FILE='/etc/hosts.allow' @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.3_hosts_deny.sh b/bin/hardening/3.3.3_hosts_deny.sh index 5945335..490bb00 100755 --- a/bin/hardening/3.3.3_hosts_deny.sh +++ b/bin/hardening/3.3.3_hosts_deny.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Create /etc/hosts.deny ." FILE='/etc/hosts.deny' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.4_hosts_allow_permissions.sh b/bin/hardening/3.3.4_hosts_allow_permissions.sh index 1595432..d4b136f 100755 --- a/bin/hardening/3.3.4_hosts_allow_permissions.sh +++ b/bin/hardening/3.3.4_hosts_allow_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ." FILE='/etc/hosts.allow' @@ -54,6 +56,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -64,6 +67,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.5_hosts_deny_permissions.sh b/bin/hardening/3.3.5_hosts_deny_permissions.sh index 4c2fd35..7c86967 100755 --- a/bin/hardening/3.3.5_hosts_deny_permissions.sh +++ b/bin/hardening/3.3.5_hosts_deny_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ." FILE='/etc/hosts.deny' 
@@ -54,6 +56,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -64,6 +67,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.1_disable_dccp.sh b/bin/hardening/3.4.1_disable_dccp.sh index 6c2e796..8ef2850 100755 --- a/bin/hardening/3.4.1_disable_dccp.sh +++ b/bin/hardening/3.4.1_disable_dccp.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.2_disable_sctp.sh b/bin/hardening/3.4.2_disable_sctp.sh index d3c99d0..87b168d 100755 --- a/bin/hardening/3.4.2_disable_sctp.sh +++ b/bin/hardening/3.4.2_disable_sctp.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.3_disable_rds.sh b/bin/hardening/3.4.3_disable_rds.sh index 6123984..72aff97 100755 --- a/bin/hardening/3.4.3_disable_rds.sh +++ b/bin/hardening/3.4.3_disable_rds.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/3.4.4_disable_tipc.sh b/bin/hardening/3.4.4_disable_tipc.sh index 6243da9..6e09336 100755 --- a/bin/hardening/3.4.4_disable_tipc.sh +++ b/bin/hardening/3.4.4_disable_tipc.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh index b151bf1..f4d6c50 100755 --- a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh +++ b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh @@ -61,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -71,8 +72,8 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.5_enable_firewall.sh b/bin/hardening/3.5_enable_firewall.sh index 162ca56..55e360b 100755 --- a/bin/hardening/3.5_enable_firewall.sh +++ b/bin/hardening/3.5_enable_firewall.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." # Quick note here : CIS recommends your iptables rules to be persistent. @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.6_disable_wireless.sh b/bin/hardening/3.6_disable_wireless.sh index 43dd28e..d1e4694 100755 --- a/bin/hardening/3.6_disable_wireless.sh +++ b/bin/hardening/3.6_disable_wireless.sh 
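Review bot: The replacement line `. $CIS_ROOT_DIR/lib/main.sh` in the `@@ -71,8 +72,8 @@` hunk drops the quoting the removed line had, which reintroduces SC2086 in a commit whose purpose is shellcheck compliance and leaves the sourced path open to word splitting and globbing. Only the directive needed to change, so the command should stay `. "$CIS_ROOT_DIR"/lib/main.sh`, matching the still-quoted test `[ -r "$CIS_ROOT_DIR"/lib/main.sh ]` on the line above. Because the value is read from /etc/default/cis-hardening and the file it names is executed by the hardening script, the path that is tested and the path that is sourced should be guaranteed identical. The other scripts in this patch show the unquoted form in their context lines and would merit the same quoting; the `if`/`else` block continues past the end of this hunk.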
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Deactivate wireless interfaces." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -44,6 +47,7 @@ fi # echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting" # exit 128 #else +# shellcheck source=../../debian/default # . /etc/default/cis-hardening # if [ -z ${CIS_ROOT_DIR:-} ]; then # echo "No CIS_ROOT_DIR variable, aborting" @@ -53,6 +57,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.7_disable_ipv6.sh b/bin/hardening/3.7_disable_ipv6.sh index fb74b1e..9487a17 100755 --- a/bin/hardening/3.7_disable_ipv6.sh +++ b/bin/hardening/3.7_disable_ipv6.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable IPv6." SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1' @@ -70,6 +72,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
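Review bot: The directive added in the `@@ -44,6 +47,7 @@` hunk of 3.6_disable_wireless.sh precedes `# . /etc/default/cis-hardening`, which is itself commented out, so there is no source command for `# shellcheck source=../../debian/default` to describe. It looks like the result of a scripted search-and-replace, and depending on how shellcheck attaches directives it may end up applying to the next real command instead. Either drop this added line or delete the dead commented-out block altogether. That block starts and ends outside the hunk, so its full extent should be checked before removing it.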
@@ -80,6 +83,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh index 0a97ab7..45ad8c4 100755 --- a/bin/hardening/4.1.1.1_audit_log_storage.sh +++ b/bin/hardening/4.1.1.1_audit_log_storage.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Configure audit log storage size." FILE='/etc/audit/auditd.conf' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh index 4cac2ec..83ce552 100755 --- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Disable system on audit log full." FILE='/etc/audit/auditd.conf' 
@@ -87,6 +89,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -97,6 +100,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh index 21fd118..3b75b3d 100755 --- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh +++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Keep all auditing information." FILE='/etc/audit/auditd.conf' @@ -78,6 +80,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -88,6 +91,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.10_record_dac_edit.sh b/bin/hardening/4.1.10_record_dac_edit.sh index 70bc34b..eb9cf33 100755 --- a/bin/hardening/4.1.10_record_dac_edit.sh +++ b/bin/hardening/4.1.10_record_dac_edit.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect discretionary access control (DAC) permission modification events." AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod @@ -66,6 +68,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -76,6 +79,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.11_record_failed_access_file.sh b/bin/hardening/4.1.11_record_failed_access_file.sh index 449d8d6..4cd57eb 100755 --- a/bin/hardening/4.1.11_record_failed_access_file.sh +++ b/bin/hardening/4.1.11_record_failed_access_file.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect unsuccessful unauthorized access attemps to files." AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access @@ -64,6 +66,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -74,6 +77,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.12_record_privileged_commands.sh b/bin/hardening/4.1.12_record_privileged_commands.sh index 9426ef7..21154cf 100755 --- a/bin/hardening/4.1.12_record_privileged_commands.sh +++ b/bin/hardening/4.1.12_record_privileged_commands.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect use of privileged commands." # Find all files with setuid or setgid set @@ -65,6 +67,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -75,6 +78,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.13_record_successful_mount.sh b/bin/hardening/4.1.13_record_successful_mount.sh index df69293..d729a19 100755 --- a/bin/hardening/4.1.13_record_successful_mount.sh +++ b/bin/hardening/4.1.13_record_successful_mount.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect sucessfull file system mounts." AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts @@ -62,6 +64,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -72,6 +75,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.14_record_file_deletions.sh b/bin/hardening/4.1.14_record_file_deletions.sh index 795368e..ed9f225 100755 --- a/bin/hardening/4.1.14_record_file_deletions.sh +++ b/bin/hardening/4.1.14_record_file_deletions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collects file deletion events by users." AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete @@ -62,6 +64,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -72,6 +75,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.15_record_sudoers_edit.sh b/bin/hardening/4.1.15_record_sudoers_edit.sh index 687a828..97ab21e 100755 --- a/bin/hardening/4.1.15_record_sudoers_edit.sh +++ b/bin/hardening/4.1.15_record_sudoers_edit.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect changes to system administration scopre." AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers @@ -62,6 +64,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -72,6 +75,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.16_record_sudo_usage.sh b/bin/hardening/4.1.16_record_sudo_usage.sh index 993efe8..ecd5ef0 100755 --- a/bin/hardening/4.1.16_record_sudo_usage.sh +++ b/bin/hardening/4.1.16_record_sudo_usage.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect system administration actions (sudolog)." AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' 
@@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.17_record_kernel_modules.sh b/bin/hardening/4.1.17_record_kernel_modules.sh index 747da54..6dfb453 100755 --- a/bin/hardening/4.1.17_record_kernel_modules.sh +++ b/bin/hardening/4.1.17_record_kernel_modules.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect kernel module loading and unloading." AUDIT_PARAMS='-w /sbin/insmod -p x -k modules @@ -64,6 +66,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -74,6 +77,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.18_freeze_auditd_conf.sh b/bin/hardening/4.1.18_freeze_auditd_conf.sh index a884dbd..85b0eed 100755 --- a/bin/hardening/4.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/4.1.18_freeze_auditd_conf.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Make the audit configuration immutable." AUDIT_PARAMS='-e 2' @@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.2_enable_auditd.sh b/bin/hardening/4.1.2_enable_auditd.sh index 5a1a705..3da8b6d 100755 --- a/bin/hardening/4.1.2_enable_auditd.sh +++ b/bin/hardening/4.1.2_enable_auditd.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Ensure auditd service is installed and running." PACKAGE='auditd' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.3_audit_bootloader.sh b/bin/hardening/4.1.3_audit_bootloader.sh index 8105cb7..92d3ca1 100755 
--- a/bin/hardening/4.1.3_audit_bootloader.sh +++ b/bin/hardening/4.1.3_audit_bootloader.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Enable auditing for processes that start prior to auditd." FILE='/etc/default/grub' @@ -78,6 +80,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -88,6 +91,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.4_record_date_time_edit.sh b/bin/hardening/4.1.4_record_date_time_edit.sh index 893b4f4..0f44ae6 100755 --- a/bin/hardening/4.1.4_record_date_time_edit.sh +++ b/bin/hardening/4.1.4_record_date_time_edit.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Record events that modify date and time information." AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change @@ -65,6 +67,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -75,6 +78,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.5_record_user_group_edit.sh b/bin/hardening/4.1.5_record_user_group_edit.sh index b1439ac..06774ec 100755 --- a/bin/hardening/4.1.5_record_user_group_edit.sh +++ b/bin/hardening/4.1.5_record_user_group_edit.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Record events that modify user/group information." AUDIT_PARAMS='-w /etc/group -p wa -k identity @@ -65,6 +67,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -75,6 +78,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.6_record_network_edit.sh b/bin/hardening/4.1.6_record_network_edit.sh index ed80c6c..3ef5e76 100755 --- a/bin/hardening/4.1.6_record_network_edit.sh +++ b/bin/hardening/4.1.6_record_network_edit.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Record events that modify the system's network environment." AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale @@ -66,6 +68,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -76,6 +79,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.7_record_mac_edit.sh b/bin/hardening/4.1.7_record_mac_edit.sh index 8b2dd0f..4673d23 100755 --- a/bin/hardening/4.1.7_record_mac_edit.sh +++ b/bin/hardening/4.1.7_record_mac_edit.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)." AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' @@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/4.1.8_record_login_logout.sh b/bin/hardening/4.1.8_record_login_logout.sh index 1beecbc..fda7b92 100755 --- a/bin/hardening/4.1.8_record_login_logout.sh +++ b/bin/hardening/4.1.8_record_login_logout.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collect login and logout events." AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins @@ -63,6 +65,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -73,6 +76,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.9_record_session_init.sh b/bin/hardening/4.1.9_record_session_init.sh index 1ccf803..0d6ac80 100755 --- a/bin/hardening/4.1.9_record_session_init.sh +++ b/bin/hardening/4.1.9_record_session_init.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Collec sessions initiation information." AUDIT_PARAMS='-w /var/run/utmp -p wa -k session @@ -63,6 +65,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -73,6 +76,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.1_enable_syslog-ng.sh b/bin/hardening/4.2.2.1_enable_syslog-ng.sh index 1c2e191..fdf2336 100755 --- a/bin/hardening/4.2.2.1_enable_syslog-ng.sh +++ b/bin/hardening/4.2.2.1_enable_syslog-ng.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure syslog-ng service is activated." SERVICE_NAME="syslog-ng" @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.2_configure_syslog-ng.sh b/bin/hardening/4.2.2.2_configure_syslog-ng.sh index 7625daf..1ff1eaa 100755 --- a/bin/hardening/4.2.2.2_configure_syslog-ng.sh +++ b/bin/hardening/4.2.2.2_configure_syslog-ng.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." SERVICE_NAME="syslog-ng" 
@@ -36,6 +38,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -46,6 +49,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh index 3092dac..9ee2ab4 100755 --- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh @@ -145,6 +145,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -154,9 +155,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh index d204806..4f7af00 100755 --- a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh +++ b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh 
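Review bot: The `@@ -154,9 +155,9 @@` hunk of 4.2.2.3_syslog_ng_logfiles_perm.sh removes the double quotes around `$CIS_ROOT_DIR` in both the `[ -r … ]` test and the `.` command. That reintroduces SC2086 in a commit meant to satisfy ShellCheck. The value comes from `/etc/default/cis-hardening`, and once unquoted it is subject to word splitting and globbing, so a value containing whitespace or glob characters can make the test fail or make `.` read a different file than the one that was checked, which matters in a script that presumably runs privileged. I would keep the quoted forms, `if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then` and `. "$CIS_ROOT_DIR"/lib/main.sh`, and change only the `source=` directive. The same unquoting appears in the second hunks of 5.2.14_ssh_cry_mac.sh, 5.2.15_ssh_cry_kex.sh and 5.2.5_sshd_loglevel.sh; the closing `fi` of this `if` lies outside the hunk.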
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure syslog-ng to send logs to a remote log host." PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' @@ -67,6 +69,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -77,6 +80,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh index 74fc3be..c3be515 100755 --- a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh +++ b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." # This function will be called if the script status is on enabled / audit mode @@ -32,6 +34,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -42,6 +45,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.3_install_syslog-ng.sh b/bin/hardening/4.2.3_install_syslog-ng.sh index 84103f4..bd2b162 100755 --- a/bin/hardening/4.2.3_install_syslog-ng.sh +++ b/bin/hardening/4.2.3_install_syslog-ng.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Install syslog-ng to manage logs" # NB : in CIS, rsyslog has been chosen, however we chose syslog-ng @@ -46,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -56,6 +59,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index a681223..69dbbdd 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh +++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Check permissions on logs (other has no permissions on any files and group does not have write or execute permissions on any file)" DIR='/var/log' 
@@ -63,6 +65,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -73,6 +76,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.3_configure_logrotate.sh b/bin/hardening/4.3_configure_logrotate.sh index c05b143..3716e8e 100755 --- a/bin/hardening/4.3_configure_logrotate.sh +++ b/bin/hardening/4.3_configure_logrotate.sh @@ -11,7 +11,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." SERVICE_NAME="syslog-ng" @@ -35,6 +37,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -45,6 +48,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.1_enable_cron.sh b/bin/hardening/5.1.1_enable_cron.sh index 90adb7a..ac43bc7 100755 --- a/bin/hardening/5.1.1_enable_cron.sh +++ b/bin/hardening/5.1.1_enable_cron.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Cron package is installed and enabled." PACKAGE="cron" @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh index a51f8fd..a2b96c6 100755 --- a/bin/hardening/5.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/Group set to root and permissions to 600 on /etc/crontab ." FILE='/etc/crontab' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh index 46aab51..ae20ebb 100755 --- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/Group set to root and permissions to 700 on /etc/cron.hourly ." FILE='/etc/cron.hourly' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh index 82f9ec1..4a07de7 100755 --- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.daily ." FILE='/etc/cron.daily' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh index 0058325..37d15fe 100755 --- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.weekly ." FILE='/etc/cron.weekly' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh index 571c969..20d3d8c 100755 --- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ." FILE='/etc/cron.monthly' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.7_cron_d_perm_ownership.sh b/bin/hardening/5.1.7_cron_d_perm_ownership.sh index d7c2b12..6b85c5d 100755 --- a/bin/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/5.1.7_cron_d_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.d ." FILE='/etc/cron.d' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh index 0ff1de8..cf018c5 100755 --- a/bin/hardening/5.1.8_cron_users.sh +++ b/bin/hardening/5.1.8_cron_users.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Restrict at/cron to authorized users." FILES_ABSENT='/etc/cron.deny /etc/at.deny' @@ -102,6 +104,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -112,6 +115,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh index d2cae33..3ea387f 100755 --- a/bin/hardening/5.2.10_disable_root_login.sh +++ b/bin/hardening/5.2.10_disable_root_login.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Disable SSH Root Login." PACKAGE='openssh-server' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh index bda0977..b46b6e5 100755 --- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs." PACKAGE='openssh-server' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh index d443779..0a613ca 100755 --- a/bin/hardening/5.2.12_disable_sshd_setenv.sh +++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Do not allow users to set environment options." PACKAGE='openssh-server' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh index 84790d5..82fd2fe 100755 --- a/bin/hardening/5.2.13_sshd_ciphers.sh +++ b/bin/hardening/5.2.13_sshd_ciphers.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)." PACKAGE='openssh-server' @@ -87,6 +89,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -97,6 +100,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.14_ssh_cry_mac.sh b/bin/hardening/5.2.14_ssh_cry_mac.sh index 59ee93b..4c2bdf1 100755 
--- a/bin/hardening/5.2.14_ssh_cry_mac.sh +++ b/bin/hardening/5.2.14_ssh_cry_mac.sh @@ -89,6 +89,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -98,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh index 17e8ee9..d755587 100755 --- a/bin/hardening/5.2.15_ssh_cry_kex.sh +++ b/bin/hardening/5.2.15_ssh_cry_kex.sh @@ -99,6 +99,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -108,9 +109,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh index d2fb0d0..111dc0e 100755 --- a/bin/hardening/5.2.16_sshd_idle_timeout.sh 
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh @@ -13,7 +13,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set Idle Timeout Interval for user login." PACKAGE='openssh-server' @@ -88,6 +90,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -98,6 +101,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh index 3e8b005..6195c42 100755 --- a/bin/hardening/5.2.17_sshd_login_grace_time.sh +++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set Login Grace Time for user login." PACKAGE='openssh-server' @@ -87,6 +89,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -97,6 +100,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh index 86bbb3a..3e74ab5 100755 --- a/bin/hardening/5.2.18_sshd_limit_access.sh +++ b/bin/hardening/5.2.18_sshd_limit_access.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Limite access via SSH by (dis)allowing specific users or groups." PACKAGE='openssh-server' @@ -107,6 +109,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -117,6 +120,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh index 05f140e..92bfba9 100755 --- a/bin/hardening/5.2.19_ssh_banner.sh +++ b/bin/hardening/5.2.19_ssh_banner.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set ssh banner." PACKAGE='openssh-server' @@ -87,6 +89,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -97,6 +100,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh index 61545fb..14ddb88 100755 --- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh +++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." FILE='/etc/ssh/sshd_config' @@ -75,6 +77,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -85,6 +88,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index 581e907..14b76eb 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Checking permissions and ownership to root 600 for ssh private keys. " DIR='/etc/ssh' @@ -101,6 +103,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -111,6 +114,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 17503a8..502c8bf 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Checking permissions and ownership to root 644 for ssh public keys. " DIR='/etc/ssh' @@ -119,6 +121,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -129,6 +132,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh index af60dbc..7958561 100755 --- a/bin/hardening/5.2.4_sshd_protocol.sh +++ b/bin/hardening/5.2.4_sshd_protocol.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set secure shell (SSH) protocol to 2." PACKAGE='openssh-server' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.5_sshd_loglevel.sh b/bin/hardening/5.2.5_sshd_loglevel.sh index c4eb31e..9415666 100755 --- a/bin/hardening/5.2.5_sshd_loglevel.sh +++ b/bin/hardening/5.2.5_sshd_loglevel.sh @@ -91,6 +91,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -100,9 +101,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
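Review bot: The last hunk of 5.2.5_sshd_loglevel.sh removes quoting the file already had: `[ -r "$CIS_ROOT_DIR"/lib/main.sh ]` and `. "$CIS_ROOT_DIR"/lib/main.sh` become bare `$CIS_ROOT_DIR/lib/main.sh`, which ShellCheck reports as SC2086 and which runs against the commit's stated goal. Going by the error message, the value comes from /etc/default/cis-hardening and decides which file gets sourced, so it should not be open to word splitting or globbing; a root directory containing a space would make the `[ -r … ]` test error out or check the wrong path. Keep the quoted lines, `if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then` and `. "$CIS_ROOT_DIR"/lib/main.sh`, and change only the `source=` directive. The same un-quoting is in the last hunks of 5.3.4_acc_pam_sha512.sh, 6.1.13_find_suid_files.sh and 6.1.14_find_sgid_files.sh.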
diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh index 610395d..4b7b92a 100755 --- a/bin/hardening/5.2.6_disable_x11_forwarding.sh +++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Disable SSH X11 forwarding." PACKAGE='openssh-server' @@ -87,6 +89,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -97,6 +100,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh index 65daaf2..9316ee4 100755 --- a/bin/hardening/5.2.7_sshd_maxauthtries.sh +++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set SSH MaxAuthTries to 4." PACKAGE='openssh-server' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh index ebb35ce..41ddc97 100755 --- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set SSH IgnoreRhosts to Yes." PACKAGE='openssh-server' @@ -85,6 +87,7 @@ EOF } # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -95,6 +98,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh index 51b3d3d..9834468 100755 --- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set SSH HostbasedAUthentication to No." PACKAGE='openssh-server' 
@@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh index 11144d5..437897f 100755 --- a/bin/hardening/5.3.1_enable_pwquality.sh +++ b/bin/hardening/5.3.1_enable_pwquality.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set password creation requirement parameters using pam.cracklib." PACKAGE='libpam-pwquality' @@ -104,6 +106,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -114,6 +117,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.3.2_enable_lockout_failed_password.sh b/bin/hardening/5.3.2_enable_lockout_failed_password.sh index e535f7e..f898b72 100755 --- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh +++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set lockout for failed password attemps." PACKAGE='libpam-modules-bin' @@ -76,6 +78,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -86,6 +89,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.3.3_limit_password_reuse.sh b/bin/hardening/5.3.3_limit_password_reuse.sh index e0aa3f4..940365f 100755 --- a/bin/hardening/5.3.3_limit_password_reuse.sh +++ b/bin/hardening/5.3.3_limit_password_reuse.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Limit password reuse." PACKAGE='libpam-modules' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh index 868e482..d2e100d 100755 
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh +++ b/bin/hardening/5.3.4_acc_pam_sha512.sh @@ -56,6 +56,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -65,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh index a67f321..a7f2b68 100755 --- a/bin/hardening/5.4.1.1_set_password_exp_days.sh +++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set password expiration days." PACKAGE='login' @@ -86,6 +88,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh index 86f2951..80d7719 100755 --- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set password change minimum number of days." PACKAGE='login' @@ -86,6 +88,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh index 57d319b..a4c587e 100755 --- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set password expiration warning days." PACKAGE='login' @@ -86,6 +88,7 @@ EOF # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -96,6 +99,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.4.1.4_lock_inactive_user_account.sh b/bin/hardening/5.4.1.4_lock_inactive_user_account.sh index a10e2c8..850f46f 100755 --- a/bin/hardening/5.4.1.4_lock_inactive_user_account.sh +++ b/bin/hardening/5.4.1.4_lock_inactive_user_account.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Lock inactive user accounts." # This function will be called if the script status is on enabled / audit mode @@ -36,6 +38,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -46,6 +49,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh index adbcbc6..e41aafc 100755 --- a/bin/hardening/5.4.2_disable_system_accounts.sh +++ b/bin/hardening/5.4.2_disable_system_accounts.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Disable system accounts, preventing them from interactive login." ACCEPTED_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin' @@ -105,6 +107,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -115,6 +118,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.4.3_default_root_group.sh b/bin/hardening/5.4.3_default_root_group.sh index 80a5812..2f39290 100755 --- a/bin/hardening/5.4.3_default_root_group.sh +++ b/bin/hardening/5.4.3_default_root_group.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Set default group for root account to 0." USER='root' @@ -44,6 +46,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -54,6 +57,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh index 8e1901e..bdc556d 100755 --- a/bin/hardening/5.4.4_default_umask.sh +++ b/bin/hardening/5.4.4_default_umask.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Set default mask for users to 077." USER='root' @@ -94,6 +96,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -104,6 +107,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.5_secure_tty.sh b/bin/hardening/5.5_secure_tty.sh index 4464881..77b6c75 100755 --- a/bin/hardening/5.5_secure_tty.sh +++ b/bin/hardening/5.5_secure_tty.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Restrict root login to system console." FILE='/etc/securetty' @@ -36,6 +38,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -46,6 +49,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.6_restrict_su.sh b/bin/hardening/5.6_restrict_su.sh index 958dfd8..d088986 100755 --- a/bin/hardening/5.6_restrict_su.sh +++ b/bin/hardening/5.6_restrict_su.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Restrict access to su command." PACKAGE='login' @@ -60,6 +62,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -70,6 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh index ee4838c..a96e917 100755 --- a/bin/hardening/6.1.10_find_world_writable_file.sh +++ b/bin/hardening/6.1.10_find_world_writable_file.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=3 +# shellcheck disable=2034 DESCRIPTION="Ensure no world writable files exist" # This function will be called if the script status is on enabled / audit mode 
@@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh index 002f5c4..ea14d20 100755 --- a/bin/hardening/6.1.11_find_unowned_files.sh +++ b/bin/hardening/6.1.11_find_unowned_files.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure no unowned files or directories exist" USER='root' @@ -59,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -69,6 +72,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index 582bb0a..b0d0994 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure no ungrouped files or directories exist" GROUP='root' @@ -59,6 +61,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -69,6 +72,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh index e3b6507..d6c2a7a 100755 --- a/bin/hardening/6.1.13_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh @@ -14,6 +14,7 @@ set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Find SUID system executables." IGNORED_PATH='' @@ -66,6 +67,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -75,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh index 9649910..65c81ef 100755 --- a/bin/hardening/6.1.14_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh @@ -14,6 +14,7 @@ set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Find SGID system executables." IGNORED_PATH='' @@ -67,6 +68,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -76,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.5_etc_passwd_permissions.sh b/bin/hardening/6.1.5_etc_passwd_permissions.sh index 3a936e6..f1eb22a 100755 --- a/bin/hardening/6.1.5_etc_passwd_permissions.sh +++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd" FILE='/etc/passwd' @@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.6_etc_shadow_permissions.sh b/bin/hardening/6.1.6_etc_shadow_permissions.sh index 6303a09..a30392d 100755 --- a/bin/hardening/6.1.6_etc_shadow_permissions.sh +++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow" FILE='/etc/shadow' @@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.7_etc_group_permissions.sh b/bin/hardening/6.1.7_etc_group_permissions.sh index 94dddbc..f784cce 100755 --- a/bin/hardening/6.1.7_etc_group_permissions.sh +++ b/bin/hardening/6.1.7_etc_group_permissions.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group" FILE='/etc/group' 
@@ -61,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -71,6 +74,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh index 9295b94..1d1b28a 100755 --- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh +++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Check user dot file permissions." ERRORS=0 @@ -67,6 +69,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -77,6 +80,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.11_find_user_forward_files.sh b/bin/hardening/6.2.11_find_user_forward_files.sh index a2c3c69..11920a8 100755 --- a/bin/hardening/6.2.11_find_user_forward_files.sh +++ b/bin/hardening/6.2.11_find_user_forward_files.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="There is no user .forward files." ERRORS=0 @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.12_find_user_netrc_files.sh b/bin/hardening/6.2.12_find_user_netrc_files.sh index c117ddc..590b26c 100755 --- a/bin/hardening/6.2.12_find_user_netrc_files.sh +++ b/bin/hardening/6.2.12_find_user_netrc_files.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="There is no user .netrc files." ERRORS=0 @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh index 72f921e..802c0e8 100755 
--- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh +++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure users' .netrc Files are not group or world accessible" PERMISSIONS="600" @@ -66,6 +68,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -76,6 +79,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.14_find_user_rhosts_files.sh b/bin/hardening/6.2.14_find_user_rhosts_files.sh index 23f7d8a..5ebe13e 100755 --- a/bin/hardening/6.2.14_find_user_rhosts_files.sh +++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="No user's .rhosts file." ERRORS=0 @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh index 09df3cf..2138950 100755 --- a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="There is no group in /etc/passwd that is not in /etc/group." ERRORS=0 @@ -45,6 +47,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -55,6 +58,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.16_check_duplicate_uid.sh b/bin/hardening/6.2.16_check_duplicate_uid.sh index 1f97f5e..7e50ac5 100755 --- a/bin/hardening/6.2.16_check_duplicate_uid.sh +++ b/bin/hardening/6.2.16_check_duplicate_uid.sh @@ -69,6 +69,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -78,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
- # shellcheck source=/opt/debian-cis/lib/main.sh
- . "$CIS_ROOT_DIR"/lib/main.sh
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
 exit 128
diff --git a/bin/hardening/6.2.17_check_duplicate_gid.sh b/bin/hardening/6.2.17_check_duplicate_gid.sh
index 599f30d..2a4d1bb 100755
--- a/bin/hardening/6.2.17_check_duplicate_gid.sh
+++ b/bin/hardening/6.2.17_check_duplicate_gid.sh
@@ -50,6 +50,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@@ -59,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
- # shellcheck source=/opt/debian-cis/lib/main.sh
- . "$CIS_ROOT_DIR"/lib/main.sh
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
 exit 128
diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh
index 0ff4bd5..979ff31 100755
--- a/bin/hardening/6.2.18_check_duplicate_username.sh
+++ b/bin/hardening/6.2.18_check_duplicate_username.sh
@@ -12,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 HARDENING_LEVEL=1
+# shellcheck disable=2034
 DESCRIPTION="There is no duplicate usernames."
 ERRORS=0
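Review bot: The new `if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then` and `. $CIS_ROOT_DIR/lib/main.sh` lines in the `@@ -78,9 +79,9 @@` hunk of 6.2.16_check_duplicate_uid.sh drop the double quotes the removed lines had, which reintroduces SC2086 in a commit meant to satisfy ShellCheck. `CIS_ROOT_DIR` comes from /etc/default/cis-hardening and selects the file this script sources, so a value containing whitespace or glob characters would be word-split or expanded before `[ -r … ]` and `.` see it. Only the `source=` directive needed to change; keep `if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then` and `. "$CIS_ROOT_DIR"/lib/main.sh`. The same unquoting appears in the 6.2.17, 6.2.5, 99.1, 99.3.1, 99.3.2, 99.3.4, 99.5.1, 99.5.2.3 and 99.5.3 through 99.5.8 hunks.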
@@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh index 011eaf0..8eb81ac 100755 --- a/bin/hardening/6.2.19_check_duplicate_groupname.sh +++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="There is no duplicate group names." ERRORS=0 @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.1_remove_empty_password_field.sh b/bin/hardening/6.2.1_remove_empty_password_field.sh index 36eae08..c2751b7 100755 --- a/bin/hardening/6.2.1_remove_empty_password_field.sh +++ b/bin/hardening/6.2.1_remove_empty_password_field.sh 
@@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Ensure password fields are not empty in /etc/shadow." @@ -49,6 +51,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -59,6 +62,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.20_shadow_group_empty.sh b/bin/hardening/6.2.20_shadow_group_empty.sh index 39397c6..bf2b708 100755 --- a/bin/hardening/6.2.20_shadow_group_empty.sh +++ b/bin/hardening/6.2.20_shadow_group_empty.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)." ERRORS=0 @@ -57,6 +59,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -67,6 +70,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh index 82a6476..27a5525 100755 --- a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh +++ b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Verify no legacy + entries exist in /etc/password file." FILE='/etc/passwd' @@ -51,6 +53,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -61,6 +64,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh index b610a8a..7ca87de 100755 --- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=1 +# shellcheck disable=2034 DESCRIPTION="Verify no legacy + entries exist in /etc/shadow file." FILE='/etc/shadow' @@ -51,6 +53,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -61,6 +64,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+# shellcheck source=../../lib/main.sh
 . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/6.2.4_remove_legacy_group_entries.sh b/bin/hardening/6.2.4_remove_legacy_group_entries.sh
index 9a1819c..79dca7d 100755
--- a/bin/hardening/6.2.4_remove_legacy_group_entries.sh
+++ b/bin/hardening/6.2.4_remove_legacy_group_entries.sh
@@ -12,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 HARDENING_LEVEL=1
+# shellcheck disable=2034
 DESCRIPTION="Verify no legacy + entries exist in /etc/group file."
 FILE='/etc/group'
@@ -51,6 +53,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@@ -61,6 +64,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+# shellcheck source=../../lib/main.sh
 . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
index 97f1c08..7f32d77 100755
--- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
@@ -12,9 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
+# shellcheck disable=2034
 DESCRIPTION="Verify root is the only UID 0 account."
 EXCEPTIONS=""
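Review bot: The `@@ -12,9 +12,11 @@` hunk of 6.2.5_find_0_uid_non_root_account.sh adds `# shellcheck disable=2034` next to an identical directive that was already in the file, so `HARDENING_LEVEL` and `DESCRIPTION` each end up with two copies. Both `+` lines in this hunk can be dropped; the first hunk of 99.5.3_ssh_disable_features.sh has the same duplication above `DESCRIPTION`. Across the commit I would also spell the code as `SC2034` and say why the warning is suppressed, for example `# shellcheck disable=SC2034 # read by lib/main.sh`, assuming that is where these variables are consumed.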
@@ -68,6 +70,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -77,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh index 40cff74..3b12a26 100755 --- a/bin/hardening/6.2.6_sanitize_root_path.sh +++ b/bin/hardening/6.2.6_sanitize_root_path.sh @@ -16,7 +16,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure root path integrity." ERRORS=0 @@ -78,6 +80,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -88,6 +91,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh index b431a2c..8550f55 100755 --- a/bin/hardening/6.2.7_users_valid_homedir.sh 
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Users are assigned valid home directories." ERRORS=0 @@ -48,6 +50,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -58,6 +61,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh index 8fdf38b..efedc59 100755 --- a/bin/hardening/6.2.8_check_user_dir_perm.sh +++ b/bin/hardening/6.2.8_check_user_dir_perm.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Check permissions on user home directories." ERRORS=0 @@ -108,6 +110,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -118,6 +121,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh index 2101122..1f920ec 100755 --- a/bin/hardening/6.2.9_users_valid_homedir.sh +++ b/bin/hardening/6.2.9_users_valid_homedir.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Ensure users own their home directories" EXCEPTIONS="" @@ -80,6 +82,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -90,6 +93,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh index 157441a..537729c 100755 --- a/bin/hardening/8.0_enable_auditd_kernel.sh +++ b/bin/hardening/8.0_enable_auditd_kernel.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel." # Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :) @@ -49,6 +51,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -59,6 +62,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index b2d3bd9..9b1099c 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -12,7 +12,9 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=4 +# shellcheck disable=2034 DESCRIPTION="Ensure tripwire package is installed." # NB : in CIS, AIDE has been chosen, however we chose tripwire @@ -47,6 +49,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -57,6 +60,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +# shellcheck source=../../lib/main.sh . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh index 752c001..a93f79a 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/8.3.2_tripwire_cron.sh @@ -63,6 +63,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index 851a079..ba9b002 100755 
--- a/bin/hardening/99.1_timeout_tty.sh
+++ b/bin/hardening/99.1_timeout_tty.sh
@@ -102,6 +102,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@@ -111,9 +112,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
- # shellcheck source=/opt/debian-cis/lib/main.sh
- . "$CIS_ROOT_DIR"/lib/main.sh
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
 exit 128
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
index 77d7391..4188bb2 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
+++ b/bin/hardening/99.2_disable_usb_devices.sh
@@ -13,6 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 USER='root'
+# shellcheck disable=2034
 DESCRIPTION="USB devices are disabled."
 PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"'
 # We do test disabled by default, whitelist is up to you
@@ -105,6 +106,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@@ -115,6 +117,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+# shellcheck source=../../lib/main.h
 . $CIS_ROOT_DIR/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
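Review bot: The directive added in the last hunk of 99.2_disable_usb_devices.sh (`@@ -115,6 +117,7 @@`) names `../../lib/main.h`, while the line below it sources `main.sh`. ShellCheck is therefore pointed at a file that, as far as this page shows, does not exist, and SC1091 would not be resolved for this script. It should read `# shellcheck source=../../lib/main.sh`, as in the other scripts of this commit. The `else` branch continues past the end of the hunk.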
diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.3.1_acc_shadow_sha512.sh index 733d427..a5ab471 100755 --- a/bin/hardening/99.3.1_acc_shadow_sha512.sh +++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh @@ -65,6 +65,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -74,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.3.2_acc_sudoers_no_all.sh b/bin/hardening/99.3.2_acc_sudoers_no_all.sh index f659c66..fdbac25 100755 --- a/bin/hardening/99.3.2_acc_sudoers_no_all.sh +++ b/bin/hardening/99.3.2_acc_sudoers_no_all.sh @@ -82,6 +82,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -91,9 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/99.3.4_acc_logindefs_sha512.sh b/bin/hardening/99.3.4_acc_logindefs_sha512.sh index 8ef744e..a3f96fa 100755 --- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh +++ b/bin/hardening/99.3.4_acc_logindefs_sha512.sh @@ -58,6 +58,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -67,9 +68,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh index 935af44..e14fd26 100755 --- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh +++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh @@ -79,6 +79,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -88,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh index cd12823..950ec62 100755 --- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh +++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh @@ -96,6 +96,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -105,9 +106,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh index 1a94d6c..cb7c142 100755 --- a/bin/hardening/99.5.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.3_ssh_disable_features.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 # shellcheck disable=2034 DESCRIPTION="Check all special features in sshd_config are disabled" @@ -78,6 +79,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -87,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index 5f1278f..52f7ecc 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -167,6 +167,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -176,9 +177,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh index 007b975..22fb71e 100755 --- a/bin/hardening/99.5.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.5_ssh_strict_modes.sh @@ -78,6 +78,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -87,9 +88,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh index 6e631b5..6d5c223 100755 --- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh +++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh @@ -70,6 +70,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -79,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh index aad4562..0298dfd 100755 --- a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh +++ b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh @@ -48,6 +48,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -57,9 +58,9 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh index 590ff8f..30c3e76 100755 --- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh +++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh @@ -80,6 +80,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then @@ -89,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh index 1cc55dd..9d2b5ed 100755 --- a/bin/hardening/99.5.9_ssh_loglevel.sh +++ b/bin/hardening/99.5.9_ssh_loglevel.sh @@ -79,6 +79,7 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then +# shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then 
@@ -88,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=/opt/debian-cis/lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . $CIS_ROOT_DIR/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128