IMP(shellcheck): replace ! -z by -n (SC2236)
This commit is contained in:
parent
eaf56ca25e
commit
d371b8d057
@ -22,7 +22,7 @@ audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
@ -34,7 +34,7 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
else
|
||||
ok "All world writable directories have a sticky bit, nothing to apply"
|
||||
|
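Review bot: The `df ... | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t` line in `apply()` hands `find -print` output to `xargs` whitespace-split, so a directory name containing a blank or newline becomes several `chmod` arguments; since any local user can create a world-writable directory under /tmp, a crafted name could presumably steer the root-run `chmod a+t` onto a path the audit never matched. That line also drops the `! -perm -1000` filter used by the audit and by the `RESULT` find above it, so already-sticky directories are re-chmod'ed on every run. Suggested replacement: `df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null | xargs -0 chmod a+t`.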
@ -44,7 +44,7 @@ audit() {
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
|
||||
crit "$RESULT"
|
||||
else
|
||||
@ -71,7 +71,7 @@ apply() {
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
|
||||
warn "$RESULT"
|
||||
for USER in $(echo "$RESULT" | cut -d: -f 1); do
|
||||
|
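Review bot: The `for USER in $(echo "$RESULT" | cut -d: -f 1)` loop in `apply()` assigns to `USER`, the login-name environment variable, so anything later in this script or in a sourced helper that reads `$USER` expecting the invoking account would see the last admin account processed instead. A lowercase loop variable avoids the clash and drops the `echo |` pipe: `for account in $(cut -d: -f1 <<<"$RESULT"); do`. The loop body continues outside the hunk, so the rename would have to be carried through it.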
@ -22,7 +22,7 @@ audit() {
|
||||
info "Checking if there are world writable files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
@ -34,7 +34,7 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "chmoding o-w all files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
||||
else
|
||||
|
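Review bot: The `find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w` line in `apply()` splits file names on blanks and newlines, and world-writable files are precisely what an unprivileged user can create (e.g. under /tmp), so a name such as `x /some/other/path` would presumably make the root-run `chmod o-w` act on a path the script never selected. NUL-delimit the hand-off instead: `... -type f -perm -0002 -print0 2>/dev/null | xargs -0 chmod o-w`. The preceding `warn "chmoding o-w all files in the system"` also overstates what is done; `warn "chmoding o-w all world writable files"` matches the find.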
@ -24,12 +24,12 @@ EXCLUDED=''
|
||||
audit() {
|
||||
info "Checking if there are unowned files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some unowned files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
@ -40,12 +40,12 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Applying chown on all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
else
|
||||
|
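Review bot: `xargs chown $USER` at the end of `apply()` receives `find -nouser -print` output split on whitespace, so an unowned file whose name contains a blank or newline is turned into several `chown` targets; `... -nouser -print0 2>/dev/null | xargs -0 chown -- "$USER"` keeps each path intact. Where `$USER` is set is not visible in this hunk — if it is the environment login name rather than a configured owner, a run from a non-root login could hand every unowned file to that account, so a guard such as `: "${USER:?owner for unowned files not set}"` before the chown would make the assumption explicit. The `RESULT` find uses `-ls` while the chown find uses `-print`; harmless, but the two filters are easy to let drift apart.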
@ -24,12 +24,12 @@ EXCLUDED=''
|
||||
audit() {
|
||||
info "Checking if there are ungrouped files"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some ungrouped files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
@ -40,12 +40,12 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Applying chgrp on all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
else
|
||||
|
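Review bot: `xargs chgrp $GROUP` at the end of `apply()` has the same whitespace-splitting hand-off as the unowned-files script: a file name with a blank or newline becomes several `chgrp` targets. Use `... -nogroup -print0 2>/dev/null | xargs -0 chgrp -- "$GROUP"`, and since `$GROUP` is not set anywhere in this hunk, consider `: "${GROUP:?group for ungrouped files not set}"` ahead of it so an empty value fails early rather than producing a malformed `chgrp` call.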
@ -23,7 +23,7 @@ audit() {
|
||||
info "Checking if there are suid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||
@ -36,7 +36,7 @@ audit() {
|
||||
BAD_BINARIES="$BAD_BINARIES $BINARY"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$BAD_BINARIES" ]; then
|
||||
if [ -n "$BAD_BINARIES" ]; then
|
||||
crit "Some suid files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
|
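Review bot: Both `FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 ...)` calls in `audit()` lack the `2>/dev/null` that every other audit touched by this commit carries, so permission-denied or vanished-mount errors from `find` end up in the report when `$SUDO_CMD` is empty. Appending `2>/dev/null` to both keeps the script consistent with its siblings. The loop that fills `BAD_BINARIES` begins outside the hunk; note that it space-joins paths, so a setuid file with a blank in its path is reported as two fragments by the `sed "s/ /\n/g"` formatting.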
@ -23,7 +23,7 @@ audit() {
|
||||
info "Checking if there are sgid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||
@ -36,7 +36,7 @@ audit() {
|
||||
BAD_BINARIES="$BAD_BINARIES $BINARY"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$BAD_BINARIES" ]; then
|
||||
if [ -n "$BAD_BINARIES" ]; then
|
||||
crit "Some sgid files are present"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
|
@ -51,7 +51,7 @@ apply() {
|
||||
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
|
||||
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
|
||||
warn "Group Write permission set on FILE $FILE"
|
||||
chmod g-w "$FILE"
|
||||
chmod g-w "$FILE"
|
||||
fi
|
||||
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
|
||||
warn "Other Write permission set on FILE $FILE"
|
||||
|
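Review bot: `FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")` leaves `$FILE` unquoted while `chmod g-w "$FILE"` two lines below quotes it, and the `[ $(echo $FILEPERM | cut -c6) != "-" ]` test raises a `[: !=: unary operator expected` error when `ls` fails and `FILEPERM` is empty. Reading the mode with `stat` and quoting the substitution removes both problems: `FILEPERM=$(stat -c '%A' -- "$FILE")` and `if [ "$(cut -c6 <<<"$FILEPERM")" != "-" ]; then` (same for the `cut -c9` test). The loop that sets `FILE` begins outside the hunk.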
@ -21,9 +21,9 @@ DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
|
||||
audit() {
|
||||
info "Checking if accounts have an empty password"
|
||||
RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some accounts have an empty password"
|
||||
crit $RESULT
|
||||
crit "$RESULT"
|
||||
else
|
||||
ok "All accounts have a password"
|
||||
fi
|
||||
@ -32,7 +32,7 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Some accounts have an empty password"
|
||||
for ACCOUNT in $RESULT; do
|
||||
info "Locking $ACCOUNT"
|
||||
|
@ -17,7 +17,6 @@ HARDENING_LEVEL=1
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
|
||||
|
||||
ERRORS=0
|
||||
FILEGROUP='/etc/group'
|
||||
PATTERN='^shadow:x:[[:digit:]]+:'
|
||||
|
||||
@ -29,7 +28,7 @@ audit() {
|
||||
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
|
||||
GROUPID=$(getent group shadow | cut -d: -f3)
|
||||
debug "$RESULT $GROUPID"
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some users belong to shadow group: $RESULT"
|
||||
else
|
||||
ok "No user belongs to shadow group"
|
||||
@ -37,7 +36,7 @@ audit() {
|
||||
|
||||
info "Checking if a user has $GROUPID as primary group"
|
||||
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some users have shadow id as their primary group: $RESULT"
|
||||
else
|
||||
ok "No user has shadow id as their primary group"
|
||||
|
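Review bot: The two checks in `audit()` read inconsistent sources: the member check parses `/etc/group` via `grep -E "$PATTERN" $FILEGROUP` and the primary-group check scans `/etc/passwd` directly, while `GROUPID` comes from `getent group shadow`, so accounts or group memberships served only through NSS (LDAP, sssd) are presumably missed — whereas the empty-password audit in this same commit goes through `get_db shadow`. If that helper is available here, `RESULT=$(getent group shadow | cut -d: -f4)` and `get_db passwd | awk -F: '($4 == shadowid) { print $1 }' shadowid="$GROUPID"` would bring this script in line with it. The `PATTERN` `^shadow:x:[[:digit:]]+:` also requires a literal `x` password field, so a group line with any other marker is silently skipped.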
@ -40,7 +40,7 @@ audit() {
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some accounts have uid 0: $(tr '\n' ' ' <<<"$RESULT")"
|
||||
else
|
||||
ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS"
|
||||
|
@ -53,12 +53,12 @@ check_ip() {
|
||||
ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
|
||||
bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
|
||||
if [[ -z $bad_ips ]]; then
|
||||
if [[ ! -z $ok_ips ]]; then
|
||||
if [[ -n $ok_ips ]]; then
|
||||
ok "Line $linum of $file allows ssh access only from allowed IPs ($ok_ips)."
|
||||
fi
|
||||
else
|
||||
crit "Line $linum of $file allows ssh access from (${bad_ips}) that are not allowed."
|
||||
if [[ ! -z $ok_ips ]]; then
|
||||
if [[ -n $ok_ips ]]; then
|
||||
ok "Line $linum of $file allows ssh access from at least allowed IPs ($ok_ips)."
|
||||
fi
|
||||
fi
|
||||
|
@ -12,7 +12,7 @@ test_audit() {
|
||||
describe Tests purposely failing
|
||||
local targetdir="/home/secaudit/world_writable_folder"
|
||||
mkdir $targetdir || true
|
||||
chmod 777 $targetdir
|
||||
chmod 777 "$targetdir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable directories are not on sticky bit mode"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
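Review bot: The commit quotes `chmod 777 "$targetdir"` but the line just above it, `mkdir $targetdir || true`, still expands the same variable unquoted; quoting both keeps the pair consistent (`mkdir "$targetdir" || true`). The `|| true` also masks every failure, not just "already exists", so an unwritable parent would leave the test chmod-ing a missing path; `mkdir -p -- "$targetdir"` expresses the intent and still fails loudly on real errors.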
@ -70,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
|
||||
if [[ -n "$failedtarget" && "$nowait" -eq 0 ]]; then
|
||||
echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
|
||||
echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
|
||||
echo -e "and \e[1mq\e[0m to quit"
|
||||
|