diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 01411b2..436aeb2 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -22,7 +22,7 @@ audit() {
 info "Checking if setuid is set on world writable Directories"
 FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
@@ -34,7 +34,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
 else
 ok "All world writable directories have a sticky bit, nothing to apply"
diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh
index 5efbd27..a6f00cd 100755
--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
@@ -44,7 +44,7 @@ audit() {
 fi
 done
 IFS=$IFS_BAK
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
 crit "$RESULT"
 else
@@ -71,7 +71,7 @@ apply() {
 fi
 done
 IFS=$IFS_BAK
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
 warn "$RESULT"
 for USER in $(echo "$RESULT" | cut -d: -f 1); do
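Review bot: The quoting cleanup in the audit hunk stops one line short: `FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')` still here-strings an unquoted `$RESULT`, and the `sed` turns every space into a newline, so a world-writable directory whose path contains a space is reported as two separate entries and the `chmod` in apply never sees that path as reported. `find -print` already emits one path per line, so the line can shrink to `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')`. The same line recurs in the audit hunks of 6.1.10, 6.1.11 and 6.1.12; 6.1.13 and 6.1.14 quote the here-string but still split on spaces because `BAD_BINARIES` is joined with a space. audit's body continues outside the hunk.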
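Review bot: The remediation line in the apply hunk, `... find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t`, feeds newline-separated paths into a whitespace-splitting `xargs`, so a directory whose name contains a space or newline is split into fragments and `chmod` is run on paths that were never found. Delimiting with NUL end to end fixes it: `find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t`. The same shape appears in the apply hunks of 6.1.10 (`xargs chmod o-w`), 6.1.11 (`xargs chown $USER`) and 6.1.12 (`xargs chgrp $GROUP`). apply's body continues outside the hunk.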
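Review bot: The last line of the 5.4.2 apply hunk, `for USER in $(echo "$RESULT" | cut -d: -f 1); do`, reuses `USER` as its loop variable and so overwrites the `USER` environment variable for the rest of the script; anything that reads `$USER` afterwards sees the last admin account processed rather than the invoking user. Renaming it, `for ACCOUNT in $(cut -d: -f1 <<<"$RESULT"); do`, as 6.2.1 already does, avoids the clobber and drops the `echo` pipe. The loop body runs past the end of the hunk, so I cannot see whether `$USER` is read later.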
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index d0fcaa9..4426181 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@@ -22,7 +22,7 @@ audit() {
 info "Checking if there are world writable files"
 FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
@@ -34,7 +34,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 warn "chmoding o-w all files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
 else
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index 65fba68..3c464f6 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -24,12 +24,12 @@ EXCLUDED=''
 audit() {
 info "Checking if there are unowned files"
 FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
- if [ ! -z $EXCLUDED ]; then
+ if [ -n "$EXCLUDED" ]; then
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
 else
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
 fi
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some unowned files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
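Review bot: Quoting `$EXCLUDED` in the 6.1.11 audit hunk makes the `[ -n ... ]` test correct for patterns with spaces or `|`, but nothing says what the value is matched against: GNU `find -regex` matches the whole path, not a substring, so an exclusion like `/var/lib/docker` matches nothing unless written `/var/lib/docker/.*`. A comment above the new `if`, `# find -regex matches the full path: EXCLUDED must be an egrep pattern covering the whole path, e.g. '/var/lib/docker/.*'`, would spare the next maintainer that surprise. The same applies to `$EXCLUDED` in 6.1.12 and `$IGNORED_PATH` in 6.1.13 and 6.1.14, where the variable declarations sit outside the hunks.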
@@ -40,12 +40,12 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
- if [ ! -z $EXCLUDED ]; then
+ if [ -n "$EXCLUDED" ]; then
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
 else
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
 fi
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 warn "Applying chown on all unowned files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
 else
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index 6f9bfdc..717fc16 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@@ -24,12 +24,12 @@ EXCLUDED=''
 audit() {
 info "Checking if there are ungrouped files"
 FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
- if [ ! -z $EXCLUDED ]; then
+ if [ -n "$EXCLUDED" ]; then
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
 else
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
 fi
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some ungrouped files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
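Review bot: `xargs chown $USER` in the 6.1.11 apply hunk gives every unowned file to whatever `$USER` holds when the script runs, and the hunk does not show where that comes from; if it is left to the environment rather than set in the script header, it may be empty (so `chown` fails on the first path) or name an interactive account, handing that account ownership of files the check just found orphaned. If it is a configuration variable, quote it and make the intent explicit, `xargs -0 chown -- "$USER"`; if it is not, pin the owner to root or a declared variable. The check two lines above also enumerates with `-ls` while the chown re-runs `find -print`, so the files changed are not the files tested; reusing `$RESULT` closes that gap. The same applies to `chgrp $GROUP` in 6.1.12's apply hunk, and apply's body continues outside the hunk.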
@@ -40,12 +40,12 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
- if [ ! -z $EXCLUDED ]; then
+ if [ -n "$EXCLUDED" ]; then
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
 else
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
 fi
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 warn "Applying chgrp on all ungrouped files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
 else
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh
index bd86cac..a6f3be6 100755
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@@ -23,7 +23,7 @@ audit() {
 info "Checking if there are suid files"
 FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
 # shellcheck disable=2086
- if [ ! -z $IGNORED_PATH ]; then
+ if [ -n "$IGNORED_PATH" ]; then
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
 else
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
@@ -36,7 +36,7 @@ audit() {
 BAD_BINARIES="$BAD_BINARIES $BINARY"
 fi
 done
- if [ ! -z "$BAD_BINARIES" ]; then
+ if [ -n "$BAD_BINARIES" ]; then
 crit "Some suid files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh
index b68970d..a5afa32 100755
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@@ -23,7 +23,7 @@ audit() {
 info "Checking if there are sgid files"
 FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
 # shellcheck disable=2086
- if [ ! -z $IGNORED_PATH ]; then
+ if [ -n "$IGNORED_PATH" ]; then
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
 else
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
@@ -36,7 +36,7 @@ audit() {
 BAD_BINARIES="$BAD_BINARIES $BINARY"
 fi
 done
- if [ ! -z "$BAD_BINARIES" ]; then
+ if [ -n "$BAD_BINARIES" ]; then
 crit "Some sgid files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index 10ebbc0..f37d208 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -51,7 +51,7 @@ apply() {
 FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
 if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
- chmod g-w "$FILE"
+ chmod g-w "$FILE"
 fi
 if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
 warn "Other Write permission set on FILE $FILE"
diff --git a/bin/hardening/6.2.1_remove_empty_password_field.sh b/bin/hardening/6.2.1_remove_empty_password_field.sh
index acf64a6..c2b7373 100755
--- a/bin/hardening/6.2.1_remove_empty_password_field.sh
+++ b/bin/hardening/6.2.1_remove_empty_password_field.sh
@@ -21,9 +21,9 @@ DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 audit() {
 info "Checking if accounts have an empty password"
 RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some accounts have an empty password"
- crit $RESULT
+ crit "$RESULT"
 else
 ok "All accounts have a password"
 fi
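Review bot: In the 6.2.1 audit hunk, `crit "$RESULT"` fixes the globbing and word-splitting of the old `crit $RESULT`, but it also changes the message from one space-joined line to a multi-line message, since `$RESULT` holds one account per line from `awk`. 6.2.5 in this same commit formats the same kind of list as `crit "Some accounts have uid 0: $(tr '\n' ' ' <<<"$RESULT")"`; doing the same here, `crit "$(tr '\n' ' ' <<<"$RESULT")"`, keeps log output consistent and one-line per finding. Whether anything parses these lines I cannot tell from the hunk.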
@@ -32,7 +32,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 warn "Some accounts have an empty password"
 for ACCOUNT in $RESULT; do
 info "Locking $ACCOUNT"
diff --git a/bin/hardening/6.2.20_shadow_group_empty.sh b/bin/hardening/6.2.20_shadow_group_empty.sh
index 67c7dfc..3bab01a 100755
--- a/bin/hardening/6.2.20_shadow_group_empty.sh
+++ b/bin/hardening/6.2.20_shadow_group_empty.sh
@@ -17,7 +17,6 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
 
-ERRORS=0
 FILEGROUP='/etc/group'
 PATTERN='^shadow:x:[[:digit:]]+:'
@@ -29,7 +28,7 @@ audit() {
 RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
 GROUPID=$(getent group shadow | cut -d: -f3)
 debug "$RESULT $GROUPID"
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some users belong to shadow group: $RESULT"
 else
 ok "No user belongs to shadow group"
@@ -37,7 +36,7 @@ audit() {
 
 info "Checking if a user has $GROUPID as primary group"
 RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some users have shadow id as their primary group: $RESULT"
 else
 ok "No user has shadow id as their primary group"
diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
index 93eba10..06da46e 100755
--- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh
@@ -40,7 +40,7 @@ audit() {
 debug "$ACCOUNT not found in exceptions"
 fi
 done
- if [ ! -z "$RESULT" ]; then
+ if [ -n "$RESULT" ]; then
 crit "Some accounts have uid 0: $(tr '\n' ' ' <<<"$RESULT")"
 else
 ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS"
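Review bot: The quoting pass in 6.2.20 leaves two expansions unquoted in the audit hunks it touches: `grep -E "$PATTERN" $FILEGROUP` on the first line of the `-29,7` hunk and `shadowid=$GROUPID` in the `-37,7` hunk; for consistency with the rest of this commit they should read `grep -E "$PATTERN" "$FILEGROUP"` and `shadowid="$GROUPID"`. The second one matters: if `getent group shadow` returns nothing, `$GROUPID` is empty and the unquoted form still parses, but the `awk` then compares `$4` against the empty string and silently reports no primary-group members, so an `[ -n "$GROUPID" ]` guard before the `awk` with an explicit `warn` would make that case visible. The hunk above removed `ERRORS=0`; I cannot see the rest of the file, so please confirm no later line still reads `ERRORS` (under `set -u` that would abort the audit).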
diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh
index 9abbf98..7d97cf7 100755
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@@ -53,12 +53,12 @@ check_ip() {
 ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
 bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
 if [[ -z $bad_ips ]]; then
- if [[ ! -z $ok_ips ]]; then
+ if [[ -n $ok_ips ]]; then
 ok "Line $linum of $file allows ssh access only from allowed IPs ($ok_ips)."
 fi
 else
 crit "Line $linum of $file allows ssh access from (${bad_ips}) that are not allowed."
- if [[ ! -z $ok_ips ]]; then
+ if [[ -n $ok_ips ]]; then
 ok "Line $linum of $file allows ssh access from at least allowed IPs ($ok_ips)."
 fi
 fi
diff --git a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 23aa02d..4602fcd 100755
--- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -12,7 +12,7 @@ test_audit() {
 describe Tests purposely failing
 local targetdir="/home/secaudit/world_writable_folder"
 mkdir $targetdir || true
- chmod 777 $targetdir
+ chmod 777 "$targetdir"
 register_test retvalshouldbe 1
 register_test contain "Some world writable directories are not on sticky bit mode"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
diff --git a/tests/run_all_targets.sh b/tests/run_all_targets.sh
index 6a81321..3765117 100755
--- a/tests/run_all_targets.sh
+++ b/tests/run_all_targets.sh
@@ -70,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
 fi
 done
-if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
+if [[ -n "$failedtarget" && "$nowait" -eq 0 ]]; then
 echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
 echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
 echo -e "and \e[1mq\e[0m to quit"
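Review bot: In the tests/1.1.21 hunk, `mkdir $targetdir || true` on the line directly above the newly quoted `chmod 777 "$targetdir"` is still unquoted, and its `|| true` hides every `mkdir` failure, not just "already exists", so a permission or disk error would surface later as a confusing `chmod` failure. `mkdir -p -- "$targetdir"` expresses the intent (idempotent create) without the blanket suppression and keeps the quoting consistent with the line the commit fixed. test_audit's body continues past the hunk.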