diff --git a/bin/hardening/1.1.1.1_disable_freevxfs.sh b/bin/hardening/1.1.1.1_disable_freevxfs.sh index c7c3677..8c5a18a 100755 --- a/bin/hardening/1.1.1.1_disable_freevxfs.sh +++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh @@ -23,8 +23,8 @@ MODULE_NAME="freevxfs" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.2_disable_jffs2.sh b/bin/hardening/1.1.1.2_disable_jffs2.sh index ce8dc89..afd1cea 100755 --- a/bin/hardening/1.1.1.2_disable_jffs2.sh +++ b/bin/hardening/1.1.1.2_disable_jffs2.sh 
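Review bot: In `apply`, `is_kernel_option_enabled "$KERNEL_OPTION"` is called with one argument, while `audit` in the same file also passes `"$MODULE_NAME"`, so the two functions may not be checking the same thing. The helper's body is not shown here; if its second argument is what makes it look for a loadable module, `apply` can print "is disabled, nothing to do" on a host where `audit` reports `crit`. Passing the same arguments, `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"`, would keep them aligned. The same one-argument call appears in the `apply` hunks of 1.1.1.2 through 1.1.1.7 (with `$MODULE_FILE` in 1.1.1.3, 1.1.1.4, 1.1.1.5 and 1.1.1.7). Both function bodies continue past the end of their hunks.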
@@ -23,8 +23,8 @@ MODULE_NAME="jffs2" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh index 684be0a..344de96 100755 --- a/bin/hardening/1.1.1.3_disable_hfs.sh +++ b/bin/hardening/1.1.1.3_disable_hfs.sh 
@@ -23,8 +23,8 @@ MODULE_FILE="hfs" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh index 0d8fd2b..4b3ce21 100755 --- a/bin/hardening/1.1.1.4_disable_hfsplus.sh +++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh 
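Review bot: `$MODULE_FILE` is still unquoted in the new `audit` line, `is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE`, although the matching line in 1.1.1.1, 1.1.1.2 and 1.1.1.6 quotes `"$MODULE_NAME"`. Quote it here too: `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"`. The `audit` hunks of 1.1.1.4, 1.1.1.5 and 1.1.1.7 have the same leftover.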
@@ -23,8 +23,8 @@ MODULE_FILE="hfsplus" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.5_disable_udf.sh b/bin/hardening/1.1.1.5_disable_udf.sh index 746c306..d281091 100755 --- a/bin/hardening/1.1.1.5_disable_udf.sh +++ b/bin/hardening/1.1.1.5_disable_udf.sh 
@@ -23,8 +23,8 @@ MODULE_FILE="udf" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.6_disable_cramfs.sh b/bin/hardening/1.1.1.6_disable_cramfs.sh index 0818ca1..95bf7f8 100755 --- a/bin/hardening/1.1.1.6_disable_cramfs.sh +++ b/bin/hardening/1.1.1.6_disable_cramfs.sh 
@@ -23,8 +23,8 @@ MODULE_NAME="cramfs" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -34,8 +34,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.1.7_disable_squashfs.sh b/bin/hardening/1.1.1.7_disable_squashfs.sh index d49bb88..25dec28 100755 --- a/bin/hardening/1.1.1.7_disable_squashfs.sh +++ b/bin/hardening/1.1.1.7_disable_squashfs.sh 
@@ -23,8 +23,8 @@ MODULE_FILE="squashfs" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" else ok "$KERNEL_OPTION is disabled" @@ -34,8 +34,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else ok "$KERNEL_OPTION is disabled, nothing to do" @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.10_var_tmp_noexec.sh b/bin/hardening/1.1.10_var_tmp_noexec.sh index b90445d..14f4802 100755 --- a/bin/hardening/1.1.10_var_tmp_noexec.sh +++ b/bin/hardening/1.1.10_var_tmp_noexec.sh 
@@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.11_var_log_partition.sh b/bin/hardening/1.1.11_var_log_partition.sh index 5494047..13ed458 100755 --- a/bin/hardening/1.1.11_var_log_partition.sh +++ b/bin/hardening/1.1.11_var_log_partition.sh 
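Review bot: The two `if [ $FNRET -gt 0 ]` tests in `audit` are left unquoted, while the `=` tests in `apply` were quoted. With an empty or non-numeric `FNRET`, `[` fails with an error status, the `if` is false, and the `else` branch prints `ok`, so the audit passes on an error. Quoting alone does not change that outcome; a default such as `if [ "${FNRET:-1}" -gt 0 ]; then` makes a missing value count as a failure. Whether `has_mount_option` and `has_mounted_option` always set `FNRET` cannot be seen from this hunk. The same tests appear in the `audit` hunks of 1.1.14 through 1.1.20 and 1.1.3 through 1.1.5.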
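Review bot: `add_option_to_fstab $PARTITION $OPTION` is the one call in `apply` that stays unquoted, and judging by its name and the `info "Adding $OPTION to fstab"` line before it, it is the call that edits fstab. Word splitting or globbing on either value would hand the helper different arguments from the ones `audit` checked; use `add_option_to_fstab "$PARTITION" "$OPTION"`. The same line is left unquoted in the `apply` hunks of 1.1.14 through 1.1.20 and 1.1.3 through 1.1.5.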
@@ -42,13 +42,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } @@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.12_var_log_audit_partition.sh b/bin/hardening/1.1.12_var_log_audit_partition.sh index 8bceeec..04350d5 100755 --- a/bin/hardening/1.1.12_var_log_audit_partition.sh +++ b/bin/hardening/1.1.12_var_log_audit_partition.sh @@ -41,13 +41,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } 
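Review bot: The exit status of `mount "$PARTITION"` is ignored, so `apply` emits no `crit` or `warn` of its own when the mount fails. The `else` branch also runs for every `FNRET` other than 0 and 2, so an unexpected value ends in a mount attempt. Something like `mount "$PARTITION" || crit "Cannot mount $PARTITION"` would put the failure in the tool's own output. The `apply` hunks of 1.1.12, 1.1.13 and 1.1.2 have the same lines.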
@@ -69,9 +69,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.13_home_partition.sh b/bin/hardening/1.1.13_home_partition.sh index 1f0b2a1..6936011 100755 --- a/bin/hardening/1.1.13_home_partition.sh +++ b/bin/hardening/1.1.13_home_partition.sh @@ -42,13 +42,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } @@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.14_home_nodev.sh b/bin/hardening/1.1.14_home_nodev.sh index ff0ab65..23b4802 100755 --- a/bin/hardening/1.1.14_home_nodev.sh +++ b/bin/hardening/1.1.14_home_nodev.sh 
@@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh index 36f985c..fd33215 100755 --- a/bin/hardening/1.1.15_run_shm_nodev.sh +++ b/bin/hardening/1.1.15_run_shm_nodev.sh 
@@ -32,13 +32,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -51,18 +51,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -86,7 +86,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh index 227d5cf..3977a50 100755 --- a/bin/hardening/1.1.16_run_shm_nosuid.sh +++ b/bin/hardening/1.1.16_run_shm_nosuid.sh 
@@ -32,13 +32,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -51,18 +51,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -86,7 +86,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh index 9dd3ec0..61c866b 100755 --- a/bin/hardening/1.1.17_run_shm_noexec.sh +++ b/bin/hardening/1.1.17_run_shm_noexec.sh 
@@ -32,13 +32,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -51,18 +51,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -86,7 +86,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.18_removable_device_nodev.sh b/bin/hardening/1.1.18_removable_device_nodev.sh index ae6807e..0f5ca0b 100755 --- a/bin/hardening/1.1.18_removable_device_nodev.sh +++ b/bin/hardening/1.1.18_removable_device_nodev.sh 
@@ -33,7 +33,7 @@ audit () { FNRET=0 else info "detected $PARTITION like" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 @@ -45,9 +45,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION fi @@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.19_removable_device_nosuid.sh b/bin/hardening/1.1.19_removable_device_nosuid.sh index aaec9cf..56b9539 100755 --- a/bin/hardening/1.1.19_removable_device_nosuid.sh +++ b/bin/hardening/1.1.19_removable_device_nosuid.sh @@ -33,7 +33,7 @@ audit () { FNRET=0 else info "detected $PARTITION like" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 @@ -45,9 +45,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION fi 
@@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.20_removable_device_noexec.sh b/bin/hardening/1.1.20_removable_device_noexec.sh index b3a9dd6..94e34b3 100755 --- a/bin/hardening/1.1.20_removable_device_noexec.sh +++ b/bin/hardening/1.1.20_removable_device_noexec.sh @@ -33,7 +33,7 @@ audit () { FNRET=0 else info "detected $PARTITION like" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 @@ -45,9 +45,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION fi @@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 773b5af..63a2c0b 100755 
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh @@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.22_disable_automounting.sh b/bin/hardening/1.1.22_disable_automounting.sh index 0bfb018..90bc774 100755 --- a/bin/hardening/1.1.22_disable_automounting.sh +++ b/bin/hardening/1.1.22_disable_automounting.sh @@ -22,8 +22,8 @@ SERVICE_NAME="autofs" # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then crit "$SERVICE_NAME is enabled" else ok "$SERVICE_NAME is disabled" @@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then info "Disabling $SERVICE_NAME" update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 else 
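Review bot: `update-rc.d $SERVICE_NAME remove > /dev/null 2>&1` in `apply` of 1.1.22_disable_automounting.sh was not quoted like the `is_service_enabled "$SERVICE_NAME"` call above it, and it discards both output streams without checking the exit status. If the command fails, the service stays enabled and nothing in the run shows it. Quote the name and report the failure, for example `update-rc.d "$SERVICE_NAME" remove > /dev/null 2>&1 || crit "Cannot disable $SERVICE_NAME"`. The `else` branch of `apply` continues past the end of the hunk.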
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.2_tmp_partition.sh b/bin/hardening/1.1.2_tmp_partition.sh index 6a98621..c6e5cd9 100755 --- a/bin/hardening/1.1.2_tmp_partition.sh +++ b/bin/hardening/1.1.2_tmp_partition.sh @@ -42,13 +42,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } @@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.3_tmp_nodev.sh b/bin/hardening/1.1.3_tmp_nodev.sh index dfa55ba..2e0405e 100755 --- a/bin/hardening/1.1.3_tmp_nodev.sh +++ b/bin/hardening/1.1.3_tmp_nodev.sh 
@@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.4_tmp_nosuid.sh b/bin/hardening/1.1.4_tmp_nosuid.sh index 6596cc9..9475ad3 100755 --- a/bin/hardening/1.1.4_tmp_nosuid.sh +++ b/bin/hardening/1.1.4_tmp_nosuid.sh 
@@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.5_tmp_noexec.sh b/bin/hardening/1.1.5_tmp_noexec.sh index f426b1b..116e9ac 100755 --- a/bin/hardening/1.1.5_tmp_noexec.sh +++ b/bin/hardening/1.1.5_tmp_noexec.sh 
@@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.6_var_partition.sh b/bin/hardening/1.1.6_var_partition.sh index ee9fa23..53e824a 100755 --- a/bin/hardening/1.1.6_var_partition.sh +++ b/bin/hardening/1.1.6_var_partition.sh 
@@ -44,13 +44,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.7_var_tmp_partition.sh b/bin/hardening/1.1.7_var_tmp_partition.sh index c0e8502..4a8d9a1 100755 --- a/bin/hardening/1.1.7_var_tmp_partition.sh +++ b/bin/hardening/1.1.7_var_tmp_partition.sh @@ -44,13 +44,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" else info "mounting $PARTITION" - mount $PARTITION + mount "$PARTITION" fi } 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.8_var_tmp_nodev.sh b/bin/hardening/1.1.8_var_tmp_nodev.sh index c73892b..ca73b85 100755 --- a/bin/hardening/1.1.8_var_tmp_nodev.sh +++ b/bin/hardening/1.1.8_var_tmp_nodev.sh @@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.1.9_var_tmp_nosuid.sh b/bin/hardening/1.1.9_var_tmp_nosuid.sh index 320d7cd..2244df9 100755 --- a/bin/hardening/1.1.9_var_tmp_nosuid.sh +++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh @@ -31,13 +31,13 @@ audit () { FNRET=2 else ok "$PARTITION is a partition" - has_mount_option $PARTITION $OPTION + has_mount_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" - has_mounted_option $PARTITION $OPTION + has_mounted_option "$PARTITION" "$OPTION" if [ $FNRET -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 @@ -50,18 +50,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PARTITION is correctly set" - elif [ $FNRET = 2 ]; then + elif [ "$FNRET" = 2 ]; then crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" - elif [ $FNRET = 1 ]; then + elif [ "$FNRET" = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION info "Remounting $PARTITION from fstab" - remount_partition $PARTITION - elif [ $FNRET = 3 ]; then + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then info "Remounting $PARTITION from fstab" - remount_partition $PARTITION + remount_partition "$PARTITION" fi } 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.4.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh index a99241f..8146fa8 100755 --- a/bin/hardening/1.4.1_bootloader_ownership.sh +++ b/bin/hardening/1.4.1_bootloader_ownership.sh @@ -26,15 +26,15 @@ PERMISSIONS='400' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" 
@@ -43,20 +43,20 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } @@ -64,22 +64,22 @@ apply () { check_config() { is_pkg_installed "grub-pc" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "Grub is not installed, not handling configuration" exit 128 fi does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" exit 128 fi @@ -97,9 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.4.2_bootloader_password.sh b/bin/hardening/1.4.2_bootloader_password.sh index 0605f58..e23d68e 100755 --- a/bin/hardening/1.4.2_bootloader_password.sh +++ b/bin/hardening/1.4.2_bootloader_password.sh 
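Review bot: `chown $USER:$GROUP $FILE` in the `apply` hunk of 1.4.1_bootloader_ownership.sh is left unquoted while the `chmod` a few lines below becomes `chmod 0"$PERMISSIONS" "$FILE"`, so the ownership change is the one privileged command in the function still open to word splitting and globbing. I would write `chown "$USER":"$GROUP" "$FILE"`, and in the `check_config` hunk `does_user_exist "$USER"`, `does_group_exist "$GROUP"` and `does_file_exist "$FILE"`. The `apply` hunks of 1.7.1.4_motd_perms.sh, 1.7.1.5_etc_issue_perms.sh and 1.7.1.6_etc_issue_net_perms.sh keep the same unquoted `chown`, plus `touch $FILE`.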
@@ -24,13 +24,13 @@ PWD_PATTERN="^password_pbkdf2" # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILE "$USER_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER_PATTERN not present in $FILE" else ok "$USER_PATTERN is present in $FILE" fi does_pattern_exist_in_file $FILE "$PWD_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PWD_PATTERN not present in $FILE" else ok "$PWD_PATTERN is present in $FILE" @@ -40,13 +40,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $FILE "$USER_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$USER_PATTERN not present in $FILE, please configure password for grub" else ok "$USER_PATTERN is present in $FILE" fi does_pattern_exist_in_file $FILE "$PWD_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$PWD_PATTERN not present in $FILE, please configure password for grub" else ok "$PWD_PATTERN is present in $FILE" @@ -57,11 +57,11 @@ apply () { # This function will check config parameters required check_config() { is_pkg_installed "grub-pc" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "grub-pc is not installed, not handling configuration" exit 128 fi - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" exit 128 fi @@ -79,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
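Review bot: In the `check_config` hunk of 1.4.2_bootloader_password.sh the second `if [ "$FNRET" != 0 ]` re-tests the result of `is_pkg_installed "grub-pc"`, because nothing is called between the two tests. The first branch already exits on a non-zero value, so `crit "$FILE does not exist"` can never run and a missing file is not caught here. A call such as `does_file_exist "$FILE"` (the helper 1.4.1_bootloader_ownership.sh uses) is needed before the second test. Without it `audit` and `apply` go on to search a file that may not exist, and what they then report depends on how `does_pattern_exist_in_file` handles that, which this diff does not show.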
diff --git a/bin/hardening/1.4.3_root_password.sh b/bin/hardening/1.4.3_root_password.sh index 5a55c84..acea244 100755 --- a/bin/hardening/1.4.3_root_password.sh +++ b/bin/hardening/1.4.3_root_password.sh @@ -23,7 +23,7 @@ PATTERN="^root:[*\!]:" # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET != 1 ]; then + if [ "$FNRET" != 1 ]; then crit "$PATTERN is present in $FILE" else ok "$PATTERN is not present in $FILE" @@ -33,7 +33,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET != 1 ]; then + if [ "$FNRET" != 1 ]; then warn "$PATTERN is present in $FILE, please put a root password" else ok "$PATTERN is not present in $FILE" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.5.1_restrict_core_dumps.sh b/bin/hardening/1.5.1_restrict_core_dumps.sh index 3ad8412..04f6fb9 100755 --- a/bin/hardening/1.5.1_restrict_core_dumps.sh +++ b/bin/hardening/1.5.1_restrict_core_dumps.sh @@ -35,7 +35,7 @@ audit () { debug "Files to search $LIMIT_FILE $LIMIT_FILES" for file in $LIMIT_FILE $LIMIT_FILES; do does_pattern_exist_in_file $file $LIMIT_PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$LIMIT_PATTERN not present in $file" else ok "$LIMIT_PATTERN present in $file" 
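Review bot: `does_pattern_exist_in_file $FILE $PATTERN` in the `audit` and `apply` hunks of 1.4.3_root_password.sh passes the pattern unquoted, and the hunk header shows it is `"^root:[*\!]:"`, whose bracket expression makes the word a glob that the shell expands before the helper sees it. It stays literal only as long as no file in the working directory matches and neither `nullglob` nor `failglob` is set; otherwise this password check runs against a different or missing pattern. I would change both calls to `does_pattern_exist_in_file "$FILE" "$PATTERN"`. The `apply` hunks of 1.7.1.1, 1.7.1.2 and 1.7.1.3 show the same mix, with `"$PATTERN"` quoted for the check but `delete_line_in_file $FILE $PATTERN` left bare.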
@@ -47,9 +47,9 @@ audit () { crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES" fi has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -59,17 +59,17 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" add_end_of_file $LIMIT_FILE "* hard core 0" else ok "$LIMIT_PATTERN present in $LIMIT_FILE" fi has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -94,9 +94,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.5.2_enable_nx_support.sh b/bin/hardening/1.5.2_enable_nx_support.sh index 61dd73c..24c30c7 100755 --- a/bin/hardening/1.5.2_enable_nx_support.sh +++ b/bin/hardening/1.5.2_enable_nx_support.sh 
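Review bot: The `elif [ "$FNRET" = 255 ]` branch in the `audit` hunk of 1.5.1_restrict_core_dumps.sh is unreachable, because 255 already satisfies the preceding `if [ "$FNRET" != 0 ]`. In the `apply` hunk this means a parameter the helper reports as missing is passed to `set_sysctl_param` with the "-- Fixing" message instead of producing the "does not exist -- Typo?" warning. Testing the special value first fixes it: `if [ "$FNRET" = 255 ]; then` followed by `elif [ "$FNRET" != 0 ]; then`, with the two bodies swapped to match. The `audit` and `apply` hunks of 1.5.3_enable_randomized_vm_placement.sh have the same ordering.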
@@ -36,9 +36,9 @@ nx_supported_and_enabled() { # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_dmesg $PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then nx_supported_and_enabled - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" else ok "NX is supported and enabled" @@ -51,9 +51,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_dmesg $PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then nx_supported_and_enabled - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" else ok "NX is supported and enabled" @@ -80,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh index 43af98e..dde8c8b 100755 --- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh +++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh 
@@ -22,10 +22,10 @@ SYSCTL_EXP_RESULT=2 # This function will be called if the script status is on enabled / audit mode audit () { - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -34,11 +34,11 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.5.4_disable_prelink.sh b/bin/hardening/1.5.4_disable_prelink.sh index 643b90e..a9c7a3f 100755 --- a/bin/hardening/1.5.4_disable_prelink.sh +++ b/bin/hardening/1.5.4_disable_prelink.sh 
@@ -21,8 +21,8 @@ PACKAGE='prelink' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -32,11 +32,11 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" /usr/sbin/prelink -ua - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove else ok "$PACKAGE is absent" @@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.6.2.1_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh index 192bcbf..cb3d906 100755 --- a/bin/hardening/1.6.2.1_enable_apparmor.sh +++ b/bin/hardening/1.6.2.1_enable_apparmor.sh @@ -21,8 +21,8 @@ PACKAGE='apparmor' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is absent!" else ok "$PACKAGE is installed" 
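Review bot: In the `apply` hunk of 1.5.4_disable_prelink.sh `apt-get purge "$PACKAGE" -y` is followed by `apt-get autoremove` without `-y`, so an unattended run stops at a confirmation prompt or aborts whenever there is something to remove. I would make it `apt-get autoremove -y`, or drop the line, since it removes every orphaned package on the host and not only what prelink pulled in. The exit status of `/usr/sbin/prelink -ua` is also not checked before the package is purged, so a failed un-prelink goes unreported.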
@@ -50,8 +50,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed, please install $PACKAGE and configure it" else ok "$PACKAGE is installed" @@ -97,9 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.1_remove_os_info_motd.sh b/bin/hardening/1.7.1.1_remove_os_info_motd.sh index 2e8fb10..a0267d2 100755 --- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh +++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh @@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)' # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "$PATTERN is present in $FILE" else ok "$PATTERN is not present in $FILE" @@ -33,7 +33,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then warn "$PATTERN is present in $FILE" delete_line_in_file $FILE $PATTERN else 
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.2_remove_os_info_issue.sh b/bin/hardening/1.7.1.2_remove_os_info_issue.sh index 5f38002..508fedc 100755 --- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh +++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh @@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)' # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "$PATTERN is present in $FILE" else ok "$PATTERN is not present in $FILE" @@ -33,7 +33,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then warn "$PATTERN is present in $FILE" delete_line_in_file $FILE $PATTERN else @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh index a1fe41d..9dbcba6 100755 
--- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh +++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh @@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)' # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "$PATTERN is present in $FILE" else ok "$PATTERN is not present in $FILE" @@ -33,7 +33,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then warn "$PATTERN is present in $FILE" delete_line_in_file $FILE $PATTERN else @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh index 47ea1ed..7d9ed2b 100755 --- a/bin/hardening/1.7.1.4_motd_perms.sh +++ b/bin/hardening/1.7.1.4_motd_perms.sh 
@@ -25,18 +25,18 @@ FILE='/etc/motd' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" continue fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -46,23 +46,23 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } 
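Review bot: `continue` in the `audit` hunk of 1.7.1.4_motd_perms.sh is not inside any loop in this function, so after `crit "$FILE does not exist"` bash at best prints an "only meaningful in a loop" message and carries on to the ownership and permission checks on the missing file. `return` is what the branch appears to intend: `crit "$FILE does not exist"` then `return`. If `audit` is invoked from a loop in lib/main.sh, older bash versions may instead apply the `continue` to that outer loop, which is not visible here. The `audit` hunks of 1.7.1.5_etc_issue_perms.sh and 1.7.1.6_etc_issue_net_perms.sh repeat it; the end of `audit` lies outside the hunk.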
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh index 1955a59..f487633 100755 --- a/bin/hardening/1.7.1.5_etc_issue_perms.sh +++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh @@ -25,18 +25,18 @@ FILE='/etc/issue' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" continue fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" 
@@ -46,23 +46,23 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } @@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh index 9e1ce03..05e884a 100755 --- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh +++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh 
@@ -25,18 +25,18 @@ FILE='/etc/issue.net' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" continue fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -46,23 +46,23 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.7.2_graphical_warning_banners.sh b/bin/hardening/1.7.2_graphical_warning_banners.sh index 84ed678..9a10275 100755 --- a/bin/hardening/1.7.2_graphical_warning_banners.sh +++ b/bin/hardening/1.7.2_graphical_warning_banners.sh @@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/1.8_install_updates.sh b/bin/hardening/1.8_install_updates.sh index 7828951..b505284 100755 --- a/bin/hardening/1.8_install_updates.sh +++ b/bin/hardening/1.8_install_updates.sh @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/2.1.1_disable_xinetd.sh b/bin/hardening/2.1.1_disable_xinetd.sh index b151263..760b72a 100755 --- a/bin/hardening/2.1.1_disable_xinetd.sh +++ b/bin/hardening/2.1.1_disable_xinetd.sh @@ -21,8 +21,8 @@ PACKAGE='xinetd' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" @@ -31,10 +31,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove else ok "$PACKAGE is absent" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.1.2_disable_bsd_inetd.sh b/bin/hardening/2.1.2_disable_bsd_inetd.sh index 2a04d35..2ae5469 100755 --- a/bin/hardening/2.1.2_disable_bsd_inetd.sh +++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh @@ -22,8 +22,8 @@ PACKAGES='openbsd-inetd inetutils-inetd' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" 
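Review bot: `apt-get autoremove` in `apply` of 2.1.1_disable_xinetd.sh runs without `-y`, unlike the `apt-get purge "$PACKAGE" -y` just above it, so an unattended run can stop at the confirmation prompt or abort when there is no terminal. Most sibling scripts in this diff already use `apt-get autoremove -y`; the same line without `-y` appears in the apply hunks of 2.1.2_disable_bsd_inetd.sh, 2.2.13_disable_http_proxy.sh and 2.2.18_disable_telnet_server.sh. Autoremove also removes every package apt considers orphaned, not only dependencies of `$PACKAGE`, which deserves a one-line comment next to the call. The end of `apply` is outside this hunk.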
@@ -34,10 +34,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove else ok "$PACKAGE is absent" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.1.1_use_time_sync.sh b/bin/hardening/2.2.1.1_use_time_sync.sh index c696abc..ffd33ab 100755 --- a/bin/hardening/2.2.1.1_use_time_sync.sh +++ b/bin/hardening/2.2.1.1_use_time_sync.sh @@ -23,8 +23,8 @@ PACKAGES="ntp chrony" audit () { FOUND=false for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "Time synchronization is available through $PACKAGE" FOUND=true fi @@ -57,9 +57,9 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.1.2_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh index 3b4c680..69ab374 100755 
--- a/bin/hardening/2.2.1.2_configure_ntp.sh +++ b/bin/hardening/2.2.1.2_configure_ntp.sh @@ -27,19 +27,19 @@ NTP_INIT_FILE='/etc/init.d/ntp' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed, checking configuration" does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" else ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" fi does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE" else ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" @@ -49,8 +49,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -58,7 +58,7 @@ apply () { info "Checking $PACKAGE configuration" fi does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" backup_file $NTP_CONF_FILE add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery" @@ -66,7 +66,7 @@ apply () { ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" fi does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" backup_file $NTP_INIT_FILE add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" 
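Review bot: The pattern arguments in `audit` of 2.2.1.2_configure_ntp.sh are still unquoted: `does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN`. The value of NTP_CONF_DEFAULT_PATTERN is not visible here, but the line that `apply` appends, `restrict -4 default kod notrap nomodify nopeer noquery`, suggests it contains spaces; if so, the helper receives the words as separate arguments and the check may match more loosely than intended. Quoting these matters more than quoting `$FNRET`: `does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"`. The same applies to the `apply` hunks of this file, including `add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"`, and to `does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN` in 2.2.1.3_configure_chrony.sh. `audit` ends outside the hunk.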
@@ -92,9 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.1.3_configure_chrony.sh b/bin/hardening/2.2.1.3_configure_chrony.sh index 1598eea..d1655a7 100755 --- a/bin/hardening/2.2.1.3_configure_chrony.sh +++ b/bin/hardening/2.2.1.3_configure_chrony.sh @@ -25,13 +25,13 @@ CONF_FILE='/etc/chrony/chrony.conf' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed, checking configuration" does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE" else ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE" @@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.10_disable_http_server.sh b/bin/hardening/2.2.10_disable_http_server.sh index 73fb26e..317e9a0 100755 --- a/bin/hardening/2.2.10_disable_http_server.sh 
+++ b/bin/hardening/2.2.10_disable_http_server.sh @@ -25,8 +25,8 @@ PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -37,10 +37,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.11_disable_imap_pop.sh b/bin/hardening/2.2.11_disable_imap_pop.sh index e612344..9fdde2f 100755 --- a/bin/hardening/2.2.11_disable_imap_pop.sh +++ b/bin/hardening/2.2.11_disable_imap_pop.sh @@ -25,8 +25,8 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" 
@@ -37,10 +37,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.12_disable_samba.sh b/bin/hardening/2.2.12_disable_samba.sh index 972789a..b426d6a 100755 --- a/bin/hardening/2.2.12_disable_samba.sh +++ b/bin/hardening/2.2.12_disable_samba.sh @@ -25,15 +25,15 @@ SERVICE='smbd' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" fi done is_service_enabled $SERVICE - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "Service $SERVICE is enabled!" else ok "Service $SERVICE is disabled" 
@@ -43,17 +43,17 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" fi done is_service_enabled $SERVICE - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "Service $SERVICE is enabled!" systemctl disable $SERVICE else @@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.13_disable_http_proxy.sh b/bin/hardening/2.2.13_disable_http_proxy.sh index ddbe453..6ec07cc 100755 --- a/bin/hardening/2.2.13_disable_http_proxy.sh +++ b/bin/hardening/2.2.13_disable_http_proxy.sh @@ -24,8 +24,8 @@ PACKAGES='squid3 squid' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" 
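Review bot: `systemctl disable $SERVICE` in `apply` of 2.2.12_disable_samba.sh only removes the unit from boot-time start-up; a daemon that is already running keeps listening until it is stopped or the host reboots. Whether smbd is still running at this point depends on what the purge above removed, so it is worth handling explicitly with `systemctl disable --now "$SERVICE"`. `is_service_enabled $SERVICE` is also left unquoted in both `audit` and `apply`. `apply` ends outside the hunk.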
@@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove else ok "$PACKAGE is absent" @@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.14_disable_snmp_server.sh b/bin/hardening/2.2.14_disable_snmp_server.sh index 3863432..b5d18c5 100755 --- a/bin/hardening/2.2.14_disable_snmp_server.sh +++ b/bin/hardening/2.2.14_disable_snmp_server.sh @@ -24,8 +24,8 @@ PACKAGES='snmpd' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" 
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh index c32d53e..69724df 100755 --- a/bin/hardening/2.2.15_mta_localhost.sh +++ b/bin/hardening/2.2.15_mta_localhost.sh @@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.16_disable_rsync.sh b/bin/hardening/2.2.16_disable_rsync.sh index 5c12bc9..e633fae 100755 --- a/bin/hardening/2.2.16_disable_rsync.sh +++ b/bin/hardening/2.2.16_disable_rsync.sh 
@@ -26,13 +26,13 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then ok "$PACKAGE is not installed" else ok "$PACKAGE is installed, checking configuration" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" else ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE" @@ -42,13 +42,13 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then ok "$PACKAGE is not installed" else ok "$PACKAGE is installed, checking configuration" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" backup_file $RSYNC_DEFAULT_FILE replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN @@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh index 1778666..5adaf20 100755 --- a/bin/hardening/2.2.18_disable_telnet_server.sh +++ b/bin/hardening/2.2.18_disable_telnet_server.sh 
@@ -27,15 +27,15 @@ PATTERN='^telnet' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, checking configuration" does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "$FILE does not exist" else does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "$PATTERN exists, $PACKAGE services are enabled!" else ok "$PATTERN is not present in $FILE" @@ -50,21 +50,21 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove else ok "$PACKAGE is absent" fi does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "$FILE does not exist" else info "$FILE exists, checking patterns" does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then warn "$PATTERN is present in $FILE, purging it" backup_file $FILE ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) @@ -93,9 +93,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/2.2.2_disable_xwindow_system.sh b/bin/hardening/2.2.2_disable_xwindow_system.sh index dbc1ae3..4131e69 100755 --- a/bin/hardening/2.2.2_disable_xwindow_system.sh +++ b/bin/hardening/2.2.2_disable_xwindow_system.sh @@ -25,8 +25,8 @@ PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -37,10 +37,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.3_disable_avahi_server.sh b/bin/hardening/2.2.3_disable_avahi_server.sh index 4799e25..1956d41 100755 --- a/bin/hardening/2.2.3_disable_avahi_server.sh +++ b/bin/hardening/2.2.3_disable_avahi_server.sh 
@@ -22,8 +22,8 @@ PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -34,10 +34,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.4_disable_print_server.sh b/bin/hardening/2.2.4_disable_print_server.sh index b034b13..e28141b 100755 --- a/bin/hardening/2.2.4_disable_print_server.sh +++ b/bin/hardening/2.2.4_disable_print_server.sh @@ -24,8 +24,8 @@ PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-comm # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" 
@@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.5_disable_dhcp.sh b/bin/hardening/2.2.5_disable_dhcp.sh index 2e4d91c..53e8b9b 100755 --- a/bin/hardening/2.2.5_disable_dhcp.sh +++ b/bin/hardening/2.2.5_disable_dhcp.sh @@ -24,8 +24,8 @@ PACKAGES='udhcpd isc-dhcp-server' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" 
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.6_disable_ldap.sh b/bin/hardening/2.2.6_disable_ldap.sh index e3169db..8b9761b 100755 --- a/bin/hardening/2.2.6_disable_ldap.sh +++ b/bin/hardening/2.2.6_disable_ldap.sh @@ -24,8 +24,8 @@ PACKAGES='slapd' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/2.2.7_disable_nfs_rpc.sh b/bin/hardening/2.2.7_disable_nfs_rpc.sh index f7129da..450f5af 100755 --- a/bin/hardening/2.2.7_disable_nfs_rpc.sh +++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh @@ -24,8 +24,8 @@ PACKAGES='rpcbind nfs-kernel-server' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.8_disable_dns_server.sh b/bin/hardening/2.2.8_disable_dns_server.sh index 1299f1d..3941234 100755 --- a/bin/hardening/2.2.8_disable_dns_server.sh +++ b/bin/hardening/2.2.8_disable_dns_server.sh 
@@ -24,8 +24,8 @@ PACKAGES='bind9 unbound' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -36,10 +36,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.2.9_disable_ftp.sh b/bin/hardening/2.2.9_disable_ftp.sh index fa17bb3..9fff5ca 100755 --- a/bin/hardening/2.2.9_disable_ftp.sh +++ b/bin/hardening/2.2.9_disable_ftp.sh @@ -25,8 +25,8 @@ PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd prof # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" 
@@ -37,10 +37,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.3.1_disable_nis.sh b/bin/hardening/2.3.1_disable_nis.sh index 49cb39f..9a9ae5d 100755 --- a/bin/hardening/2.3.1_disable_nis.sh +++ b/bin/hardening/2.3.1_disable_nis.sh @@ -21,8 +21,8 @@ PACKAGE='nis' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed!" else ok "$PACKAGE is absent" @@ -32,10 +32,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" 
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.3.2_disable_rsh_client.sh b/bin/hardening/2.3.2_disable_rsh_client.sh index 2ea3bb5..8bc854d 100755 --- a/bin/hardening/2.3.2_disable_rsh_client.sh +++ b/bin/hardening/2.3.2_disable_rsh_client.sh @@ -23,8 +23,8 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" @@ -35,10 +35,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -63,9 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/2.3.3_disable_talk_client.sh b/bin/hardening/2.3.3_disable_talk_client.sh index 1464abc..345c6b2 100755 --- a/bin/hardening/2.3.3_disable_talk_client.sh +++ b/bin/hardening/2.3.3_disable_talk_client.sh @@ -22,8 +22,8 @@ PACKAGES='talk inetutils-talk' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" @@ -34,10 +34,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.3.4_disable_telnet_client.sh b/bin/hardening/2.3.4_disable_telnet_client.sh index 4f96a9f..dc96166 100755 --- a/bin/hardening/2.3.4_disable_telnet_client.sh +++ b/bin/hardening/2.3.4_disable_telnet_client.sh 
@@ -22,8 +22,8 @@ PACKAGES='telnet' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" @@ -34,10 +34,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/2.3.5_disable_ldap_client.sh b/bin/hardening/2.3.5_disable_ldap_client.sh index 20bd276..1204ac5 100755 --- a/bin/hardening/2.3.5_disable_ldap_client.sh +++ b/bin/hardening/2.3.5_disable_ldap_client.sh @@ -22,8 +22,8 @@ PACKAGES='ldap-utils' # This function will be called if the script status is on enabled / audit mode audit () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" else ok "$PACKAGE is absent" 
@@ -34,10 +34,10 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for PACKAGE in $PACKAGES; do - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" - apt-get purge $PACKAGE -y + apt-get purge "$PACKAGE" -y apt-get autoremove -y else ok "$PACKAGE is absent" @@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh index b92b983..5a233f3 100755 --- a/bin/hardening/3.1.1_disable_ip_forwarding.sh +++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh @@ -26,11 +26,11 @@ SYSCTL_EXP_RESULT=0 audit () { for SYSCTL_PARAM in $SYSCTL_PARAMS; do does_sysctl_param_exists "net.ipv6" - if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
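Review bot: In the 3.1.1 `audit` hunk the branch `elif [ "$FNRET" = 255 ]` can never run, because 255 already satisfies `[ "$FNRET" != 0 ]` on the test before it, so a parameter that (judging by the warn text) does not exist is reported as "was not set" instead. Testing the specific value first restores the intended message: `if [ "$FNRET" = 255 ]; then` for the warn, then `elif [ "$FNRET" != 0 ]; then` for the crit. In the `apply` hunks the same ordering sends a missing parameter into the "Fixing" path and on to `set_sysctl_param`. The pattern is repeated in both hunks of 3.1.1 and in the audit/apply hunks of 3.1.2 through 3.2.9; the loop and the function close outside the hunk.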
@@ -42,12 +42,12 @@ audit () { # This function will be called if the script status is on enabled mode apply () { for SYSCTL_PARAM in $SYSCTL_PARAMS; do - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.1.2_disable_send_packet_redirects.sh b/bin/hardening/3.1.2_disable_send_packet_redirects.sh index 08db575..8a392ec 100755 --- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh +++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh 
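Review bot: `apply` in 3.1.1 has no equivalent of the `does_sysctl_param_exists "net.ipv6"` guard that `audit` uses in the previous hunk, so on a host without IPv6 an ipv6 entry in `$SYSCTL_PARAMS` is skipped by audit but still handed to `set_sysctl_param` here. Wrapping the loop body in the same test keeps the two functions in agreement: `does_sysctl_param_exists "net.ipv6"` followed by `if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then`. Whether `$SYSCTL_PARAMS` contains ipv6 keys in this file is not visible in the diff, so this should be confirmed against the variable's definition. The loop's `done` is outside the hunk.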
@@ -27,10 +27,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -44,12 +44,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -74,9 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh index ac23490..95890c6 100755 
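Review bot: The context lines `SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)` and `SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)` in the 3.1.2 `audit` hunk still expand unquoted, right above calls that this commit quotes. Quoting the expansion finishes the job: `SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)` and likewise for field 2. The `apply` hunks from 3.1.1 onward have the same leftover in `set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT`, which would read `set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"`. These two assignments recur in every sysctl script through 3.2.9; the enclosing `for` loop starts and ends outside the hunk.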
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh +++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh @@ -23,14 +23,14 @@ SYSCTL_PARAMS='' audit () { for SYSCTL_VALUES in $SYSCTL_PARAMS; do does_sysctl_param_exists "net.ipv6" - if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 + if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -45,12 +45,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh index 954b1f3..62ab01a 100755 --- a/bin/hardening/3.2.2_disable_icmp_redirect.sh +++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh @@ -23,15 +23,15 @@ SYSCTL_PARAMS='' audit () { for SYSCTL_VALUES in $SYSCTL_PARAMS; do does_sysctl_param_exists "net.ipv6" - if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 + if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -46,12 +46,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -84,9 +84,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh index dcfa901..b74a9d1 100755 --- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh +++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh 
@@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.4_log_martian_packets.sh b/bin/hardening/3.2.4_log_martian_packets.sh index c8b709a..9d56f0c 100755 
--- a/bin/hardening/3.2.4_log_martian_packets.sh +++ b/bin/hardening/3.2.4_log_martian_packets.sh @@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/3.2.5_ignore_broadcast_requests.sh b/bin/hardening/3.2.5_ignore_broadcast_requests.sh index 51dd89d..953ab2a 100755 --- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh +++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh @@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist --Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh index d5162e1..35ec96a 100755 --- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh +++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh @@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.7_enable_source_route_validation.sh b/bin/hardening/3.2.7_enable_source_route_validation.sh index 5adfa96..8b0faed 100755 --- a/bin/hardening/3.2.7_enable_source_route_validation.sh +++ b/bin/hardening/3.2.7_enable_source_route_validation.sh 
@@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh index 995741f..f44cf75 100755 
--- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh +++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh @@ -25,10 +25,10 @@ audit () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -42,12 +42,12 @@ apply () { SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh index 3aae40a..974933f 100755 --- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh +++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh @@ -22,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0' # This function will be called if the script status is on enabled / audit mode audit () { does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" else for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -44,19 +44,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" else for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -82,9 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.3.1_install_tcp_wrapper.sh b/bin/hardening/3.3.1_install_tcp_wrapper.sh index 94a8996..901939a 100755 --- a/bin/hardening/3.3.1_install_tcp_wrapper.sh +++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh @@ -21,8 +21,8 @@ PACKAGE='tcpd' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -31,8 +31,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -57,9 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.3.2_hosts_allow.sh b/bin/hardening/3.3.2_hosts_allow.sh index 4abde0d..bb9d7a4 100755 --- a/bin/hardening/3.3.2_hosts_allow.sh +++ b/bin/hardening/3.3.2_hosts_allow.sh @@ -22,7 +22,7 @@ FILE='/etc/hosts.allow' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exist" @@ -32,7 +32,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE warn "You may want to fill it with allowed networks" 
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.3.3_hosts_deny.sh b/bin/hardening/3.3.3_hosts_deny.sh index 490bb00..f8e444f 100755 --- a/bin/hardening/3.3.3_hosts_deny.sh +++ b/bin/hardening/3.3.3_hosts_deny.sh @@ -23,12 +23,12 @@ PATTERN='ALL: ALL' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE, we have to deny everything" else ok "$PATTERN is present in $FILE" @@ -39,14 +39,14 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE else ok "$FILE exists" fi does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE, we have to deny everything" add_end_of_file $FILE "$PATTERN" warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING" 
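Review bot: `apply` in 3.3.3_hosts_deny.sh appends `ALL: ALL` through `add_end_of_file` and only afterwards prints "YOU MAY HAVE CUT YOUR ACCESS", so on a host administered over a TCP-wrapped service new connections may already be refused by the time the operator reads the warning. A guard before the write that checks `/etc/hosts.allow` has at least one active entry, and warns or stops when it does not, would make this control safer to roll out. Separately, whether `does_pattern_exist_in_file $FILE "$PATTERN"` accepts a commented-out `# ALL: ALL` line depends on the helper, which is not visible here; if the match is unanchored, using `^ALL: ALL` would avoid a false pass in `audit`. `apply` continues outside the hunk.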
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.3.4_hosts_allow_permissions.sh b/bin/hardening/3.3.4_hosts_allow_permissions.sh index d4b136f..bb9e8b5 100755 --- a/bin/hardening/3.3.4_hosts_allow_permissions.sh +++ b/bin/hardening/3.3.4_hosts_allow_permissions.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" @@ -40,12 +40,12 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } 
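Review bot: `apply` in 3.3.4_hosts_allow_permissions.sh repairs only the mode: `audit` in the hunk above reports wrong ownership as `crit` through `has_file_correct_ownership`, but `apply` ends after the `chmod` and never calls `chown`, so an ownership finding stays open however often the script is applied. Adding the ownership check and a `chown` after the permissions block closes that gap, assuming `USER` is defined next to `GROUP='root'` above the hunk. 3.3.5_hosts_deny_permissions.sh has the same shape and needs the same addition.

```shell
apply () {
    # … unchanged: permissions check and chmod …
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        info "fixing $FILE ownership to $USER:$GROUP"
        chown "$USER":"$GROUP" "$FILE"
    fi
```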
@@ -66,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.3.5_hosts_deny_permissions.sh b/bin/hardening/3.3.5_hosts_deny_permissions.sh index 7c86967..22c8288 100755 --- a/bin/hardening/3.3.5_hosts_deny_permissions.sh +++ b/bin/hardening/3.3.5_hosts_deny_permissions.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" @@ -40,12 +40,12 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } 
@@ -66,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.4.1_disable_dccp.sh b/bin/hardening/3.4.1_disable_dccp.sh index 8ef2850..0745f62 100755 --- a/bin/hardening/3.4.1_disable_dccp.sh +++ b/bin/hardening/3.4.1_disable_dccp.sh @@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.4.2_disable_sctp.sh b/bin/hardening/3.4.2_disable_sctp.sh index 87b168d..0663987 100755 --- a/bin/hardening/3.4.2_disable_sctp.sh +++ b/bin/hardening/3.4.2_disable_sctp.sh @@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.4.3_disable_rds.sh b/bin/hardening/3.4.3_disable_rds.sh index 72aff97..3851b71 100755 
--- a/bin/hardening/3.4.3_disable_rds.sh +++ b/bin/hardening/3.4.3_disable_rds.sh @@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.4.4_disable_tipc.sh b/bin/hardening/3.4.4_disable_tipc.sh index 6e09336..8b529e5 100755 --- a/bin/hardening/3.4.4_disable_tipc.sh +++ b/bin/hardening/3.4.4_disable_tipc.sh @@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh index f4d6c50..4cbadb1 100755 --- a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh +++ b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh @@ -23,7 +23,7 @@ FW_POLICY="DROP" # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else 
@@ -73,7 +73,7 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.5_enable_firewall.sh b/bin/hardening/3.5_enable_firewall.sh index 55e360b..e02dbfb 100755 --- a/bin/hardening/3.5_enable_firewall.sh +++ b/bin/hardening/3.5_enable_firewall.sh @@ -24,8 +24,8 @@ PACKAGE='iptables' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -34,8 +34,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.6_disable_wireless.sh b/bin/hardening/3.6_disable_wireless.sh index d1e4694..f167e34 100755 --- a/bin/hardening/3.6_disable_wireless.sh +++ b/bin/hardening/3.6_disable_wireless.sh 
@@ -56,9 +56,9 @@ fi #fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/3.7_disable_ipv6.sh b/bin/hardening/3.7_disable_ipv6.sh index 9487a17..746b21e 100755 --- a/bin/hardening/3.7_disable_ipv6.sh +++ b/bin/hardening/3.7_disable_ipv6.sh @@ -22,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip # This function will be called if the script status is on enabled / audit mode audit () { does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" else for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" 
@@ -44,19 +44,19 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" else for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS" - elif [ $FNRET = 255 ]; then + elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" @@ -82,9 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh index 45ad8c4..cc2ec34 100755 --- a/bin/hardening/4.1.1.1_audit_log_storage.sh +++ b/bin/hardening/4.1.1.1_audit_log_storage.sh 
@@ -24,12 +24,12 @@ VALUE=5 # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE" else ok "$PATTERN is present in $FILE" @@ -40,14 +40,14 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE else ok "$FILE exists" fi does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$PATTERN is not present in $FILE, adding it" add_end_of_file $FILE "$PATTERN = $VALUE" else @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh index 83ce552..2b7c2fa 100755 --- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh @@ -23,7 +23,7 @@ OPTIONS='' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" 
@@ -33,7 +33,7 @@ audit () { PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE" else ok "$PATTERN is present in $FILE" @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE else @@ -57,10 +57,10 @@ apply () { debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" else @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh index 3b75b3d..2d4b394 100755 --- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh +++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh 
@@ -23,7 +23,7 @@ OPTIONS='max_log_file_action=keep_logs' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" @@ -33,7 +33,7 @@ audit () { PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE" else ok "$PATTERN is present in $FILE" @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE else @@ -57,10 +57,10 @@ apply () { debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" else @@ -90,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/4.1.10_record_dac_edit.sh b/bin/hardening/4.1.10_record_dac_edit.sh index eb9cf33..057da45 100755 --- a/bin/hardening/4.1.10_record_dac_edit.sh +++ b/bin/hardening/4.1.10_record_dac_edit.sh @@ -36,7 +36,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -51,7 +51,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.11_record_failed_access_file.sh b/bin/hardening/4.1.11_record_failed_access_file.sh index 4cd57eb..198b545 100755 --- a/bin/hardening/4.1.11_record_failed_access_file.sh +++ b/bin/hardening/4.1.11_record_failed_access_file.sh @@ -34,7 +34,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" 
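Review bot: `eval $(pkill -HUP -P 1 auditd)` in `apply` evaluates whatever `pkill` prints as shell code; `pkill` normally prints nothing, so the `eval` adds no behaviour and only leaves a code-evaluation sink in a script that presumably runs as root. Calling it directly, `pkill -HUP -P 1 auditd`, sends the same signal. The arguments in `does_pattern_exist_in_file $FILE $AUDIT_VALUE` and `add_end_of_file $FILE $AUDIT_VALUE` are also still unquoted, which appears to be why `audit` switches `IFS` around the call; `"$FILE" "$AUDIT_VALUE"` would remove that dependency. The same lines recur in the `apply` hunks of 4.1.11 through 4.1.18. `apply` itself begins and ends outside the hunk.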
@@ -49,7 +49,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -76,9 +76,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.12_record_privileged_commands.sh b/bin/hardening/4.1.12_record_privileged_commands.sh index 21154cf..34d7a97 100755 --- a/bin/hardening/4.1.12_record_privileged_commands.sh +++ b/bin/hardening/4.1.12_record_privileged_commands.sh @@ -35,7 +35,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -50,7 +50,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) 
@@ -77,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.13_record_successful_mount.sh b/bin/hardening/4.1.13_record_successful_mount.sh index d729a19..2ad180d 100755 --- a/bin/hardening/4.1.13_record_successful_mount.sh +++ b/bin/hardening/4.1.13_record_successful_mount.sh @@ -32,7 +32,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -47,7 +47,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -74,9 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.14_record_file_deletions.sh b/bin/hardening/4.1.14_record_file_deletions.sh index ed9f225..abfdd8a 100755 --- a/bin/hardening/4.1.14_record_file_deletions.sh 
+++ b/bin/hardening/4.1.14_record_file_deletions.sh @@ -32,7 +32,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -47,7 +47,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -74,9 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.15_record_sudoers_edit.sh b/bin/hardening/4.1.15_record_sudoers_edit.sh index 97ab21e..735fb85 100755 --- a/bin/hardening/4.1.15_record_sudoers_edit.sh +++ b/bin/hardening/4.1.15_record_sudoers_edit.sh @@ -32,7 +32,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -47,7 +47,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) 
@@ -74,9 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.16_record_sudo_usage.sh b/bin/hardening/4.1.16_record_sudo_usage.sh index ecd5ef0..6ddebaa 100755 --- a/bin/hardening/4.1.16_record_sudo_usage.sh +++ b/bin/hardening/4.1.16_record_sudo_usage.sh @@ -31,7 +31,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -46,7 +46,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.17_record_kernel_modules.sh b/bin/hardening/4.1.17_record_kernel_modules.sh index 6dfb453..08f34e5 100755 --- a/bin/hardening/4.1.17_record_kernel_modules.sh 
+++ b/bin/hardening/4.1.17_record_kernel_modules.sh @@ -34,7 +34,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -49,7 +49,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -76,9 +76,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.18_freeze_auditd_conf.sh b/bin/hardening/4.1.18_freeze_auditd_conf.sh index 85b0eed..7d20b81 100755 --- a/bin/hardening/4.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/4.1.18_freeze_auditd_conf.sh @@ -31,7 +31,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -46,7 +46,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) 
@@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.2_enable_auditd.sh b/bin/hardening/4.1.2_enable_auditd.sh index 3da8b6d..aec0224 100755 --- a/bin/hardening/4.1.2_enable_auditd.sh +++ b/bin/hardening/4.1.2_enable_auditd.sh @@ -22,13 +22,13 @@ SERVICE_NAME='auditd' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then ok "$SERVICE_NAME is enabled" else crit "$SERVICE_NAME is not enabled" @@ -38,15 +38,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else warn "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then ok "$SERVICE_NAME is enabled" else warn "$SERVICE_NAME is not enabled, enabling it" 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.3_audit_bootloader.sh b/bin/hardening/4.1.3_audit_bootloader.sh index 92d3ca1..e107403 100755 --- a/bin/hardening/4.1.3_audit_bootloader.sh +++ b/bin/hardening/4.1.3_audit_bootloader.sh @@ -23,7 +23,7 @@ OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' # This function will be called if the script status is on enabled / audit mode audit () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" @@ -33,7 +33,7 @@ audit () { PATTERN="^$GRUB_PARAM=$GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$PATTERN is not present in $FILE" else ok "$PATTERN is present in $FILE" @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" touch $FILE else 
@@ -57,10 +57,10 @@ apply () { debug "$GRUB_PARAM should be set to $GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$GRUB_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" else @@ -90,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.4_record_date_time_edit.sh b/bin/hardening/4.1.4_record_date_time_edit.sh index 0f44ae6..3a689fb 100755 --- a/bin/hardening/4.1.4_record_date_time_edit.sh +++ b/bin/hardening/4.1.4_record_date_time_edit.sh @@ -35,7 +35,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -50,7 +50,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) 
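Review bot: In the `apply ()` hunk of 4.1.3_audit_bootloader.sh (`@@ -57,10 +57,10 @@`) the line appended by `add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"` has spaces around `=`, while the check above it looks for `^$GRUB_PARAM=$GRUB_VALUE` with none. If `add_end_of_file` writes the string as given, the next audit would still report the pattern as missing, and a shell-style defaults file would not accept the assignment; I would write `add_end_of_file "$FILE" "$GRUB_PARAM=$GRUB_VALUE"`. `$GRUB_PARAM` and `$GRUB_VALUE` also go into the pattern unescaped, so if the helper treats it as a regular expression (the `^` anchor suggests it does), metacharacters in the configured option change what is matched. The `else` branch continues outside the hunk.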
@@ -77,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.5_record_user_group_edit.sh b/bin/hardening/4.1.5_record_user_group_edit.sh index 06774ec..64776d7 100755 --- a/bin/hardening/4.1.5_record_user_group_edit.sh +++ b/bin/hardening/4.1.5_record_user_group_edit.sh @@ -35,7 +35,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -50,7 +50,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -77,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.6_record_network_edit.sh b/bin/hardening/4.1.6_record_network_edit.sh index 3ef5e76..d236946 100755 --- a/bin/hardening/4.1.6_record_network_edit.sh 
+++ b/bin/hardening/4.1.6_record_network_edit.sh @@ -36,7 +36,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -51,7 +51,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.7_record_mac_edit.sh b/bin/hardening/4.1.7_record_mac_edit.sh index 4673d23..27bd729 100755 --- a/bin/hardening/4.1.7_record_mac_edit.sh +++ b/bin/hardening/4.1.7_record_mac_edit.sh @@ -31,7 +31,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -46,7 +46,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) 
@@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.8_record_login_logout.sh b/bin/hardening/4.1.8_record_login_logout.sh index fda7b92..fd07f81 100755 --- a/bin/hardening/4.1.8_record_login_logout.sh +++ b/bin/hardening/4.1.8_record_login_logout.sh @@ -33,7 +33,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -48,7 +48,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.1.9_record_session_init.sh b/bin/hardening/4.1.9_record_session_init.sh index 0d6ac80..bb6ba1a 100755 --- a/bin/hardening/4.1.9_record_session_init.sh 
+++ b/bin/hardening/4.1.9_record_session_init.sh @@ -33,7 +33,7 @@ audit () { IFS=$d_IFS does_pattern_exist_in_file $FILE $AUDIT_VALUE IFS=$c_IFS - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else ok "$AUDIT_VALUE is present in $FILE" @@ -48,7 +48,7 @@ apply () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE $AUDIT_VALUE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) @@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.1_enable_syslog-ng.sh b/bin/hardening/4.2.2.1_enable_syslog-ng.sh index fdf2336..7708019 100755 --- a/bin/hardening/4.2.2.1_enable_syslog-ng.sh +++ b/bin/hardening/4.2.2.1_enable_syslog-ng.sh @@ -22,8 +22,8 @@ SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then ok "$SERVICE_NAME is enabled" else crit "$SERVICE_NAME is disabled" 
@@ -33,8 +33,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { info "Checking if $SERVICE_NAME is enabled" - is_service_enabled $SERVICE_NAME - if [ $FNRET != 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" != 0 ]; then info "Enabling $SERVICE_NAME" update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.2_configure_syslog-ng.sh b/bin/hardening/4.2.2.2_configure_syslog-ng.sh index 1ff1eaa..5e2218c 100755 --- a/bin/hardening/4.2.2.2_configure_syslog-ng.sh +++ b/bin/hardening/4.2.2.2_configure_syslog-ng.sh @@ -48,9 +48,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh index 9ee2ab4..5dbf52c 100755 --- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh 
@@ -155,9 +155,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh index 4f7af00..87389a0 100755 --- a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh +++ b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh @@ -25,7 +25,7 @@ audit () { FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)" for FILE in $FILES; do does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then FOUND=1 fi done @@ -43,7 +43,7 @@ apply () { FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)" for FILE in $FILES; do does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then FOUND=1 fi done @@ -79,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh index c3be515..10b5eb5 100755 --- a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh +++ b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh 
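Review bot: `for FILE in $FILES` in the `audit ()` hunk of 4.2.2.4_syslog-ng_remote_host.sh (`@@ -25,7 +25,7 @@`) splits the `find` output on whitespace and expands globs, so the quoted `"$FILE"` handed to `does_pattern_exist_in_file_multiline` is already a fragment whenever a path under `conf.d/` contains a space. The `apply ()` hunk has the same loop, and 4.2.4_logs_permissions.sh iterates over `$($SUDO_CMD find $DIR -type f)` and then runs `chmod` on each word, where a mis-split name matters more. Reading NUL-delimited names avoids this: `while IFS= read -r -d '' FILE; do` … `done < <($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f -print0)`, with `syslog-ng.conf` checked separately. That form needs bash, which the comments in these scripts suggest is the interpreter, but the shebang is not visible here. `audit ()` starts and ends outside the hunk.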
@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.3_install_syslog-ng.sh b/bin/hardening/4.2.3_install_syslog-ng.sh index bd2b162..6d6cfe6 100755 --- a/bin/hardening/4.2.3_install_syslog-ng.sh +++ b/bin/hardening/4.2.3_install_syslog-ng.sh @@ -22,8 +22,8 @@ PACKAGE='syslog-ng' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -32,8 +32,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index 69dbbdd..0c25df9 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh 
+++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -25,8 +25,8 @@ audit () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -type f); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else ERRORS=$((ERRORS+1)) @@ -44,12 +44,12 @@ apply () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -type f); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else warn "fixing $DIRlogs ownership to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi done @@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/4.3_configure_logrotate.sh b/bin/hardening/4.3_configure_logrotate.sh index 3716e8e..eccc511 100755 --- a/bin/hardening/4.3_configure_logrotate.sh +++ b/bin/hardening/4.3_configure_logrotate.sh @@ -47,9 +47,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
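Review bot: `warn "fixing $DIRlogs ownership to $PERMISSIONS"` in the `apply ()` hunk of 4.2.4_logs_permissions.sh (`@@ -44,12 +44,12 @@`) expands a variable named `DIRlogs`, which nothing visible in this diff sets, so the message most likely prints an empty name and does not say which file is being changed. The next line changes the mode rather than the owner, so I would write `warn "fixing $FILE permissions to $PERMISSIONS"`. The result of `chmod 0"$PERMISSIONS" "$FILE"` is not checked, so a failed fix is not reported; `chmod 0"$PERMISSIONS" "$FILE" || crit "cannot change permissions of $FILE"` would surface it. The `for` loop opens before the hunk and `apply ()` continues after it.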
diff --git a/bin/hardening/5.1.1_enable_cron.sh b/bin/hardening/5.1.1_enable_cron.sh index ac43bc7..c60c4eb 100755 --- a/bin/hardening/5.1.1_enable_cron.sh +++ b/bin/hardening/5.1.1_enable_cron.sh @@ -22,13 +22,13 @@ SERVICE_NAME="cron" # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - is_service_enabled $SERVICE_NAME - if [ $FNRET = 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then ok "$SERVICE_NAME is enabled" else crit "$SERVICE_NAME is disabled" @@ -38,14 +38,14 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" apt_install $PACKAGE - is_service_enabled $SERVICE_NAME - if [ $FNRET != 0 ]; then + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" != 0 ]; then info "Enabling $SERVICE_NAME" update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh index a2b96c6..4177fb4 100755 --- a/bin/hardening/5.1.2_crontab_perm_ownership.sh 
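Review bot: In the `apply ()` hunk of 5.1.1_enable_cron.sh (`@@ -38,14 +38,14 @@`) no `fi` separates `apt_install $PACKAGE` from `is_service_enabled "$SERVICE_NAME"`, so the service check appears to sit inside the `else` branch and is skipped when the package is already installed but the service is disabled. 4.1.2_enable_auditd.sh closes the package `if` with `fi` before it checks the service, and I would do the same here. The `crit` on the install path reads as a failure although apply is about to fix it; 4.1.2 uses `warn "$PACKAGE is absent, installing it"` for the same case. `apt_install $PACKAGE` and the two `update-rc.d $SERVICE_NAME` calls are still unquoted, and their output goes to `/dev/null` without a status check. The end of the function is outside the hunk, so the nesting should be confirmed against the full file.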
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi 
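Review bot: The `apply ()` and `check_config()` hunk of 5.1.2_crontab_perm_ownership.sh (`@@ -41,35 +41,35 @@`) quotes the `has_file_correct_*` calls and `chmod` but leaves `does_file_exist $FILE`, `touch $FILE`, `chown $USER:$GROUP $FILE`, `does_user_exist $USER` and `does_group_exist $GROUP` unquoted. For a consistent result I would write `touch "$FILE"`, `chown "$USER":"$GROUP" "$FILE"` and `does_user_exist "$USER"`, and quote the remaining two calls the same way. Neither `chown` nor `chmod` has its exit status checked, so a fix that fails is not reported. The same lines are in the matching hunks of 5.1.3, 5.1.4 and 5.1.5 in this diff. `check_config()` continues past the end of the hunk.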
@@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh index ae20ebb..c2d61bd 100755 --- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" 
@@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh index 4a07de7..5307954 100755 --- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh 
@@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi 
@@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh index 37d15fe..779af01 100755 --- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" 
@@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh index 20d3d8c..b28efdb 100755 --- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh 
@@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi 
@@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.7_cron_d_perm_ownership.sh b/bin/hardening/5.1.7_cron_d_perm_ownership.sh index 6b85c5d..4d51e54 100755 --- a/bin/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/5.1.7_cron_d_perm_ownership.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" 
@@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh index cf018c5..539a396 100755 --- a/bin/hardening/5.1.8_cron_users.sh +++ b/bin/hardening/5.1.8_cron_users.sh 
@@ -27,7 +27,7 @@ GROUP='root' audit () { for FILE in $FILES_ABSENT; do does_file_exist $FILE - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then crit "$FILE exists" else ok "$FILE is absent" @@ -35,17 +35,17 @@ audit () { done for FILE in $FILES_PRESENT; do does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$FILE is absent" else - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -58,7 +58,7 @@ audit () { apply () { for FILE in $FILES_ABSENT; do does_file_exist $FILE - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then warn "$FILE exists" rm $FILE else @@ -67,23 +67,23 @@ apply () { done for FILE in $FILES_PRESENT; do does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then warn "$FILE is absent" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else warn "$FILE permissions were not set to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi done } 
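Review bot: `rm $FILE` in the apply() hunk at -58,7 is still unquoted, as are `does_file_exist $FILE`, `touch $FILE` and `chown $USER:$GROUP $FILE` in the loops around it. The loop variable comes from the unquoted `$FILES_ABSENT` / `$FILES_PRESENT` lists, so it has already been split and globbed once; expanding it unquoted a second time means the deletion can act on something other than the entry named in the preceding `warn "$FILE exists"`. I would write `rm -- "$FILE"` (the `--` also covers a name that begins with a dash) and quote the other three calls. Both loops start or end outside the hunks shown here.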
@@ -91,12 +91,12 @@ apply () { # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -114,9 +114,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh index 3ea387f..0932c6e 100755 --- a/bin/hardening/5.2.10_disable_root_login.sh +++ b/bin/hardening/5.2.10_disable_root_login.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" 
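Review bot: The audit pattern in the -33,7 hunk of 5.2.10, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`, has no end anchor, so, assuming does_pattern_exist_in_file does a plain regex search, a line whose value merely begins with the expected one is reported as compliant (constructed example: an expected `300` also matches `3000`). Anchoring the end, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*\$"`, would close that gap; the apply() path reuses the same pattern and should be checked against the change. Separately, sshd matches keywords case-insensitively and takes the first occurrence of a keyword, so auditing the output of `sshd -T` would be more reliable than grepping the file, though that is a larger change than this commit. The same pattern is built in the audit and apply hunks of 5.2.11 to 5.2.13 and 5.2.16 to 5.2.18, and `echo $SSH_OPTION` and `does_pattern_exist_in_file $FILE` are still unquoted there.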
@@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh index b46b6e5..d398322 100755 --- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" 
@@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh index 0a613ca..ea857a6 100755 --- a/bin/hardening/5.2.12_disable_sshd_setenv.sh +++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh index 82fd2fe..2692009 100755 --- a/bin/hardening/5.2.13_sshd_ciphers.sh +++ b/bin/hardening/5.2.13_sshd_ciphers.sh 
@@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/5.2.14_ssh_cry_mac.sh b/bin/hardening/5.2.14_ssh_cry_mac.sh index 4c2bdf1..d4c0cd8 100755 --- a/bin/hardening/5.2.14_ssh_cry_mac.sh +++ b/bin/hardening/5.2.14_ssh_cry_mac.sh @@ -23,7 +23,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -44,7 +44,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh index d755587..3ba9076 100755 --- a/bin/hardening/5.2.15_ssh_cry_kex.sh +++ b/bin/hardening/5.2.15_ssh_cry_kex.sh @@ -23,7 +23,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -44,7 +44,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else 
@@ -109,9 +109,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh index 111dc0e..a7ffd57 100755 --- a/bin/hardening/5.2.16_sshd_idle_timeout.sh +++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh @@ -24,8 +24,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -34,7 +34,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -45,8 +45,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" 
@@ -57,12 +57,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -100,9 +100,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh index 6195c42..7f035f8 100755 --- a/bin/hardening/5.2.17_sshd_login_grace_time.sh +++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" 
@@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh index 3e74ab5..6b15a71 100755 --- a/bin/hardening/5.2.18_sshd_limit_access.sh +++ b/bin/hardening/5.2.18_sshd_limit_access.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -34,7 +34,7 @@ audit () { SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -45,8 +45,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -58,12 +58,12 @@ apply () { SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -119,9 +119,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh index 92bfba9..578d285 100755 --- a/bin/hardening/5.2.19_ssh_banner.sh +++ b/bin/hardening/5.2.19_ssh_banner.sh 
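Review bot: In the -34,7 and -58,12 hunks `$SSH_VALUE` is interpolated into the regex `PATTERN` without escaping, and for this check it comes from the AllowUsers/AllowGroups/DenyUsers/DenyGroups settings shown in the `OPTIONS=` line, where sshd accepts `*` and `?` wildcards. Those characters are quantifiers in a regex, so a configured value that uses them may not match its own line in the file, or may match a different one; an empty setting would presumably reduce the pattern to the bare keyword. A fixed-string comparison of the whole `"$SSH_PARAM $SSH_VALUE"` line would avoid this, if the helper can be given one. The here-string is also still unquoted; `sed "s/'//g" <<< "$SSH_VALUE"` matches the rest of the commit. The loop these lines sit in starts outside the hunks.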
@@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { OPTIONS="Banner=$BANNER_FILE" - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -32,7 +32,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) PATTERN="^$SSH_PARAM[[:space:]]*" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -43,8 +43,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -55,12 +55,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present and activated" @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
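Review bot: The audit pattern in the -32,7 hunk, `PATTERN="^$SSH_PARAM[[:space:]]*"`, only checks that a Banner keyword is present and ignores its value, so a line such as `Banner none` passes the audit although it disables the banner. apply() in the -55,12 hunk builds its pattern with `$SSH_VALUE`, so the two modes disagree about what counts as compliant. I would have audit cut `SSH_VALUE` from `$SSH_OPTION` as apply does and use `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`, or at least reject `none`. If checking presence only is intentional, a comment such as `# any Banner value is accepted here, only the keyword is audited` would make that explicit. The audit loop starts and ends outside the hunk.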
diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh index 14ddb88..8339535 100755 --- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh +++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -41,35 +41,35 @@ audit () { # This function will be called if the script status is on enabled mode apply () { does_file_exist $FILE - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch $FILE fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi } # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi 
@@ -87,9 +87,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index 14b76eb..3ed61a7 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -27,8 +27,8 @@ audit () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else ERRORS=$((ERRORS+1)) @@ -44,8 +44,8 @@ audit () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else @@ -63,8 +63,8 @@ audit () { apply () { for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else warn "fixing $DIR SSH private keys permissions to $USER:$GROUP" 
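Review bot: Quoting `"$FILE"` inside the loop of the 5.2.2 `@@ -27,8 +27,8 @@` hunk does not help if a path contains whitespace, because `for FILE in $($SUDO_CMD find $DIR ...)` has already split the find output into words. Host key names rarely contain spaces, so the simplest step is to quote `"$DIR"` and record the assumption above the loop, e.g. `# relies on word splitting of find output: key paths must not contain whitespace`. Replacing the loop with `find ... | while read` would need care, since `ERRORS` is incremented inside the loop and a pipeline would run it in a subshell. The same loop header appears in the other 5.2.2 hunks and in 5.2.3.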
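Review bot: The warning in the ownership branch of apply (`@@ -63,8 +63,8 @@`) reads `fixing $DIR SSH private keys permissions to $USER:$GROUP`, and the permissions branch in the following `@@ -75,12 +75,12 @@` hunk reads `... ownership to $PERMISSIONS`; the two messages look swapped. These lines are what an operator sees in the log when a private key is changed, so they should say what was done: `warn "fixing $FILE ownership to $USER:$GROUP"` and `warn "fixing $FILE permissions to $PERMISSIONS"`. The command that follows the first warning is outside the hunk.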
@@ -75,12 +75,12 @@ apply () { for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else warn "fixing $DIR SSH private keys ownership to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi done @@ -90,12 +90,12 @@ apply () { # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -113,9 +113,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 502c8bf..8a59c7c 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh 
@@ -27,16 +27,16 @@ audit () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - has_file_correct_permissions $FILE 640 - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" 640 + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - has_file_correct_permissions $FILE 600 - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" 600 + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else ERRORS=$((ERRORS+1)) @@ -54,8 +54,8 @@ audit () { ERRORS=0 for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else @@ -73,20 +73,20 @@ audit () { apply () { for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - has_file_correct_permissions $FILE 640 - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" 640 + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - has_file_correct_permissions $FILE 600 - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" 600 + if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else warn "fixing $DIR SSH public keys permissions to $USER:$GROUP" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi fi fi 
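Review bot: All three success branches in the audit loop of the `@@ -27,16 +27,16 @@` hunk print `ok "$FILE permissions were set to $PERMISSIONS"`, including the ones that matched the literal modes 640 and 600. The report can therefore state a mode the file does not have. I would print the mode that matched, `ok "$FILE permissions were set to 640"` and `ok "$FILE permissions were set to 600"`, and add a comment saying why the stricter modes are accepted. The apply loop in the `@@ -73,20 +73,20 @@` hunk repeats the same three messages.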
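Review bot: The warning before `chmod 0"$PERMISSIONS" "$FILE"` in the `@@ -73,20 +73,20 @@` hunk says `fixing $DIR SSH public keys permissions to $USER:$GROUP`, and the ownership loop in the next hunk (`@@ -94,8 +94,8 @@`) says `... ownership to $PERMISSIONS`. Each message names the other operation's target value. Suggested wording: `warn "fixing $FILE permissions to $PERMISSIONS"` here and `warn "fixing $FILE ownership to $USER:$GROUP"` in the ownership loop.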
@@ -94,8 +94,8 @@ apply () { for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else warn "fixing $DIR SSH public keys ownership to $PERMISSIONS" @@ -108,12 +108,12 @@ apply () { # This function will check config parameters required check_config() { does_user_exist $USER - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$USER does not exist" exit 128 fi does_group_exist $GROUP - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" exit 128 fi @@ -131,9 +131,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh index 7958561..5607051 100755 --- a/bin/hardening/5.2.4_sshd_protocol.sh +++ b/bin/hardening/5.2.4_sshd_protocol.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.5_sshd_loglevel.sh b/bin/hardening/5.2.5_sshd_loglevel.sh index 9415666..4b90254 100755 --- a/bin/hardening/5.2.5_sshd_loglevel.sh +++ b/bin/hardening/5.2.5_sshd_loglevel.sh 
@@ -24,7 +24,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -101,9 +101,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh index 4b7b92a..adb2065 100755 --- a/bin/hardening/5.2.6_disable_x11_forwarding.sh +++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" 
@@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh index 9316ee4..a664b8c 100755 --- a/bin/hardening/5.2.7_sshd_maxauthtries.sh +++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh index 41ddc97..38c490f 100755 --- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh 
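Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` in the 5.2.7 audit hunk (`@@ -33,7 +33,7 @@`) has no anchor after the value, so if `does_pattern_exist_in_file` does an unanchored regex search (its body is not shown), a required value such as 4 (constructed example) would also be satisfied by `MaxAuthTries 40`. The `*` additionally allows zero separators between keyword and value. I would tighten it to `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*\$"` in both audit and apply. The `$SHADOW_PARAM` patterns in the 5.4.1.1 to 5.4.1.3 hunks are built the same way and presumably hold numeric day counts as well.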
@@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -97,9 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh index 9834468..3d4a57a 100755 --- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh @@ -23,8 +23,8 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" 
@@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh index 437897f..e7e53d6 100755 --- a/bin/hardening/5.3.1_enable_pwquality.sh +++ b/bin/hardening/5.3.1_enable_pwquality.sh @@ -27,13 +27,13 @@ FILE_QUALITY='/etc/security/pwquality.conf' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_COMMON is present in $FILE_COMMON" else crit "$PATTERN_COMMON is not present in $FILE_COMMON" @@ -44,7 +44,7 @@ audit () { PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE" does_pattern_exist_in_file $FILE_QUALITY "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE_QUALITY" else crit "$PATTERN is not present in $FILE_QUALITY" 
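Review bot: `does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON` in the 5.3.1 audit hunk (`@@ -27,13 +27,13 @@`) is left unquoted although the `$FNRET` test directly below it is now quoted. A pattern is the argument most likely to contain spaces or bracket expressions, and unquoted it is word-split and glob-expanded before the helper sees it. Suggested: `does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"`. The apply hunks of the same file have the same call and also `does_pattern_exist_in_file $FILE_QUALITY $PATTERN`, where `$PATTERN` contains `[[:space:]]+`.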
@@ -55,15 +55,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_COMMON is present in $FILE_COMMON" else warn "$PATTERN_COMMON is not present in $FILE_COMMON" @@ -75,12 +75,12 @@ apply () { PW_VALUE=$(echo $PW_OPT | cut -d= -f2) PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE" does_pattern_exist_in_file $FILE_QUALITY $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE_QUALITY" else warn "$PATTERN is not present in $FILE_QUALITY, adding it" does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" @@ -116,9 +116,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.3.2_enable_lockout_failed_password.sh b/bin/hardening/5.3.2_enable_lockout_failed_password.sh index f898b72..c4113cc 100755 --- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh +++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh 
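Review bot: The info message in the `@@ -75,12 +75,12 @@` hunk of 5.3.1 prints `$SSH_PARAM`, but the code around it works with `$PW_PARAM` and `$PW_VALUE`; this looks like a leftover from the sshd scripts. Unless `SSH_PARAM` is set somewhere outside the hunk, the message comes out with an empty parameter name. Suggested: `info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"`.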
@@ -25,19 +25,19 @@ FILE_ACCOUNT='/etc/pam.d/common-account' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_AUTH is present in $FILE_AUTH" else crit "$PATTERN_AUTH is not present in $FILE_AUTH" fi does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" else crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT" @@ -47,22 +47,22 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_AUTH is present in $FILE_AUTH" else warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it" add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details." fi does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" else warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it" 
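Review bot: The apply hunk of 5.3.2 (`@@ -47,22 +47,22 @@`) writes a hard-coded `auth required pam_tally2.so ...` line into `$FILE_AUTH`, and nothing visible checks that the module exists on the host. pam_tally2 has been dropped from newer Linux-PAM releases in favour of pam_faillock, and a `required` entry for a module that cannot be loaded makes authentication fail for every service using that stack. I would guard the insertion on the module being present and otherwise only warn; at minimum add `# requires pam_tally2.so; newer Linux-PAM ships pam_faillock instead` above the line. The `is_pkg_installed "$PACKAGE"` check earlier in apply may cover this if `$PACKAGE` provides the module, which the hunk does not show.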
@@ -88,9 +88,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.3.3_limit_password_reuse.sh b/bin/hardening/5.3.3_limit_password_reuse.sh index 940365f..237f7f4 100755 --- a/bin/hardening/5.3.3_limit_password_reuse.sh +++ b/bin/hardening/5.3.3_limit_password_reuse.sh @@ -23,13 +23,13 @@ FILE='/etc/pam.d/common-password' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -39,15 +39,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh index d2e100d..42ae2fb 100755 --- a/bin/hardening/5.3.4_acc_pam_sha512.sh +++ b/bin/hardening/5.3.4_acc_pam_sha512.sh @@ -66,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh index a7f2b68..195eb43 100755 --- a/bin/hardening/5.4.1.1_set_password_exp_days.sh +++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh @@ -23,8 +23,8 @@ FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" 
@@ -33,7 +33,7 @@ audit () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh index 80d7719..b2fa8f6 100755 --- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh 
@@ -23,8 +23,8 @@ FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" @@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh index a4c587e..f2949f7 100755 --- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -23,8 +23,8 @@ FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -33,7 +33,7 @@ audit () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -44,8 +44,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" @@ -56,12 +56,12 @@ apply () { SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" 
@@ -98,9 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.1.4_lock_inactive_user_account.sh b/bin/hardening/5.4.1.4_lock_inactive_user_account.sh index 850f46f..0005216 100755 --- a/bin/hardening/5.4.1.4_lock_inactive_user_account.sh +++ b/bin/hardening/5.4.1.4_lock_inactive_user_account.sh @@ -48,9 +48,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh index e41aafc..3b26975 100755 --- a/bin/hardening/5.4.2_disable_system_accounts.sh +++ b/bin/hardening/5.4.2_disable_system_accounts.sh @@ -117,9 +117,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/5.4.3_default_root_group.sh b/bin/hardening/5.4.3_default_root_group.sh index 2f39290..1dccc3e 100755 --- a/bin/hardening/5.4.3_default_root_group.sh +++ b/bin/hardening/5.4.3_default_root_group.sh @@ -56,9 +56,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh index bdc556d..7f999f1 100755 --- a/bin/hardening/5.4.4_default_umask.sh +++ b/bin/hardening/5.4.4_default_umask.sh @@ -31,7 +31,7 @@ audit () { debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" else ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" @@ -41,7 +41,7 @@ audit () { done else does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED" else ok "$PATTERN is present in $FILES_TO_SEARCH" @@ -63,7 +63,7 @@ apply () { debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" else ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" 
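Review bot: The loop header `for file_in_dir in $(ls $FILE_SEARCHED); do` in the audit () hunk at -31,7 of 5.4.4_default_umask.sh is left as it was while the `$FNRET` test below it gets quoted, and it word-splits and glob-expands both the directory name and every file name `ls` prints. A name containing whitespace is then checked as several non-existent paths, so a file in that directory can be missed or misreported. Iterating the glob avoids that: `for file_in_dir in "$FILE_SEARCHED"/*; do` with `[ -e "$file_in_dir" ] || continue` as the first statement, and `"$file_in_dir"` in place of `"$FILE_SEARCHED/$file_in_dir"`. The apply () hunk at -63,7 has the same loop, and the `$( $SUDO_CMD ls $FILE_SEARCHED)` loop in 99.2_disable_usb_devices.sh splits the same way, although it needs a different fix because the listing goes through `$SUDO_CMD`. The loop body continues outside the hunk.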
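Review bot: In the else-branch of the audit () hunk at -41,7 of 5.4.4_default_umask.sh the success message prints `$FILES_TO_SEARCH`, while the check just above it and the `debug` line both use `$FILE_SEARCHED`. Assuming `$FILES_TO_SEARCH` is the whole list being iterated (it is defined outside the hunk), the audit output names every candidate instead of the file where the pattern was found. `ok "$PATTERN is present in $FILE_SEARCHED"` would match the directory branch. The apply () hunk at -73,7 has the same line.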
@@ -73,7 +73,7 @@ apply () { done else does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED" else ok "$PATTERN is present in $FILES_TO_SEARCH" @@ -106,9 +106,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.5_secure_tty.sh b/bin/hardening/5.5_secure_tty.sh index 77b6c75..80ffe93 100755 --- a/bin/hardening/5.5_secure_tty.sh +++ b/bin/hardening/5.5_secure_tty.sh @@ -48,9 +48,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/5.6_restrict_su.sh b/bin/hardening/5.6_restrict_su.sh index d088986..b339cb1 100755 --- a/bin/hardening/5.6_restrict_su.sh +++ b/bin/hardening/5.6_restrict_su.sh 
@@ -23,13 +23,13 @@ FILE='/etc/pam.d/su' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -39,15 +39,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi does_pattern_exist_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else crit "$PATTERN is not present in $FILE" @@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh index a96e917..9b75f8b 100755 --- a/bin/hardening/6.1.10_find_world_writable_file.sh +++ b/bin/hardening/6.1.10_find_world_writable_file.sh 
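Review bot: `does_pattern_exist_in_file $FILE $PATTERN` keeps both arguments unquoted in this audit () hunk, although `$PACKAGE` and `$FNRET` around it are now quoted and the 5.4.1.x scripts already pass `"$PATTERN"`. An unquoted regular expression is word-split and treated as a glob before the helper sees it, so a pattern containing spaces or bracket expressions can reach the helper as different arguments and the check can fail or match the wrong thing. I would write `does_pattern_exist_in_file "$FILE" "$PATTERN"` here and in the apply () hunk at -39,15, where `apt_install $PACKAGE` is also still unquoted. The audit () hunk of 6.2.20_shadow_group_empty.sh has the same call with `$FILEGROUP $PATTERN`, and its `PATTERN` value, visible in the hunk header, contains a bracket expression.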
@@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh index ea14d20..adfbd3c 100755 --- a/bin/hardening/6.1.11_find_unowned_files.sh +++ b/bin/hardening/6.1.11_find_unowned_files.sh @@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index b0d0994..c41498e 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh @@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh index d6c2a7a..d463eb6 100755 --- a/bin/hardening/6.1.13_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh @@ -77,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh index 65c81ef..8492003 100755 --- a/bin/hardening/6.1.14_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh @@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.5_etc_passwd_permissions.sh b/bin/hardening/6.1.5_etc_passwd_permissions.sh index f1eb22a..bf1192d 100755 --- a/bin/hardening/6.1.5_etc_passwd_permissions.sh +++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh 
@@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" @@ -40,15 +40,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" @@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.6_etc_shadow_permissions.sh b/bin/hardening/6.1.6_etc_shadow_permissions.sh index a30392d..3b7f6f1 100755 --- a/bin/hardening/6.1.6_etc_shadow_permissions.sh 
+++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh @@ -24,14 +24,14 @@ GROUP='shadow' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" @@ -40,15 +40,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" @@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.1.7_etc_group_permissions.sh b/bin/hardening/6.1.7_etc_group_permissions.sh index f784cce..fa93cbd 100755 
--- a/bin/hardening/6.1.7_etc_group_permissions.sh +++ b/bin/hardening/6.1.7_etc_group_permissions.sh @@ -24,14 +24,14 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" @@ -40,15 +40,15 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else info "fixing $FILE permissions to $PERMISSIONS" - chmod 0$PERMISSIONS $FILE + chmod 0"$PERMISSIONS" "$FILE" fi - has_file_correct_ownership $FILE $USER $GROUP - if [ $FNRET = 0 ]; then + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" @@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh index 1d1b28a..270b52d 100755 --- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh +++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh @@ -79,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.11_find_user_forward_files.sh b/bin/hardening/6.2.11_find_user_forward_files.sh index 11920a8..e9150bb 100755 --- a/bin/hardening/6.2.11_find_user_forward_files.sh +++ b/bin/hardening/6.2.11_find_user_forward_files.sh @@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.12_find_user_netrc_files.sh b/bin/hardening/6.2.12_find_user_netrc_files.sh index 590b26c..2c73606 100755 --- a/bin/hardening/6.2.12_find_user_netrc_files.sh +++ b/bin/hardening/6.2.12_find_user_netrc_files.sh 
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh index 802c0e8..7223481 100755 --- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh +++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh @@ -26,8 +26,8 @@ audit () { debug "Working on $DIR" for FILE in $DIR/.netrc; do if [ ! -h "$FILE" -a -f "$FILE" ]; then - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" @@ -49,8 +49,8 @@ apply () { debug "Working on $DIR" for FILE in $DIR/.netrc; do if [ ! -h "$FILE" -a -f "$FILE" ]; then - has_file_correct_permissions $FILE $PERMISSIONS - if [ $FNRET = 0 ]; then + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" else warn "$FILE permissions were not set to $PERMISSIONS" @@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
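Review bot: `for FILE in $DIR/.netrc; do` leaves `$DIR` unquoted in the audit () hunk at -26,8 of 6.2.13_set_perm_on_user_netrc.sh, so the quoting added to the `has_file_correct_permissions` call only takes effect after the path has already been word-split and glob-expanded. `$DIR` is set outside the hunk; if it is a home directory read from the account database, a path with whitespace or glob characters makes the loop inspect other paths than the intended `.netrc`. `for FILE in "$DIR"/.netrc; do` fixes that, and the test on the next line is more robust as `if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then`, since `-a` inside `[` is marked obsolescent by POSIX. The apply () hunk at -49,8 has the same two lines.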
diff --git a/bin/hardening/6.2.14_find_user_rhosts_files.sh b/bin/hardening/6.2.14_find_user_rhosts_files.sh index 5ebe13e..43fdbdf 100755 --- a/bin/hardening/6.2.14_find_user_rhosts_files.sh +++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh @@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh index 2138950..d96860e 100755 --- a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh @@ -57,9 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.16_check_duplicate_uid.sh b/bin/hardening/6.2.16_check_duplicate_uid.sh index 7e50ac5..4bbac9a 100755 --- a/bin/hardening/6.2.16_check_duplicate_uid.sh +++ b/bin/hardening/6.2.16_check_duplicate_uid.sh 
@@ -79,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.17_check_duplicate_gid.sh b/bin/hardening/6.2.17_check_duplicate_gid.sh index 2a4d1bb..435bab2 100755 --- a/bin/hardening/6.2.17_check_duplicate_gid.sh +++ b/bin/hardening/6.2.17_check_duplicate_gid.sh @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh index 979ff31..c4aad03 100755 --- a/bin/hardening/6.2.18_check_duplicate_username.sh +++ b/bin/hardening/6.2.18_check_duplicate_username.sh @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh index 8eb81ac..33c4542 100755 --- a/bin/hardening/6.2.19_check_duplicate_groupname.sh +++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.1_remove_empty_password_field.sh b/bin/hardening/6.2.1_remove_empty_password_field.sh index c2751b7..2e222b2 100755 --- a/bin/hardening/6.2.1_remove_empty_password_field.sh +++ b/bin/hardening/6.2.1_remove_empty_password_field.sh @@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.20_shadow_group_empty.sh b/bin/hardening/6.2.20_shadow_group_empty.sh index bf2b708..1606f4f 100755 --- a/bin/hardening/6.2.20_shadow_group_empty.sh +++ b/bin/hardening/6.2.20_shadow_group_empty.sh 
@@ -24,7 +24,7 @@ PATTERN='^shadow:x:[[:digit:]]+:' # This function will be called if the script status is on enabled / audit mode audit () { does_pattern_exist_in_file $FILEGROUP $PATTERN - if [ $FNRET = 0 ]; then + if [ "$FNRET" = 0 ]; then info "shadow group exists" RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4) GROUPID=$(getent group shadow | cut -d: -f3) @@ -69,9 +69,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh index 27a5525..44063ad 100755 --- a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh +++ b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh @@ -63,9 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh index 7ca87de..7a5b2ae 100755 --- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh 
@@ -63,9 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.4_remove_legacy_group_entries.sh b/bin/hardening/6.2.4_remove_legacy_group_entries.sh index 79dca7d..f16a625 100755 --- a/bin/hardening/6.2.4_remove_legacy_group_entries.sh +++ b/bin/hardening/6.2.4_remove_legacy_group_entries.sh @@ -63,9 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh index 7f32d77..e0e4b98 100755 --- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh +++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh @@ -80,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh index 3b12a26..0ac0523 100755 --- a/bin/hardening/6.2.6_sanitize_root_path.sh +++ b/bin/hardening/6.2.6_sanitize_root_path.sh @@ -90,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh index 8550f55..113fb14 100755 --- a/bin/hardening/6.2.7_users_valid_homedir.sh +++ b/bin/hardening/6.2.7_users_valid_homedir.sh @@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh index efedc59..16477c3 100755 --- a/bin/hardening/6.2.8_check_user_dir_perm.sh +++ b/bin/hardening/6.2.8_check_user_dir_perm.sh 
@@ -120,9 +120,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh index 1f920ec..1b6edb1 100755 --- a/bin/hardening/6.2.9_users_valid_homedir.sh +++ b/bin/hardening/6.2.9_users_valid_homedir.sh @@ -92,9 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh index 537729c..db488cb 100755 --- a/bin/hardening/8.0_enable_auditd_kernel.sh +++ b/bin/hardening/8.0_enable_auditd_kernel.sh @@ -24,8 +24,8 @@ KERNEL_OPTION="CONFIG_AUDIT" # This function will be called if the script status is on enabled / audit mode audit () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" else crit "$KERNEL_OPTION is disabled, auditd will not work" 
@@ -35,8 +35,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_kernel_option_enabled $KERNEL_OPTION - if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + is_kernel_option_enabled "$KERNEL_OPTION" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" else warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please" @@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index 9b1099c..a54081c 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -22,8 +22,8 @@ PACKAGE='tripwire' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" @@ -32,8 +32,8 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else crit "$PACKAGE is absent, installing it" 
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index ba9b002..483d554 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh @@ -112,9 +112,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index 4188bb2..5548aa2 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -29,7 +29,7 @@ audit () { debug "$FILE_SEARCHED is a directory" for file_in_dir in $( $SUDO_CMD ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" else ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" 
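Review bot: In the 99.2 audit hunk at -29 the loop `for file_in_dir in $( $SUDO_CMD ls $FILE_SEARCHED); do` stays unquoted while `$FNRET` below it gets quoted, so a file name containing whitespace or glob characters is split or expanded and the pattern check runs against paths that do not exist. For an audit that means a file in that directory can be skipped without any message. Reading the listing line by line keeps the sudo call, `$SUDO_CMD ls -- "$FILE_SEARCHED" | while IFS= read -r file_in_dir; do`, provided nothing set inside the loop is needed after it, since the loop would then run in a subshell. The `apply` hunk at -61 has the same loop with a plain `ls`, and audit() starts before and ends after this hunk.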
@@ -39,7 +39,7 @@ audit () { done else does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED" else ok "$PATTERN is present in $FILES_TO_SEARCH" @@ -61,7 +61,7 @@ apply () { debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" else ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" @@ -71,7 +71,7 @@ apply () { done else does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ $FNRET != 0 ]; then + if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED" else ok "$PATTERN is present in $FILES_TO_SEARCH" @@ -116,9 +116,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.h - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.3.1_acc_shadow_sha512.sh index a5ab471..47e9e0c 100755 --- a/bin/hardening/99.3.1_acc_shadow_sha512.sh +++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh 
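Review bot: The success message in the 99.2 hunk at -39 prints `$FILES_TO_SEARCH`, although the check just above it and the debug message in the other branch use `$FILE_SEARCHED`; the same mismatch is in the `apply` hunk at -71. It looks like the report names the whole search list instead of the file that matched, which makes the audit output harder to act on. I would change both lines to `ok "$PATTERN is present in $FILE_SEARCHED"`. The loop that sets these variables is outside the hunks, so this is inferred from the variable names.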
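Review bot: The directive kept as context in the 99.2 hunk at -116 reads `# shellcheck source=../../lib/main.h`, while every other script in this diff points to `main.sh`. With the wrong file name ShellCheck presumably cannot follow the sourced library for this script, so the helper definitions are not resolved when it is linted. Since the commit touches the neighbouring lines for quoting anyway, correct it to `# shellcheck source=../../lib/main.sh`.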
@@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.3.2_acc_sudoers_no_all.sh b/bin/hardening/99.3.2_acc_sudoers_no_all.sh index fdbac25..b07d0f8 100755 --- a/bin/hardening/99.3.2_acc_sudoers_no_all.sh +++ b/bin/hardening/99.3.2_acc_sudoers_no_all.sh @@ -92,9 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.3.4_acc_logindefs_sha512.sh b/bin/hardening/99.3.4_acc_logindefs_sha512.sh index a3f96fa..7f7d6cc 100755 --- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh +++ b/bin/hardening/99.3.4_acc_logindefs_sha512.sh @@ -68,9 +68,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 
diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh index e14fd26..b868897 100755 --- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh +++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh @@ -23,7 +23,7 @@ OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthen # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -44,7 +44,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -89,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh index 950ec62..dedda04 100755 --- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh +++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh @@ -38,7 +38,7 @@ audit () { return fi set -u - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -59,7 +59,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else 
@@ -106,9 +106,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh index cb7c142..3caf400 100755 --- a/bin/hardening/99.5.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.3_ssh_disable_features.sh @@ -22,7 +22,7 @@ OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwardin # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -43,7 +43,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -89,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index 52f7ecc..15fd6f2 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh 
@@ -177,9 +177,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh index 22fb71e..7ed703b 100755 --- a/bin/hardening/99.5.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.5_ssh_strict_modes.sh @@ -21,7 +21,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -42,7 +42,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -88,9 +88,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh index 6d5c223..31be884 100755 --- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh +++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh 
@@ -23,7 +23,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -39,7 +39,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -80,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh index 0298dfd..eaebfe1 100755 --- a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh +++ b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh @@ -58,9 +58,9 @@ fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh index 30c3e76..07cf929 100755 --- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh +++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh 
@@ -23,7 +23,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -45,7 +45,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else @@ -90,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh index 9d2b5ed..f119095 100755 --- a/bin/hardening/99.5.9_ssh_loglevel.sh +++ b/bin/hardening/99.5.9_ssh_loglevel.sh @@ -23,7 +23,7 @@ FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else @@ -44,7 +44,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE + is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" else 
@@ -89,9 +89,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh - . $CIS_ROOT_DIR/lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128