diff --git a/bin/hardening.sh b/bin/hardening.sh
index bd85e45..e45dca1 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -180,15 +180,15 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 exit 128
 fi
 # shellcheck source=../lib/constants.sh
-[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
-if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@@ -223,7 +223,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
 exit 0
 fi
-if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
 echo "For --create-config-files-only, please run as root"
 exit 1
 fi
diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh
index bdfd696..dbb4bb2 100755
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
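Review bot: The sourcing lines still fail open: `[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh` silently skips a missing or unreadable library, so the script runs on without its helper functions and dies later with a command-not-found instead of at the source point. For the two lib files I would fail closed, e.g. `[ -r "$CIS_ROOT_DIR"/lib/common.sh ] || { echo "Cannot read $CIS_ROOT_DIR/lib/common.sh" >&2; exit 128; }` before the `.`, and keep the permissive form only for `etc/hardening.cfg`. That config line also deserves a comment stating that the file is executed as shell code, so it must stay root-owned and not group- or world-writable. The surrounding top-level code continues outside the hunk.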
@@ -22,7 +22,7 @@ MODULE_FILE="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
 else
diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh
index 615c14a..7527ca0 100755
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@@ -22,7 +22,7 @@ MODULE_FILE="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
 else
diff --git a/bin/hardening/1.1.1.5_disable_udf.sh b/bin/hardening/1.1.1.5_disable_udf.sh
index 8273c6a..6516097 100755
--- a/bin/hardening/1.1.1.5_disable_udf.sh
+++ b/bin/hardening/1.1.1.5_disable_udf.sh
@@ -22,7 +22,7 @@ MODULE_FILE="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
 else
diff --git a/bin/hardening/1.1.1.7_disable_squashfs.sh b/bin/hardening/1.1.1.7_disable_squashfs.sh
index d9b8212..feaa3dc 100755
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@@ -22,7 +22,7 @@ MODULE_FILE="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
 else
diff --git a/bin/hardening/1.1.10_var_tmp_noexec.sh b/bin/hardening/1.1.10_var_tmp_noexec.sh
index de5a24d..d1265de 100755
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.14_home_nodev.sh b/bin/hardening/1.1.14_home_nodev.sh
index 5da7307..e3221fb 100755
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.22_disable_automounting.sh b/bin/hardening/1.1.22_disable_automounting.sh
index fff3322..62eb6e0 100755
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@@ -36,7 +36,7 @@ apply() {
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" = 0 ]; then
 info "Disabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
 else
 ok "$SERVICE_NAME is disabled"
 fi
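Review bot: `update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1` in the 1.1.22 hunk hides both the output and the exit status, so when the call fails (for instance because no init script exists for the service) apply() prints `Disabling ...` and nothing else, and the next audit fails again with no hint why. I would check it: `update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1 || warn "Failed to disable $SERVICE_NAME"`. Note also that `remove` only deletes the rc symlinks; an already running instance of the service keeps serving until it is stopped or the host reboots, which deserves a `warn` line or an explicit stop. apply() starts before this hunk.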
diff --git a/bin/hardening/1.1.3_tmp_nodev.sh b/bin/hardening/1.1.3_tmp_nodev.sh
index 9996b80..95f65e7 100755
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.4_tmp_nosuid.sh b/bin/hardening/1.1.4_tmp_nosuid.sh
index d6e3c47..4225bf6 100755
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.5_tmp_noexec.sh b/bin/hardening/1.1.5_tmp_noexec.sh
index 7d673cd..54fe441 100755
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.8_var_tmp_nodev.sh b/bin/hardening/1.1.8_var_tmp_nodev.sh
index f7fbd9e..ea6dd63 100755
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.1.9_var_tmp_nosuid.sh b/bin/hardening/1.1.9_var_tmp_nosuid.sh
index 1125594..ac9a772 100755
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@@ -56,7 +56,7 @@ apply() {
 crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
 elif [ "$FNRET" = 1 ]; then
 info "Adding $OPTION to fstab"
- add_option_to_fstab $PARTITION $OPTION
+ add_option_to_fstab "$PARTITION" "$OPTION"
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
 elif [ "$FNRET" = 3 ]; then
diff --git a/bin/hardening/1.4.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh
index 2309d63..803a374 100755
--- a/bin/hardening/1.4.1_bootloader_ownership.sh
+++ b/bin/hardening/1.4.1_bootloader_ownership.sh
@@ -68,17 +68,17 @@ check_config() {
 warn "Grub is not installed, not handling configuration"
 exit 128
 fi
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
 fi
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 exit 128
diff --git a/bin/hardening/1.4.2_bootloader_password.sh b/bin/hardening/1.4.2_bootloader_password.sh
index aad38dd..0585c1b 100755
--- a/bin/hardening/1.4.2_bootloader_password.sh
+++ b/bin/hardening/1.4.2_bootloader_password.sh
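Review bot: In the 1.4.1 hunk, `does_user_exist "$USER"` and the `crit "$USER does not exist"` message reuse `USER`, a name every login shell already exports; if the script's own `USER=...` assignment (outside this hunk) is ever dropped or misspelled, the check silently runs against the invoking account and still passes. A script-specific name such as `OWNER` would make that failure mode visible, and the log line could state the expectation, `crit "expected owner $USER does not exist"`. This is inferred from the variable name only; the assignment itself is not in view. check_config() starts before this hunk and continues past it.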
@@ -23,13 +23,13 @@ PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_file $FILE "$USER_PATTERN"
+ does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$USER_PATTERN not present in $FILE"
 else
 ok "$USER_PATTERN is present in $FILE"
 fi
- does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PWD_PATTERN not present in $FILE"
 else
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_file $FILE "$USER_PATTERN"
+ does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$USER_PATTERN not present in $FILE, please configure password for grub"
 else
 ok "$USER_PATTERN is present in $FILE"
 fi
- does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
 else
diff --git a/bin/hardening/1.5.1_restrict_core_dumps.sh b/bin/hardening/1.5.1_restrict_core_dumps.sh
index 0e59d39..f4d6ab9 100755
--- a/bin/hardening/1.5.1_restrict_core_dumps.sh
+++ b/bin/hardening/1.5.1_restrict_core_dumps.sh
@@ -28,7 +28,7 @@ audit() {
 SEARCH_RES=0
 LIMIT_FILES=""
 if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
- for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+ for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
 LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
 done
 fi
@@ -43,7 +43,7 @@ audit() {
 break
 fi
 done
- if [ $SEARCH_RES = 0 ]; then
+ if [ "$SEARCH_RES" = 0 ]; then
 crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
 fi
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
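Review bot: The file loop in the 1.5.1 `@@ -28` hunk builds wrong paths: `ls "$LIMIT_DIR"/*.conf` prints each match with the directory already prefixed (the glob is expanded by the calling shell before `ls` or sudo see it), yet the loop body then prepends it again as `$LIMIT_DIR/$file`, so the drop-in files searched later are `$LIMIT_DIR/$LIMIT_DIR/x.conf` and the pattern check silently misses them. Parsing `ls` is also unnecessary here; a plain glob does it without the subshell: `for file in "$LIMIT_DIR"/*.conf; do [ -f "$file" ] && LIMIT_FILES="$LIMIT_FILES $file"; done`. If the directory can be unreadable to the invoking user, the glob in the current code is already resolved before `$SUDO_CMD` runs, so this is not a regression on that side. audit() starts before this hunk and continues past it.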
@@ -68,7 +68,7 @@ apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
diff --git a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
index 92c5eff..c4c6ee7 100755
--- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
@@ -37,7 +37,7 @@ apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
- set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
diff --git a/bin/hardening/1.6.2.1_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh
index 023800d..1102ea3 100755
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@@ -36,13 +36,13 @@ audit() {
 c_IFS=$'\n'
 IFS=$c_IFS
 for line in $RESULT; do
- if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+ if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
 crit "$line is not configured"
 ERROR=1
 fi
 done
 IFS=$d_IFS
- if [ $ERROR = 0 ]; then
+ if [ "$ERROR" = 0 ]; then
 ok "$PACKAGE is configured"
 fi
diff --git a/bin/hardening/1.7.1.1_remove_os_info_motd.sh b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
index 29ee794..87540da 100755
--- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
@@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
 else
@@ -32,10 +32,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
- delete_line_in_file $FILE $PATTERN
+ delete_line_in_file "$FILE" "$PATTERN"
 else
 ok "$PATTERN is not present in $FILE"
 fi
diff --git a/bin/hardening/1.7.1.2_remove_os_info_issue.sh b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
index 2960586..c055301 100755
--- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
@@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
 else
@@ -35,7 +35,7 @@ apply() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
- delete_line_in_file $FILE $PATTERN
+ delete_line_in_file "$FILE" "$PATTERN"
 else
 ok "$PATTERN is not present in $FILE"
 fi
diff --git a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
index 7bc785c..381d0cf 100755
--- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
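Review bot: The context line at the top of the 1.7.1.2 `@@ -35` hunk, `does_pattern_exist_in_file $FILE "$PATTERN"`, is left unquoted in apply() while the identical call in audit() is quoted in the previous hunk of the same file, so the commit fixes the same SC2086 finding in one function and not the other. I would make it `does_pattern_exist_in_file "$FILE" "$PATTERN"` so the two functions stay in lockstep and shellcheck is clean for the file. apply() starts before this hunk.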
@@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
 else
@@ -32,10 +32,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
- delete_line_in_file $FILE $PATTERN
+ delete_line_in_file "$FILE" "$PATTERN"
 else
 ok "$PATTERN is not present in $FILE"
 fi
diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh
index 20c117d..b697ad6 100755
--- a/bin/hardening/1.7.1.4_motd_perms.sh
+++ b/bin/hardening/1.7.1.4_motd_perms.sh
@@ -24,7 +24,7 @@ FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
@@ -45,10 +45,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh
index c103a4c..648da80 100755
--- a/bin/hardening/1.7.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh
@@ -24,7 +24,7 @@ FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
@@ -45,10 +45,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
index 74f321d..fd6aa7a 100755
--- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
@@ -24,7 +24,7 @@ FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
@@ -45,10 +45,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
diff --git a/bin/hardening/2.2.1.2_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh
index f718805..98aca64 100755
--- a/bin/hardening/2.2.1.2_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
@@ -60,16 +60,16 @@ apply() {
 does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
- backup_file $NTP_CONF_FILE
- add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
+ backup_file "$NTP_CONF_FILE"
+ add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
 else
 ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
 fi
- does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
- backup_file $NTP_INIT_FILE
- add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
+ backup_file "$NTP_INIT_FILE"
+ add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
 else
 ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
 fi
diff --git a/bin/hardening/2.2.1.3_configure_chrony.sh b/bin/hardening/2.2.1.3_configure_chrony.sh
index c5bc8ee..ebaab56 100755
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@@ -30,7 +30,7 @@ audit() {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+ does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
 else
diff --git a/bin/hardening/2.2.12_disable_samba.sh b/bin/hardening/2.2.12_disable_samba.sh
index a015fff..940f0eb 100755
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@@ -32,7 +32,7 @@ audit() {
 ok "$PACKAGE is absent"
 fi
 done
- is_service_enabled $SERVICE
+ is_service_enabled "$SERVICE"
 if [ "$FNRET" = 0 ]; then
 crit "Service $SERVICE is enabled!"
 else
@@ -52,10 +52,10 @@ apply() {
 ok "$PACKAGE is absent"
 fi
 done
- is_service_enabled $SERVICE
+ is_service_enabled "$SERVICE"
 if [ "$FNRET" = 0 ]; then
 crit "Service $SERVICE is enabled!"
- systemctl disable $SERVICE
+ systemctl disable "$SERVICE"
 else
 ok "Service $SERVICE is disabled"
 fi
diff --git a/bin/hardening/2.2.16_disable_rsync.sh b/bin/hardening/2.2.16_disable_rsync.sh
index 0019919..4d91f26 100755
--- a/bin/hardening/2.2.16_disable_rsync.sh
+++ b/bin/hardening/2.2.16_disable_rsync.sh
@@ -31,7 +31,7 @@ audit() {
 ok "$PACKAGE is not installed"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
 else
@@ -47,11 +47,11 @@ apply() {
 ok "$PACKAGE is not installed"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
- backup_file $RSYNC_DEFAULT_FILE
- replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+ backup_file "$RSYNC_DEFAULT_FILE"
+ replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
 else
 ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
 fi
diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh
index 3fd3856..646695c 100755
--- a/bin/hardening/2.2.18_disable_telnet_server.sh
+++ b/bin/hardening/2.2.18_disable_telnet_server.sh
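Review bot: In the 2.2.12 apply() hunk, `systemctl disable "$SERVICE"` only removes the unit from the boot targets: the already running service instance keeps serving until reboot, and the exit status is ignored, so a failed call still ends apply() without any message. I would use `systemctl disable --now "$SERVICE" >/dev/null 2>&1 || warn "Could not disable $SERVICE"` (or a separate `systemctl stop` where the target release's systemd predates `--now`), and downgrade the preceding `crit "Service $SERVICE is enabled!"` to `warn`, since in apply() that line announces a remediation rather than a finding. apply() starts before this hunk.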
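Review bot: In the 2.2.16 `@@ -47` hunk, the only action on the `adding it` branch is `replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"`, which presumably rewrites an existing line matching the search pattern; when that pattern is absent from the file (variable commented out or never present) nothing is written, the `warn ... adding it` message is misleading and the next audit fails the same way. I would check `does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH"` first and fall back to `add_end_of_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN"` when it is not found, as the 4.1.1.3 script in this commit does for auditd.conf. The pattern values and `replace_in_file` live outside the hunk, so the no-op behaviour is inferred from the call shape. apply() starts before this hunk.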
@@ -30,11 +30,11 @@ audit() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 warn "$PACKAGE is installed, checking configuration"
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN exists, $PACKAGE services are enabled!"
 else
@@ -58,18 +58,18 @@ apply() {
 else
 ok "$PACKAGE is absent"
 fi
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 # shellcheck disable=SC2001
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
- sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
+ sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"
 else
 ok "$PATTERN is not present in $FILE"
 fi
diff --git a/bin/hardening/3.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh
index 35f4770..e6dcc17 100755
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@@ -23,7 +23,7 @@ SYSCTL_PARAMS=''
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
- if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+ if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
 SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
diff --git a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
index 9de2801..8f451a2 100755
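Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"` in the 2.2.18 apply() hunk is not `-i -e`: GNU sed parses `-ie` as in-place editing with the backup suffix `e`, so every run leaves a stray copy named `${FILE}e` next to the real file, on top of the `backup_file` copy taken two lines above. Change it to `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The `backup_file $FILE` context line is also still unquoted while the rest of the hunk was fixed, and `<<<$PATTERN` would be clearer quoted even though a here-string does not word-split. apply() starts before this hunk.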
--- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
@@ -39,8 +39,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
diff --git a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
index e6cbd2d..37db31c 100755
--- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
@@ -39,8 +39,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
diff --git a/bin/hardening/3.3.2_hosts_allow.sh b/bin/hardening/3.3.2_hosts_allow.sh
index c90e572..60291d9 100755
--- a/bin/hardening/3.3.2_hosts_allow.sh
+++ b/bin/hardening/3.3.2_hosts_allow.sh
@@ -21,7 +21,7 @@ FILE='/etc/hosts.allow'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
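Review bot: `SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)` and the matching `cut -d= -f 2` in the 3.2.6 hunk fork two pipelines per parameter just to split on a single `=`, and `-f 2` would silently drop anything after a second `=`. Parameter expansion does the same split in-process and keeps the whole value: `SYSCTL_PARAM=${SYSCTL_VALUES%%=*}` and `SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}`. The identical pair appears in the 3.2.8 hunk and in the auditd scripts later in this commit, so a small shared helper in lib/utils.sh would remove the repetition. apply() continues past this hunk.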
@@ -31,10 +31,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
- touch $FILE
+ touch "$FILE"
 warn "You may want to fill it with allowed networks"
 else
 ok "$FILE exist"
diff --git a/bin/hardening/3.3.3_hosts_deny.sh b/bin/hardening/3.3.3_hosts_deny.sh
index c7d4e0d..4e7cca9 100755
--- a/bin/hardening/3.3.3_hosts_deny.sh
+++ b/bin/hardening/3.3.3_hosts_deny.sh
@@ -22,12 +22,12 @@ PATTERN='ALL: ALL'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
 ok "$FILE exists, checking configuration"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE, we have to deny everything"
 else
@@ -38,17 +38,17 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
- touch $FILE
+ touch "$FILE"
 else
 ok "$FILE exists"
 fi
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE, we have to deny everything"
- add_end_of_file $FILE "$PATTERN"
+ add_end_of_file "$FILE" "$PATTERN"
 warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
index 8b5033e..692ea10 100755
--- a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
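Review bot: `add_end_of_file "$FILE" "$PATTERN"` in the 3.3.3 apply() hunk writes `ALL: ALL` into hosts.deny unconditionally, while the companion 3.3.2 script in this same commit only `touch`es an empty /etc/hosts.allow, so on a host whose sshd honours tcp_wrappers running 3.3.2 then 3.3.3 yields a deny-all with no allow rule and the operator is locked out; the `YOU MAY HAVE CUT YOUR ACCESS` warning is printed after the damage is done. I would refuse to append when /etc/hosts.allow has no non-comment entry, e.g. `if ! grep -qE '^[^#[:space:]]' /etc/hosts.allow; then crit "/etc/hosts.allow has no allow rule, not adding $PATTERN to $FILE"; return; fi`, and turn the `crit` that precedes the write into a `warn` since it is the remediation path. Whether sshd is linked against libwrap depends on the build and is not visible here. apply() starts before this hunk.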
@@ -27,17 +27,17 @@ audit() {
 if [ "$FNRET" != 0 ]; then
 crit "$PACKAGE is not installed!"
 else
- ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
- if [[ -z $ipt ]]; then
+ ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+ if [[ -z "$ipt" ]]; then
 crit "Empty return from $PACKAGE command. Aborting..."
 return
 fi
 for chain in $FW_CHAINS; do
 regex="Chain $chain \(policy ([A-Z]+)\)"
 # previous line will capture actual policy
- if [[ $ipt =~ $regex ]]; then
+ if [[ "$ipt" =~ $regex ]]; then
 actual_policy=${BASH_REMATCH[1]}
- if [[ $actual_policy = "$FW_POLICY" ]]; then
+ if [[ "$actual_policy" = "$FW_POLICY" ]]; then
 ok "Policy correctly set to $FW_POLICY for chain $chain"
 else
 crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh
index 11ea04b..834fe11 100755
--- a/bin/hardening/4.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.1.1_audit_log_storage.sh
@@ -23,12 +23,12 @@ VALUE=5
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
 ok "$FILE exists, checking configuration"
- does_pattern_exist_in_file $FILE "^${PATTERN}[[:space:]]"
+ does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE"
 else
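Review bot: `ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)` in the 3.5.1.1 hunk throws away both stderr and the exit status, so an audit run without the privilege to list the tables is reported as `Empty return from ... command` exactly like a broken install, and the operator cannot tell a permission problem from a missing firewall. I would keep the diagnostic instead: `ipt=$($SUDO_CMD "$PACKAGE" -nL 2>&1) || { crit "$PACKAGE -nL failed: $ipt"; return; }`, leaving the existing empty-output check in place for the success case. The `regex="Chain $chain \(policy ([A-Z]+)\)"` interpolation is safe only because `$FW_CHAINS` holds fixed chain names; a one-line comment saying so would prevent someone later feeding it user input. audit() starts before this hunk and continues past it.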
@@ -39,17 +39,17 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
 ok "$FILE exists"
 fi
- does_pattern_exist_in_file $FILE "^${PATTERN}[[:space:]]"
+ does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
- add_end_of_file $FILE "$PATTERN = $VALUE"
+ add_end_of_file "$FILE" "$PATTERN = $VALUE"
 else
 ok "$PATTERN is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index 354bb14..5e6d243 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -22,7 +22,7 @@ OPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
@@ -44,7 +44,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
 touch $FILE
@@ -56,7 +56,7 @@ apply() {
 AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
index 05aa261..002cd7a 100755
--- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
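Review bot: The `touch $FILE` context line in the 4.1.1.1 apply() hunk is left unquoted while every other `$FILE` use in the function is now quoted, and the same leftover appears in the 4.1.1.2 and 4.1.1.3 apply() hunks below, so shellcheck will still report SC2086 on these three files after the commit. Beyond quoting, a bare `touch` creates the auditd configuration with whatever mode the caller's umask yields, and the file is then populated with a single `max_log_file = 5` line; I would write `touch "$FILE"` followed by an explicit `chmod 0640 "$FILE"` and a `warn` that the file was created from scratch and needs the remaining settings. apply() starts before this hunk.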
@@ -22,17 +22,17 @@ OPTIONS='max_log_file_action=keep_logs'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
 ok "$FILE exists, checking configuration"
 for AUDIT_OPTION in $OPTIONS; do
- AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
- AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
+ AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$PATTERN is not present in $FILE"
 else
@@ -44,7 +44,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
 touch $FILE
@@ -52,20 +52,20 @@ apply() {
 ok "$FILE exists"
 fi
 for AUDIT_OPTION in $OPTIONS; do
- AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
- AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
+ AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
+ does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
 if [ "$FNRET" != 0 ]; then
 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
- add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+ add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
 else
 info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
 ok "$PATTERN is present in $FILE"
diff --git a/bin/hardening/4.1.2_enable_auditd.sh b/bin/hardening/4.1.2_enable_auditd.sh
index 87bf2b9..1b226e2 100755
--- a/bin/hardening/4.1.2_enable_auditd.sh
+++ b/bin/hardening/4.1.2_enable_auditd.sh
@@ -50,8 +50,8 @@ apply() {
 ok "$SERVICE_NAME is enabled"
 else
 warn "$SERVICE_NAME is not enabled, enabling it"
- update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
- update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
 fi
 }
diff --git a/bin/hardening/4.1.3_audit_bootloader.sh b/bin/hardening/4.1.3_audit_bootloader.sh
index eefb27e..44e30cc 100755
--- a/bin/hardening/4.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.3_audit_bootloader.sh
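Review bot: The two `update-rc.d "$SERVICE_NAME" ... >/dev/null 2>&1` calls in the 4.1.2 apply() hunk run unconditionally and drop their exit status, so if `remove` or `defaults` fails the function still falls through the `fi` as though auditd were enabled, and the next audit reports `not enabled` again with no explanation. I would gate them and report: `if ! update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1 || ! update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1; then warn "Failed to enable $SERVICE_NAME"; fi`. Enabling only creates the rc links; the daemon still has to be started for events to be collected before the next reboot, which deserves either a `service "$SERVICE_NAME" start` or a `warn` saying so. The `does_pattern_exist_in_file $FILE "$PATTERN"` context line in the 4.1.1.3 hunk above is likewise still unquoted. apply() starts before this hunk.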
@@ -22,7 +22,7 @@ OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
 else
@@ -44,7 +44,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist, creating it"
 touch "$FILE"
diff --git a/bin/hardening/4.2.2.1_enable_syslog-ng.sh b/bin/hardening/4.2.2.1_enable_syslog-ng.sh
index b172f67..7fe0dfe 100755
--- a/bin/hardening/4.2.2.1_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.2.1_enable_syslog-ng.sh
@@ -36,8 +36,8 @@ apply() {
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" != 0 ]; then
 info "Enabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
- update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
 else
 ok "$SERVICE_NAME is enabled"
 fi
diff --git a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh
index a5739f7..6881a61 100755
--- a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh
+++ b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh
@@ -22,7 +22,7 @@ PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 FOUND=0
- FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
 for FILE in $FILES; do
 does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
@@ -30,7 +30,7 @@ audit() {
 fi
 done
- if [ $FOUND = 1 ]; then
+ if [ "$FOUND" = 1 ]; then
 ok "$PATTERN is present in $FILES"
 else
 crit "$PATTERN is not present in $FILES"
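Review bot: Quoting `"$SYSLOG_BASEDIR"` inside the command substitution in the 4.2.2.4 audit() hunk only protects the `find` argument; the result is still flattened into the scalar `FILES` and iterated with `for FILE in $FILES`, so any path under conf.d/ containing whitespace is split into several non-existent file names and ShellCheck will keep flagging the unquoted `$FILES`. The apply() hunk of the same file on the next line has the identical construct. Collecting the names into an array from a NUL-delimited `find` keeps the loop correct for any file name; the `ok`/`crit` messages in the following hunk would then use `"${FILES[*]}"` to print the list. The loop body continues outside the hunk.
```shell
FILES=("$SYSLOG_BASEDIR/syslog-ng.conf")
while IFS= read -r -d '' f; do
    FILES+=("$f")
done < <($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f -print0)
for FILE in "${FILES[@]}"; do
# … unchanged: per-file pattern check …
```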
@@ -40,14 +40,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 FOUND=0
- FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
 for FILE in $FILES; do
 does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 FOUND=1
 fi
 done
- if [ $FOUND = 1 ]; then
+ if [ "$FOUND" = 1 ]; then
 ok "$PATTERN is present in $FILES"
 else
 crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
diff --git a/bin/hardening/5.1.1_enable_cron.sh b/bin/hardening/5.1.1_enable_cron.sh
index 74ae378..bdd1f98 100755
--- a/bin/hardening/5.1.1_enable_cron.sh
+++ b/bin/hardening/5.1.1_enable_cron.sh
@@ -47,8 +47,8 @@ apply() {
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" != 0 ]; then
 info "Enabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
- update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
+ update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
 else
 ok "$SERVICE_NAME is enabled"
 fi
diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh
index 4693fe5..cde6cad 100755
--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
index 28b5d5f..d66779a 100755
--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
index f2665af..8bc79a7 100755
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
index dad3f52..425cb06 100755
--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
index 6f1bae9..0462153 100755
--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.7_cron_d_perm_ownership.sh b/bin/hardening/5.1.7_cron_d_perm_ownership.sh
index ad74f4b..36334b3 100755
--- a/bin/hardening/5.1.7_cron_d_perm_ownership.sh
+++ b/bin/hardening/5.1.7_cron_d_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh
index ad3f1b6..64723df 100755
--- a/bin/hardening/5.1.8_cron_users.sh
+++ b/bin/hardening/5.1.8_cron_users.sh
@@ -90,12 +90,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh
index 7c02be7..48b08b9 100755
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.12_disable_sshd_setenv.sh b/bin/hardening/5.2.12_disable_sshd_setenv.sh
index ff237f1..0eed930 100755
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@@ -60,7 +60,7 @@ apply() {
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+ does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/5.2.13_sshd_ciphers.sh b/bin/hardening/5.2.13_sshd_ciphers.sh
index 9564456..3134a72 100755
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.14_ssh_cry_mac.sh b/bin/hardening/5.2.14_ssh_cry_mac.sh
index e6d8537..0a8e431 100755
--- a/bin/hardening/5.2.14_ssh_cry_mac.sh
+++ b/bin/hardening/5.2.14_ssh_cry_mac.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+ does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
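Review bot: The `PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"` that the quoted call in the 5.2.10 apply() hunk now evaluates is only a prefix match: `[[:space:]]*` also accepts zero separators and nothing anchors the end of the value, so (assuming `does_pattern_exist_in_file` is a grep-style ERE search) a `sshd_config` line `MaxAuthTries 40` satisfies the pattern built for value `4`, and the apply step then leaves the wrong value in place. The same pattern line is context in the 5.2.13, 5.2.14, 5.2.15, 5.2.19, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9 and 5.4.1.3 hunks, while 99.5.1 already uses `[[:space:]]+`. Where an exact value is intended, `PATTERN="^${SSH_PARAM}[[:space:]]+${SSH_VALUE}[[:space:]]*$"` closes the gap; values containing regex metacharacters (a `.` in a cipher name, for instance) are still interpolated unescaped, which is worth a comment on the PATTERN line. The enclosing function continues outside the hunk.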
diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh
index 72eb636..e77f960 100755
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+ does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh
index 160cc3f..b843dde 100755
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@@ -34,7 +34,7 @@ audit() {
 # shellcheck disable=SC2001
 SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh
index 3a50778..5822514 100755
--- a/bin/hardening/5.2.19_ssh_banner.sh
+++ b/bin/hardening/5.2.19_ssh_banner.sh
@@ -31,7 +31,7 @@ audit() {
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 PATTERN="^${SSH_PARAM}[[:space:]]*"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
@@ -54,7 +54,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
index ae08dc8..dde8f11 100755
--- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
+++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
@@ -40,10 +40,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- does_file_exist $FILE
+ does_file_exist "$FILE"
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
index e38ca42..3285791 100755
--- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
@@ -83,12 +83,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
index 446ce9f..bef6154 100755
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@@ -103,12 +103,12 @@ apply() {
 # This function will check config parameters required
 check_config() {
- does_user_exist $USER
+ does_user_exist "$USER"
 if [ "$FNRET" != 0 ]; then
 crit "$USER does not exist"
 exit 128
 fi
- does_group_exist $GROUP
+ does_group_exist "$GROUP"
 if [ "$FNRET" != 0 ]; then
 crit "$GROUP does not exist"
 exit 128
diff --git a/bin/hardening/5.2.5_sshd_loglevel.sh b/bin/hardening/5.2.5_sshd_loglevel.sh
index a69c62a..b6d2a4f 100755
--- a/bin/hardening/5.2.5_sshd_loglevel.sh
+++ b/bin/hardening/5.2.5_sshd_loglevel.sh
@@ -56,7 +56,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+ does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.6_disable_x11_forwarding.sh b/bin/hardening/5.2.6_disable_x11_forwarding.sh
index a26dfde..5c262bf 100755
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh
index a56c699..a5b1c8a 100755
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
index 97654fc..bdbcfd1 100755
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
index 5495680..96a8b1b 100755
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@@ -55,7 +55,7 @@ apply() {
 SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
 SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
 PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.3.1_enable_pwquality.sh b/bin/hardening/5.3.1_enable_pwquality.sh
index 2099dff..d966cc8 100755
--- a/bin/hardening/5.3.1_enable_pwquality.sh
+++ b/bin/hardening/5.3.1_enable_pwquality.sh
@@ -67,7 +67,7 @@ apply() {
 ok "$PATTERN_COMMON is present in $FILE_COMMON"
 else
 warn "$PATTERN_COMMON is not present in $FILE_COMMON"
- add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
+ add_line_file_before_pattern "$FILE_COMMON" "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
 fi
 for PW_OPT in $OPTIONS; do
diff --git a/bin/hardening/5.3.2_enable_lockout_failed_password.sh b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
index d832091..9c9f2b2 100755
--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@@ -30,13 +30,13 @@ audit() {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
- does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
+ does_pattern_exist_in_file "$FILE_AUTH" "$PATTERN_AUTH"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN_AUTH is present in $FILE_AUTH"
 else
 crit "$PATTERN_AUTH is not present in $FILE_AUTH"
 fi
- does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+ does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
 else
@@ -54,19 +54,19 @@ apply() {
 crit "$PACKAGE is absent, installing it"
 apt_install "$PACKAGE"
 fi
- does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
+ does_pattern_exist_in_file "$FILE_AUTH" "$PATTERN_AUTH"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN_AUTH is present in $FILE_AUTH"
 else
 warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
- add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+ add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
 fi
- does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+ does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
 else
 warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
- add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+ add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally.so" "# pam-auth-update(8) for details."
 fi
 }
diff --git a/bin/hardening/5.3.3_limit_password_reuse.sh b/bin/hardening/5.3.3_limit_password_reuse.sh
index e1eb350..3845db7 100755
--- a/bin/hardening/5.3.3_limit_password_reuse.sh
+++ b/bin/hardening/5.3.3_limit_password_reuse.sh
@@ -28,7 +28,7 @@ audit() {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
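Review bot: The two lines the 5.3.2 apply() hunk writes into PAM name different modules: the auth entry loads `pam_tally2.so` while the account entry loads `pam_tally.so`, so the account-phase reset appears to be done by a module other than the one counting the failures, and a `required` entry for a module that is not present on the host makes every authentication fail rather than merely weakening the lockout. Unless the mismatch is deliberate, the account line should read `add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."`, and PATTERN_ACCOUNT (defined outside the hunk) presumably needs the matching change. A header comment in this script noting that pam_tally2 was removed from Linux-PAM 1.5 and that hosts with a newer PAM need pam_faillock would save the next maintainer a lockout; a package check before the `add_line_file_before_pattern` calls would make the apply step fail safe.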
@@ -46,12 +46,12 @@ apply() {
 crit "$PACKAGE is absent, installing it"
 apt_install "$PACKAGE"
 fi
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+ add_line_file_before_pattern "$FILE" "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
 fi
 }
diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh
index ec86c89..c7e31f2 100755
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@@ -21,11 +21,11 @@ CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 # Check conf file for default SHA512 hash
- if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+ if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
 crit "$CONF_FILE is not readable"
 else
 # shellcheck disable=SC2001
- does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
+ does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
 else
@@ -36,16 +36,16 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+ if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
 crit "$CONF_FILE is not readable"
 else
 # shellcheck disable=SC2001
- does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
+ does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
 ok "$CONF_LINE is present in $CONF_FILE"
 else
 warn "$CONF_LINE is not present in $CONF_FILE"
- add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+ add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
 fi
 fi
 }
diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
index 3c81992..378fa56 100755
--- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
@@ -60,7 +60,7 @@ apply() {
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^${SHADOW_PARAM}"
+ does_pattern_exist_in_file "$FILE" "^${SHADOW_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file "$FILE" "$SHADOW_PARAM $SHADOW_VALUE"
 else
diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
index ab523ef..ab5631a 100755
--- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
@@ -32,7 +32,7 @@ audit() {
 SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
 SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
 PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
@@ -55,7 +55,7 @@ apply() {
 SHADOW_PARAM=$(echo "$SHADOW_OPTION" | cut -d= -f 1)
 SHADOW_VALUE=$(echo "$SHADOW_OPTION" | cut -d= -f 2)
 PATTERN="^${SHADOW_PARAM}[[:space:]]*$SHADOW_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh
index 2aeb9b4..9fa9d79 100755
--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
@@ -27,7 +27,7 @@ ACCEPTED_SHELLS_GREP=''
 audit() {
 shells_to_grep_helper
 info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
- RESULT=$(grep -Ev "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
+ RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
 IFS_BAK=$IFS
 IFS=$'\n'
 for LINE in $RESULT; do
@@ -55,7 +55,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- RESULT=$(grep -Ev "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
+ RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
 IFS_BAK=$IFS
 IFS=$'\n'
 for LINE in $RESULT; do
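Review bot: `grep -v $ACCEPTED_SHELLS_GREP` stays unquoted in both RESULT assignments of 5.4.2 (the audit() hunk and the apply() hunk that follows it), so ShellCheck will keep reporting SC2086 on the very lines this commit touched; if the splitting is intentional because `shells_to_grep_helper` builds several `-e` arguments, record that with `# shellcheck disable=SC2086 -- ACCEPTED_SHELLS_GREP holds several grep arguments` above each assignment, or build the arguments as an array. Note also that with the file-level default `ACCEPTED_SHELLS_GREP=''` shown in the hunk header, `grep -v` receives no pattern at all, fails, and the trailing `|| true` converts that failure into an empty RESULT, i.e. the audit reports no offending accounts precisely when the helper did not populate the variable. Whether the helper can leave it empty is not visible here, but an explicit `[ -n "$ACCEPTED_SHELLS_GREP" ] || crit "..."` before the pipeline would make the failure loud.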
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index 8fc1d0e..3221eaf 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@@ -25,7 +25,7 @@ audit() {
 if [ -n "$RESULT" ]; then
 crit "Some world writable files are present"
 # shellcheck disable=SC2001
- FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
 ok "No world writable files found"
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index 3f2d494..8dc73bf 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -32,7 +32,7 @@ audit() {
 if [ -n "$RESULT" ]; then
 crit "Some unowned files are present"
 # shellcheck disable=SC2001
- FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
 ok "No unowned files found"
@@ -48,7 +48,7 @@ apply() {
 fi
 if [ -n "$RESULT" ]; then
 warn "Applying chown on all unowned files in the system"
- df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER"
 else
 ok "No unowned files found, nothing to apply"
 fi
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index 64639f3..99bd08e 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
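Review bot: Quoting `"$USER"` in the 6.1.11 apply() hunk fixes the owner argument, but the file list handed to `xargs chown` is still newline-separated text that xargs splits on any whitespace and from which it strips quotes, so an unowned path containing a space, quote or newline is passed as a different name and either skipped or applied to the wrong path; the 6.1.12 `chgrp` hunk on the next line has the same shape. Use NUL separators end to end and stop option parsing on the file names: `df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print0 2>/dev/null | xargs -0 chown -- "$USER"`. The `df | awk` stage has the same whitespace limitation for mount points, which is far less likely to matter but would be worth a comment. The audit() hunks above split RESULT on spaces for display only (`sed "s/ /\n/g"`), so a space in a file name merely garbles the report there.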
@@ -48,7 +48,7 @@ apply() {
 fi
 if [ -n "$RESULT" ]; then
 warn "Applying chgrp on all ungrouped files in the system"
- df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
+ df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
 else
 ok "No ungrouped files found, nothing to apply"
 fi
diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
index f430fac..44e78d4 100755
--- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
+++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
@@ -34,8 +34,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
- if grep '^+:' $FILE -q; then
- RESULT=$(grep '^+:' $FILE)
+ if grep '^+:' "$FILE" -q; then
+ RESULT=$(grep '^+:' "$FILE")
 warn "Some accounts have a legacy password entry"
 for LINE in $RESULT; do
 info "Removing $LINE from $FILE"
diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh
index a7a9654..83b1958 100755
--- a/bin/hardening/99.1_timeout_tty.sh
+++ b/bin/hardening/99.1_timeout_tty.sh
@@ -26,7 +26,7 @@ FILE='/etc/profile.d/CIS_99.1_timeout.sh'
 audit() {
 SEARCH_RES=0
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
- if [ $SEARCH_RES = 1 ]; then break; fi
+ if [ "$SEARCH_RES" = 1 ]; then break; fi
 if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
 # shellcheck disable=2044
@@ -59,7 +59,7 @@ audit() {
 apply() {
 SEARCH_RES=0
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
- if [ $SEARCH_RES = 1 ]; then break; fi
+ if [ "$SEARCH_RES" = 1 ]; then break; fi
 if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
 # shellcheck disable=2044
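Review bot: In the 6.2.3 apply() hunk, `grep '^+:' "$FILE" -q` places the option after the operand, which relies on argument permutation that POSIX does not guarantee, and the file is then read a second time to fill RESULT; both lines fold into one call that also stops option parsing before the path: `if RESULT=$(grep '^+:' -- "$FILE"); then`. The loop that follows, `for LINE in $RESULT`, word-splits on the default IFS; that is fine for shadow entries, which carry no spaces, but a short comment saying so would stop the next reader from reaching for `IFS=$'\n'` as 5.4.2 does. The function continues outside the hunk.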
@@ -87,9 +87,9 @@ apply() { warn "$PATTERN is not present in $FILES_TO_SEARCH" touch "$FILE" chmod 644 "$FILE" - add_end_of_file $FILE "$PATTERN$VALUE" - add_end_of_file $FILE "readonly TMOUT" - add_end_of_file $FILE "export TMOUT" + add_end_of_file "$FILE" "$PATTERN$VALUE" + add_end_of_file "$FILE" "readonly TMOUT" + add_end_of_file "$FILE" "export TMOUT" else ok "$PATTERN is present in $FILES_TO_SEARCH" fi diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index 2acae0c..c0ad231 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -24,8 +24,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh' audit() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ $SEARCH_RES = 1 ]; then break; fi - if $SUDO_CMD test -d $FILE_SEARCHED; then + if [ "$SEARCH_RES" = 1 ]; then break; fi + if $SUDO_CMD test -d "$FILE_SEARCHED"; then debug "$FILE_SEARCHED is a directory" for file_in_dir in $($SUDO_CMD ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" @@ -56,8 +56,8 @@ audit() { apply() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ $SEARCH_RES = 1 ]; then break; fi - if test -d $FILE_SEARCHED; then + if [ "$SEARCH_RES" = 1 ]; then break; fi + if test -d "$FILE_SEARCHED"; then debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" @@ -83,7 +83,7 @@ apply() { warn "$PATTERN is not present in $FILES_TO_SEARCH" touch "$FILE" chmod 644 "$FILE" - add_end_of_file $FILE ' + add_end_of_file "$FILE" ' # By default, disable all. ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" diff --git a/bin/hardening/99.3.4_acc_logindefs_sha512.sh b/bin/hardening/99.3.4_acc_logindefs_sha512.sh index d4995ac..e596138 100755 --- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh 
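Review bot: The quoting stops one line short: right after the changed `test -d "$FILE_SEARCHED"`, `for file_in_dir in $($SUDO_CMD ls $FILE_SEARCHED)` still parses ls output with an unquoted path, so it word-splits and globs on directory entries, and it is the line that decides which files actually get scanned. The apply() hunk of the same file (`@@ -56,8`) has the identical `for file_in_dir in $(ls $FILE_SEARCHED)`. A NUL-safe replacement is `while IFS= read -r -d '' file_in_dir; do` with `done < <($SUDO_CMD find "$FILE_SEARCHED" -mindepth 1 -maxdepth 1 -print0)` and the body calling `does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"`; the loop's `done` is outside the hunk.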
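Review bot: The rule is written to `$FILE`, which the header of this file's first hunk shows as `/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh`; udev only reads files with the `.rules` suffix from rules.d, so as far as I can tell the file is created but never loaded and the control does not take effect. Renaming the constant to end in `.rules` (for example `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules'`) is a one-line fix at the top of the script, outside this hunk; the audit() search over `$FILES_TO_SEARCH` should then be re-checked against the new name. The quoted rule text continues past the end of the hunk.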
+++ b/bin/hardening/99.3.4_acc_logindefs_sha512.sh @@ -21,10 +21,10 @@ CONF_LINE="ENCRYPT_METHOD SHA512" # This function will be called if the script status is on enabled / audit mode audit() { # Check conf file for default SHA512 hash - if $SUDO_CMD [ ! -r $CONF_FILE ]; then + if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then crit "$CONF_FILE is not readable" else - does_pattern_exist_in_file $CONF_FILE "^ *${CONF_LINE/ /[[:space:]]+}" + does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE/ /[[:space:]]+}" if [ "$FNRET" = 0 ]; then ok "$CONF_LINE is present in $CONF_FILE" else @@ -35,14 +35,14 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - does_pattern_exist_in_file $CONF_FILE "^ *${CONF_LINE/ /[[:space:]]+}" + does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE/ /[[:space:]]+}" if [ "$FNRET" = 0 ]; then ok "$CONF_LINE is present in $CONF_FILE" else warn "$CONF_LINE is not present in $CONF_FILE, adding it" does_pattern_exist_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)" if [ "$FNRET" != 0 ]; then - add_end_of_file $CONF_FILE "$CONF_LINE" + add_end_of_file "$CONF_FILE" "$CONF_LINE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE" diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh index 23afd16..46d7284 100755 --- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh +++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh @@ -32,7 +32,7 @@ audit() { SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]+$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
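Review bot: The `info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"` line in the else branch references `SSH_PARAM`, which nothing visible in this login.defs script assigns, so the message most likely prints an empty parameter name (it reads as copied from the ssh scripts). The parameter name is already derived twice via `$(echo "$CONF_LINE" | cut -d ' ' -f1)`; computing it once as `CONF_PARAM=${CONF_LINE%% *}` and using `"$CONF_PARAM"` in the `does_pattern_exist_in_file`, `info` and `replace_in_file` lines removes both the duplication and the stale variable. apply() also skips the readability check that audit() performs on `$CONF_FILE` in the hunk above.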
@@ -60,9 +60,9 @@ apply() { ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^${SSH_PARAM}[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE" diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh index 63d52bb..ae60936 100755 --- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh +++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh @@ -44,10 +44,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
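Review bot: The last line of the hunk, `replace_in_file $FILE "^${SSH_PARAM}[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE"`, still passes `$FILE` unquoted while the two calls above it were quoted, leaving this file inconsistent with the same line in 99.5.2.3, 99.5.3, 99.5.8 and 99.5.9, which the commit does quote. Change it to `replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE"`. apply() continues outside the hunk.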
@@ -67,22 +67,22 @@ apply() { apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then # shellcheck disable=SC2001 SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE") - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh index 9988acc..df31af8 100755 --- a/bin/hardening/99.5.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.3_ssh_disable_features.sh @@ -31,7 +31,7 @@ audit() { SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
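Review bot: `/etc/init.d/ssh reload >/dev/null 2>&1` discards the exit status right after sshd_config has been edited by `add_end_of_file` or `replace_in_file`, so a reload that fails on a now-invalid configuration goes unreported and the script finishes as if the control were applied; the same line sits in the apply() hunks of 99.5.3 (`@@ -54,17`), 99.5.5 (`@@ -50,20`), 99.5.6 (`@@ -46,19`), 99.5.8 (`@@ -52,20`) and 99.5.9 (`@@ -52,20`). Validating first and surfacing failure is a small change: `if $SUDO_CMD sshd -t 2>/dev/null && /etc/init.d/ssh reload >/dev/null 2>&1; then ok "sshd reloaded"; else crit "sshd config invalid or reload failed"; fi`. Whether `$SUDO_CMD` is wanted on the reload depends on how apply() is run, which is not visible here.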
@@ -54,17 +54,17 @@ apply() { SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index 31d68f2..b27d340 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -55,13 +55,13 @@ check_ip() { ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}") # shellcheck disable=SC2001 bad_ips=$(sed 's/ $//' <<<"${bad_ips}") - if [[ -z $bad_ips ]]; then - if [[ -n $ok_ips ]]; then + if [[ -z "$bad_ips" ]]; then + if [[ -n "$ok_ips" ]]; then ok "Line $linum of $file allows ssh access only from allowed IPs ($ok_ips)." fi else crit "Line $linum of $file allows ssh access from (${bad_ips}) that are not allowed." - if [[ -n $ok_ips ]]; then + if [[ -n "$ok_ips" ]]; then ok "Line $linum of $file allows ssh access from at least allowed IPs ($ok_ips)." fi fi @@ -143,7 +143,7 @@ audit() { continue fi check_dir /home/"${user}" - if [ $FOUND_AUTHKF = 0 ]; then + if [ "$FOUND_AUTHKF" = 0 ]; then warn "$user has a valid shell but no authorized_keys file" fi fi 
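Review bot: `check_dir /home/"${user}"` hard-codes the home directory as `/home/<user>`; if `user` is enumerated from the passwd database (the enumeration is outside the hunk, so I cannot confirm), accounts with a home elsewhere are checked against a directory that does not exist and their authorized_keys are never inspected, while the new `[ "$FOUND_AUTHKF" = 0 ]` test then warns about a missing file that may well be present. Read the home from the same record, e.g. `home=$(getent passwd "$user" | cut -d: -f6)` followed by `check_dir "$home"`. `FOUND_AUTHKF` appears to be a global set by check_dir; a comment on the test saying so would help, since nothing in the hunk assigns it.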
diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh index 341279a..9488b04 100755 --- a/bin/hardening/99.5.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.5_ssh_strict_modes.sh @@ -27,10 +27,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -50,20 +50,20 @@ apply() { apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh index d3ae5d7..635ad0d 100755 --- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh +++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh 
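Review bot: `does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"` in the else branch is the one call in this hunk left with `$FILE` unquoted, whereas the commit quotes the equivalent line in 99.5.2.3, 99.5.3, 99.5.8 and 99.5.9. Make it `does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"` so the file is consistent. apply() continues outside the hunk.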
@@ -28,7 +28,7 @@ audit() { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -46,19 +46,19 @@ apply() { crit "$PACKAGE is absent, installing it" apt_install "$PACKAGE" fi - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "^$PATTERN" # shellcheck disable=SC2001 PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g') if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$PATTERN" + add_end_of_file "$FILE" "$PATTERN" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$PATTERN" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$PATTERN" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh index 99f5ee2..2fb0a82 100755 --- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh +++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh @@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
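Review bot: `replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$PATTERN"` collapses to the regex `^[[:space:]]*.*`, which matches every line of sshd_config, if `SSH_PARAM` is ever empty, and nothing in the hunk assigns it (it may be set at the top of the script, which is not visible). A guard such as `: "${SSH_PARAM:?SSH_PARAM must be set}"` before the replace keeps a config-loading mistake from rewriting the whole file. Separately, the four chained `sed` calls that rebuild `PATTERN` can be one `sed -r` with several `-e` expressions, which is easier to review for the escaping it undoes.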
@@ -52,20 +52,20 @@ apply() { apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh index 99d0f3f..0d81e49 100755 --- a/bin/hardening/99.5.9_ssh_loglevel.sh +++ b/bin/hardening/99.5.9_ssh_loglevel.sh @@ -29,10 +29,10 @@ audit() { else ok "$PACKAGE is installed" for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else 
@@ -52,20 +52,20 @@ apply() { apt_install "$PACKAGE" fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" + does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}" + does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi /etc/init.d/ssh reload >/dev/null 2>&1 fi diff --git a/lib/common.sh b/lib/common.sh index a5e34f4..f351873 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -70,7 +70,7 @@ crit() { if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi + if [ "$MACHINE_LOG_LEVEL" -ge 1 ]; then _logger "$BRED" "[ KO ] $*"; fi fi # This variable incrementation is used to measure failure or success in tests CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1)) @@ -80,7 +80,7 @@ warn() { if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi + if [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then _logger "$BYELLOW" "[WARN] $*"; fi fi } 
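Review bot: `[ "$MACHINE_LOG_LEVEL" -ge 1 ]` still fails with an integer-expression error when `MACHINE_LOG_LEVEL` is unset or empty, and the same quoting-only change is made to the `-ge 2` and `-ge 3` tests in the warn() (`@@ -80,7`) and ok() (`@@ -88,7`) hunks; `BATCH_MODE` two lines above in each function already uses `"${BATCH_MODE:-0}"`. Mirroring that with `"${MACHINE_LOG_LEVEL:-0}"`, or asserting it once after the config is sourced with `: "${MACHINE_LOG_LEVEL:?}"`, makes the behaviour on a missing config explicit; which default the project wants should come from where the variable is normally set. The lib/main.sh hunk (`@@ -128,7`) has the same pattern with a bare `[ "$BATCH_MODE" -eq 1 ]` next to common.sh's defaulted form.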
@@ -88,7 +88,7 @@ ok() { if [ "${BATCH_MODE:-0}" -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}" else - if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi + if [ "$MACHINE_LOG_LEVEL" -ge 3 ]; then _logger "$BGREEN" "[ OK ] $*"; fi fi } diff --git a/lib/main.sh b/lib/main.sh index 6a81b6b..e43f140 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -128,7 +128,7 @@ disabled | false) esac if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then - if [ $BATCH_MODE -eq 1 ]; then + if [ "$BATCH_MODE" -eq 1 ]; then BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT" becho "$BATCH_OUTPUT" else diff --git a/lib/utils.sh b/lib/utils.sh index bf60961..b1ca276 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -13,7 +13,7 @@ has_sysctl_param_expected_result() { if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then FNRET=0 - elif [ $? = 255 ]; then + elif [ "$?" = 255 ]; then debug "$SYSCTL_PARAM does not exist" FNRET=255 else @@ -147,7 +147,7 @@ does_pattern_exist_in_file_multiline() { debug "Checking if multiline pattern: $PATTERN is present in $FILE" if $SUDO_CMD [ -r "$FILE" ]; then - debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"" + debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- $PATTERN" if $SUDO_CMD grep -v '^[[:space:]]*#' "$FILE" | tr '\n' ' ' | grep -Pq -- "$PATTERN"; then debug "Pattern found in $FILE" FNRET=0 @@ -239,7 +239,7 @@ does_group_exist() { is_service_enabled() { local SERVICE=$1 - if [ $($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then + if [ "$($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l)" -gt 0 ]; then debug "Service $SERVICE is enabled" FNRET=0 else 
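Review bot: `elif [ "$?" = 255 ]` tests the exit status of the preceding `[ ... ]` comparison, not of `sysctl`, because the command substitution's status is already gone once the test runs; the `debug "$SYSCTL_PARAM does not exist"` / `FNRET=255` branch is therefore unreachable and a missing parameter falls through to the else branch as a plain mismatch. Capture the output and status first, then compare. has_sysctl_param_expected_result() starts and ends outside the hunk.
```shell
    SYSCTL_OUT=$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)
    SYSCTL_RC=$?
    if [ "$SYSCTL_OUT" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    elif [ "$SYSCTL_RC" = 255 ]; then
        # … unchanged: debug / FNRET=255 / else branch …
```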
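Review bot: `-name "S*$SERVICE"` is anchored only at the end, so the count also includes any start link whose service name merely ends with `$SERVICE` (a constructed example: checking `ssh` would count an `S01myssh` link), giving a false "enabled" result. SysV start links are `S` plus two digits plus the service name, so `-name "S[0-9][0-9]$SERVICE"` is the tighter match. On hosts without `/etc/rc?.d` the find also prints errors to stderr; `2>/dev/null` inside the substitution keeps the output clean. is_service_enabled() continues outside the hunk.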
@@ -385,7 +385,7 @@ apt_update_if_needed() { if [ -e /var/cache/apt/pkgcache.bin ]; then UPDATE_AGE=$(($(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin))) - if [ $UPDATE_AGE -gt 21600 ]; then + if [ "$UPDATE_AGE" -gt 21600 ]; then # update too old, refresh database $SUDO_CMD apt-get update -y >/dev/null 2>/dev/null fi @@ -438,7 +438,7 @@ is_pkg_installed() { get_debian_major_version() { DEB_MAJ_VER="" does_file_exist /etc/debian_version - if [ $FNRET ]; then + if [ "$FNRET" = 0 ]; then DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) else # shellcheck disable=2034 diff --git a/shellcheck/launch_shellcheck.sh b/shellcheck/launch_shellcheck.sh index c75aa02..c54d455 100755 --- a/shellcheck/launch_shellcheck.sh +++ b/shellcheck/launch_shellcheck.sh @@ -5,7 +5,7 @@ files="" retval=0 -if [ $# -eq 0 ]; then +if [ "$#" -eq 0 ]; then files=$(find . -name "*.sh" | sort -V) else files="$*"
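Review bot: `files=$(find . -name "*.sh" | sort -V)` and `files="$*"` keep the file list as a single whitespace-joined string, so any path containing a space is later split into fragments and shellcheck is run on names that do not exist; the quoting of `$#` does not change that. An array is the usual fix: `mapfile -t files < <(find . -name '*.sh' | sort -V)` and `files=("$@")`, with the consumer (outside the hunk) iterating `"${files[@]}"`.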