diff --git a/bin/hardening.sh b/bin/hardening.sh
index f5b5806..ffafa01 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -10,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@@ -197,7 +197,7 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
 template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
 [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
 done
- echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+ echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
 exit 0
 fi
@@ -209,7 +209,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
 fi
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
- SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+ SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
 script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
 if [ -z "$script_level" ]; then
 echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
@@ -217,7 +217,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
 fi
 wantedstatus=disabled
 [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
- sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+ sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
 done
 echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
 exit 0
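Review bot: The loop header kept as context in this hunk, `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do`, still builds the script list by word-splitting `ls` output with an unquoted `$CIS_ROOT_DIR`, so the quoting added to `basename "$SCRIPT"` and to the `sed` target does not help once the install path contains whitespace or glob characters; the same header is context in the hunks at -230, -241 and -265. Because `ls -v` presumably supplies the numeric ordering of the 4.1.x scripts (4.1.4 before 4.1.10), a plain glob is not a drop-in replacement; the script already assumes GNU tools (`ls -v`, `sed -i -re`), so `while IFS= read -r -d '' SCRIPT; do` … `done < <(printf '%s\0' "$CIS_ROOT_DIR"/bin/hardening/*.sh | sort -zV)` keeps that ordering while handling any path. The enclosing `if [ -n "$SET_HARDENING_LEVEL" ] …` block starts outside the hunk.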
@@ -230,9 +230,9 @@ fi
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
- if [ ${#TEST_LIST[@]} -gt 0 ]; then
+ if [ "${#TEST_LIST[@]}" -gt 0 ]; then
 # --only X has been specified at least once, is this script in my list ?
- SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
+ SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
 SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
 if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
 # not in the list
@@ -241,21 +241,21 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 fi
 info "Treating $SCRIPT"
- if [ $CREATE_CONFIG = 1 ]; then
+ if [ "$CREATE_CONFIG" = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
- $SCRIPT --create-config-files-only $BATCH_MODE
- elif [ $AUDIT = 1 ]; then
+ "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+ elif [ "$AUDIT" = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
- $SCRIPT --audit $SUDO_MODE $BATCH_MODE
- elif [ $AUDIT_ALL = 1 ]; then
+ "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+ elif [ "$AUDIT_ALL" = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
- $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
- elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
- debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
- $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
- elif [ $APPLY = 1 ]; then
+ "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+ elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+ "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+ elif [ "$APPLY" = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
- $SCRIPT
+ "$SCRIPT"
 fi
 SCRIPT_EXITCODE=$?
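Review bot: Quoting `"$SUDO_MODE"` and `"$BATCH_MODE"` in the four invocation lines of the -241 hunk changes what the child scripts receive: previously an empty variable expanded to no word at all, whereas `"$BATCH_MODE"` now always passes one argument, an empty string when the variable is unset or empty. The summary hunk at -287 tests `[ "$BATCH_MODE" ]` for non-emptiness, which suggests these variables are empty whenever their flags were not given, so every non-batch run would now hand each check script a literal `""` argument its option parser did not see before (whether it tolerates that is outside this hunk). The alternate-value expansion keeps the quoting without the phantom argument: `"$SCRIPT" --audit ${SUDO_MODE:+"$SUDO_MODE"} ${BATCH_MODE:+"$BATCH_MODE"}`, applied likewise to the `--create-config-files-only` line and both `--audit-all` lines. The enclosing `for SCRIPT …` loop starts outside the hunk.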
@@ -265,9 +265,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 0)
 debug "$SCRIPT passed"
 PASSED_CHECKS=$((PASSED_CHECKS + 1))
- if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
- SCRIPT_BASENAME=$(basename $SCRIPT .sh)
- sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+ if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+ SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
+ sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
 info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
 fi
 ;;
@@ -287,18 +287,18 @@ done
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
-if [ $BATCH_MODE ]; then
+if [ "$BATCH_MODE" ]; then
 BATCH_SUMMARY="AUDIT_SUMMARY "
 BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
 BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
 BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
- if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
 CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
 else
 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
 fi
- becho $BATCH_SUMMARY
+ becho "$BATCH_SUMMARY"
 else
 printf "%40s\n" "################### SUMMARY ###################"
 printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@@ -309,7 +309,7 @@ else
 ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
 CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
 printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
- if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
 printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
 else
 printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
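Review bot: In the -309 hunk, `CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")` runs on the context line above the `if [ "$TOTAL_TREATED_CHECKS" != 0 ]` test it is meant to be guarded by, so when no check ran bc still divides by zero and prints its runtime error on stderr before the `N.A` branch is taken; the batch branch in the -287 hunk computes the same value inside its guard. Move the assignment under the `if`: `if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then` / `CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")` / `printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"`. The `ENABLED_CHECKS_PERCENTAGE` line divides by `$TOTAL_CHECKS` with no guard at all, which presumably only matters when the hardening directory is empty. The enclosing `else` branch starts and ends outside the hunk.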
diff --git a/bin/hardening/2.2.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh
index 17246e5..7e3240c 100755
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@@ -29,7 +29,7 @@ audit() {
 ok "Nothing listens on 25 port, probably unix socket configured"
 else
 info "Checking $RESULT"
- if $(grep -q "127.0.0.1" <<<$RESULT); then
+ if $(grep -q "127.0.0.1" <<<"$RESULT"); then
 ok "MTA is configured to localhost only"
 else
 crit "MTA listens worldwide"
@@ -47,7 +47,7 @@ apply() {
 ok "Nothing listens on 25 port, probably unix socket configured"
 else
 info "Checking $RESULT"
- if $(grep -q "127.0.0.1" <<<$RESULT); then
+ if $(grep -q "127.0.0.1" <<<"$RESULT"); then
 ok "MTA is configured to localhost only"
 else
 warn "MTA listens worldwide, correct this considering your MTA"
diff --git a/bin/hardening/4.1.10_record_dac_edit.sh b/bin/hardening/4.1.10_record_dac_edit.sh
index b774e15..f284824 100755
--- a/bin/hardening/4.1.10_record_dac_edit.sh
+++ b/bin/hardening/4.1.10_record_dac_edit.sh
@@ -34,7 +34,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -50,11 +50,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.11_record_failed_access_file.sh b/bin/hardening/4.1.11_record_failed_access_file.sh
index 02f3b9a..f91a270 100755
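Review bot: In the 2.2.15 audit hunk, `if $(grep -q "127.0.0.1" <<<"$RESULT"); then` still runs grep inside a command substitution and executes its (empty) output as the command; the test only works because bash gives an empty simple command the status of its last substitution. Write the test directly, with a fixed-string match so the dots are not regex wildcards: `if grep -qF -- "127.0.0.1" <<<"$RESULT"; then`; the apply hunk at -47 has the same line. Note also that a substring hit on `127.0.0.1` anywhere in `$RESULT` reports `ok` even if a second port-25 socket is bound to a wildcard address, should `$RESULT` ever hold more than one listener — how it is populated lies outside the hunk. audit() starts outside the hunk.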
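Review bot: In the 4.1.10 apply hunk, `eval "$(pkill -HUP -P 1 auditd)"` quotes a construct that should not exist: pkill prints nothing, so the line evaluates an empty string, and the signal is sent only as a side effect of the substitution with its exit status discarded; if pkill ever did print something, eval would execute it as shell code. Replace it with the bare command and surface failure, e.g. `pkill -HUP -P 1 auditd || warn "could not signal auditd to reload rules"`; the same line is added in the apply hunks of 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8 and 4.1.9. Separately, audit() restores `IFS=$d_IFS` around its `does_pattern_exist_in_file` call while apply() calls it under `IFS=$'\n'`; unless the helper is insensitive to IFS (it is not visible here) the two functions may not match the same lines. apply() starts outside the hunk.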
--- a/bin/hardening/4.1.11_record_failed_access_file.sh
+++ b/bin/hardening/4.1.11_record_failed_access_file.sh
@@ -32,7 +32,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -48,11 +48,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.12_record_privileged_commands.sh b/bin/hardening/4.1.12_record_privileged_commands.sh
index cf92e54..edca803 100755
--- a/bin/hardening/4.1.12_record_privileged_commands.sh
+++ b/bin/hardening/4.1.12_record_privileged_commands.sh
@@ -33,7 +33,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -49,11 +49,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.13_record_successful_mount.sh b/bin/hardening/4.1.13_record_successful_mount.sh
index 73d4bc5..1cbfd1e 100755
--- a/bin/hardening/4.1.13_record_successful_mount.sh
+++ b/bin/hardening/4.1.13_record_successful_mount.sh
@@ -30,7 +30,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -46,11 +46,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.14_record_file_deletions.sh b/bin/hardening/4.1.14_record_file_deletions.sh
index 60eadd9..9ce7448 100755
--- a/bin/hardening/4.1.14_record_file_deletions.sh
+++ b/bin/hardening/4.1.14_record_file_deletions.sh
@@ -30,7 +30,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -46,11 +46,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.15_record_sudoers_edit.sh b/bin/hardening/4.1.15_record_sudoers_edit.sh
index 6447550..757fc8f 100755
--- a/bin/hardening/4.1.15_record_sudoers_edit.sh
+++ b/bin/hardening/4.1.15_record_sudoers_edit.sh
@@ -30,7 +30,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -46,11 +46,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.16_record_sudo_usage.sh b/bin/hardening/4.1.16_record_sudo_usage.sh
index 20a8740..c70bbb6 100755
--- a/bin/hardening/4.1.16_record_sudo_usage.sh
+++ b/bin/hardening/4.1.16_record_sudo_usage.sh
@@ -29,7 +29,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -45,11 +45,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.17_record_kernel_modules.sh b/bin/hardening/4.1.17_record_kernel_modules.sh
index 0620299..9123396 100755
--- a/bin/hardening/4.1.17_record_kernel_modules.sh
+++ b/bin/hardening/4.1.17_record_kernel_modules.sh
@@ -32,7 +32,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -48,11 +48,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.18_freeze_auditd_conf.sh b/bin/hardening/4.1.18_freeze_auditd_conf.sh
index 1b99ed7..9b7e37b 100755
--- a/bin/hardening/4.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/4.1.18_freeze_auditd_conf.sh
@@ -29,7 +29,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -45,11 +45,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.4_record_date_time_edit.sh b/bin/hardening/4.1.4_record_date_time_edit.sh
index 7aebb06..8ed450b 100755
--- a/bin/hardening/4.1.4_record_date_time_edit.sh
+++ b/bin/hardening/4.1.4_record_date_time_edit.sh
@@ -33,7 +33,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -49,11 +49,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.5_record_user_group_edit.sh b/bin/hardening/4.1.5_record_user_group_edit.sh
index fc0897d..f7d4e7c 100755
--- a/bin/hardening/4.1.5_record_user_group_edit.sh
+++ b/bin/hardening/4.1.5_record_user_group_edit.sh
@@ -33,7 +33,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -49,11 +49,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.6_record_network_edit.sh b/bin/hardening/4.1.6_record_network_edit.sh
index b07a9c3..1df373a 100755
--- a/bin/hardening/4.1.6_record_network_edit.sh
+++ b/bin/hardening/4.1.6_record_network_edit.sh
@@ -34,7 +34,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -50,11 +50,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.7_record_mac_edit.sh b/bin/hardening/4.1.7_record_mac_edit.sh
index dccae10..db908b7 100755
--- a/bin/hardening/4.1.7_record_mac_edit.sh
+++ b/bin/hardening/4.1.7_record_mac_edit.sh
@@ -29,7 +29,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -45,11 +45,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.8_record_login_logout.sh b/bin/hardening/4.1.8_record_login_logout.sh
index acab050..5855dca 100755
--- a/bin/hardening/4.1.8_record_login_logout.sh
+++ b/bin/hardening/4.1.8_record_login_logout.sh
@@ -31,7 +31,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -47,11 +47,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/4.1.9_record_session_init.sh b/bin/hardening/4.1.9_record_session_init.sh
index a7dbd1c..5e5759a 100755
--- a/bin/hardening/4.1.9_record_session_init.sh
+++ b/bin/hardening/4.1.9_record_session_init.sh
@@ -31,7 +31,7 @@ audit() {
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
 IFS=$d_IFS
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 IFS=$c_IFS
 if [ "$FNRET" != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
@@ -47,11 +47,11 @@ apply() {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- does_pattern_exist_in_file $FILE $AUDIT_VALUE
+ does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
 if [ "$FNRET" != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
- add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ add_end_of_file "$FILE" "$AUDIT_VALUE"
+ eval "$(pkill -HUP -P 1 auditd)"
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh
index 96438ac..18df5f7 100755
--- a/bin/hardening/5.4.4_default_umask.sh
+++ b/bin/hardening/5.4.4_default_umask.sh
@@ -27,9 +27,9 @@ audit() {
 SEARCH_RES=0
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
 if [ $SEARCH_RES = 1 ]; then break; fi
- if test -d $FILE_SEARCHED; then
+ if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
- for file_in_dir in $(ls $FILE_SEARCHED); do
+ for file_in_dir in $(ls "$FILE_SEARCHED"); do
 does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
@@ -59,9 +59,9 @@ apply() {
 SEARCH_RES=0
 for FILE_SEARCHED in $FILES_TO_SEARCH; do
 if [ "$SEARCH_RES" = 1 ]; then break; fi
- if test -d $FILE_SEARCHED; then
+ if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
- for file_in_dir in $(ls $FILE_SEARCHED); do
+ for file_in_dir in $(ls "$FILE_SEARCHED"); do
 does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
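Review bot: The context line `if [ $SEARCH_RES = 1 ]; then break; fi` in the audit() hunk (-27) is left unquoted while the same line in the apply() hunk (-59) already reads `[ "$SEARCH_RES" = 1 ]`; bring it in line: `if [ "$SEARCH_RES" = 1 ]; then break; fi`. The newly quoted `$(ls "$FILE_SEARCHED")` still word-splits ls output, so an entry with whitespace in its name yields broken `$FILE_SEARCHED/$file_in_dir` paths that `does_pattern_exist_in_file` then checks against the wrong file; a glob avoids the parse while keeping the variable the body uses: `for entry in "$FILE_SEARCHED"/*; do` / `file_in_dir=${entry##*/}` (same in -59). audit() starts and ends outside the hunk.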