IMP(shellcheck): quoting variables

Thibault Ayanides 2020-12-07 15:53:14 +01:00
parent ac66cdacd0
commit e2f7426664
18 changed files with 90 additions and 90 deletions


@ -10,7 +10,7 @@
# Main script : Execute hardening considering configuration # Main script : Execute hardening considering configuration
# #
LONG_SCRIPT_NAME=$(basename $0) LONG_SCRIPT_NAME=$(basename "$0")
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
DISABLED_CHECKS=0 DISABLED_CHECKS=0
PASSED_CHECKS=0 PASSED_CHECKS=0
@ -197,7 +197,7 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template" [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ") echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
exit 0 exit 0
fi fi
@ -209,7 +209,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
fi fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ]; then if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
@ -217,7 +217,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
fi fi
wantedstatus=disabled wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
done done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL" echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0 exit 0
@ -230,9 +230,9 @@ fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ]; then if [ "${#TEST_LIST[@]}" -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
@ -241,21 +241,21 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
fi fi
info "Treating $SCRIPT" info "Treating $SCRIPT"
if [ $CREATE_CONFIG = 1 ]; then if [ "$CREATE_CONFIG" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
$SCRIPT --create-config-files-only $BATCH_MODE "$SCRIPT" --create-config-files-only "$BATCH_MODE"
elif [ $AUDIT = 1 ]; then elif [ "$AUDIT" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
elif [ $AUDIT_ALL = 1 ]; then elif [ "$AUDIT_ALL" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
elif [ $APPLY = 1 ]; then elif [ "$APPLY" = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT" debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT "$SCRIPT"
fi fi
SCRIPT_EXITCODE=$? SCRIPT_EXITCODE=$?
@ -265,9 +265,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
0) 0)
debug "$SCRIPT passed" debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS + 1)) PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi fi
;; ;;
@ -287,18 +287,18 @@ done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS)) TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then if [ "$BATCH_MODE" ]; then
BATCH_SUMMARY="AUDIT_SUMMARY " BATCH_SUMMARY="AUDIT_SUMMARY "
BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} " BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi fi
becho $BATCH_SUMMARY becho "$BATCH_SUMMARY"
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -309,7 +309,7 @@ else
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
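Review bot: Quoting `$SUDO_MODE` and `$BATCH_MODE` on the check invocations (`"$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"` and the sibling `--create-config-files-only` / `--audit-all` branches) changes what the child script receives: when either variable is empty, which the `if [ "$BATCH_MODE" ]` test further down suggests is a normal state, the child now gets a literal empty-string argument where it previously got none. Whether the check scripts' option parsing tolerates `""` is not visible here and should be confirmed; `${SUDO_MODE:+"$SUDO_MODE"} ${BATCH_MODE:+"$BATCH_MODE"}` keeps the quoting and drops empty values. The loop header `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v)` is also left unquoted, so a root path containing whitespace still splits.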


@ -29,7 +29,7 @@ audit() {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<<$RESULT); then if $(grep -q "127.0.0.1" <<<"$RESULT"); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
crit "MTA listens worldwide" crit "MTA listens worldwide"
@ -47,7 +47,7 @@ apply() {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<<$RESULT); then if $(grep -q "127.0.0.1" <<<"$RESULT"); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"
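Review bot: The loopback test `if $(grep -q "127.0.0.1" <<<"$RESULT"); then` in both audit() and apply() succeeds as soon as any part of `$RESULT` matches, so if `$RESULT` can hold several listener lines (its producer is outside the hunks) a wildcard-bound listener next to a loopback one would still be reported as localhost-only. The pattern is also a regex whose dots match any character, and the `$( )` wrapper runs grep's empty output as a command; `if grep -qF "127.0.0.1" <<<"$RESULT"; then` is the plain form. To catch mixed listeners, test that no line lacks the loopback address, for example `if ! grep -qvF "127.0.0.1" <<<"$RESULT"; then`. Both function bodies start and end outside the hunks.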


@ -34,7 +34,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
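Review bot: `eval "$(pkill -HUP -P 1 auditd)"` in apply() evaluates pkill's standard output as shell code; pkill prints nothing when it only sends a signal, so the eval does no work, and quoting it preserves a construct that would execute whatever text that command did print. The direct call `pkill -HUP -P 1 auditd` has the same effect. It also sits inside the `for AUDIT_VALUE` loop, so auditd is signalled once per appended rule; setting a flag in the loop and sending a single HUP after `done` would reload once (the loop end is outside the hunk). The same line appears in the apply() hunk of each of the following audit-rule file sections.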


@ -32,7 +32,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -33,7 +33,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -30,7 +30,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -32,7 +32,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -33,7 +33,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -33,7 +33,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -34,7 +34,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -29,7 +29,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -31,7 +31,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -31,7 +31,7 @@ audit() {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file "$FILE" "$AUDIT_VALUE"
eval $(pkill -HUP -P 1 auditd) eval "$(pkill -HUP -P 1 auditd)"
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi


@ -27,9 +27,9 @@ audit() {
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then if test -d "$FILE_SEARCHED"; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do for file_in_dir in $(ls "$FILE_SEARCHED"); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
@ -59,9 +59,9 @@ apply() {
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ "$SEARCH_RES" = 1 ]; then break; fi if [ "$SEARCH_RES" = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then if test -d "$FILE_SEARCHED"; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do for file_in_dir in $(ls "$FILE_SEARCHED"); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
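Review bot: `for file_in_dir in $(ls "$FILE_SEARCHED"); do` in audit() and apply() still word-splits and glob-expands the output of ls, so quoting the directory argument does not help with entries whose names contain whitespace or glob characters; those are looked up under wrong paths and the pattern search never reads the real file. Iterating with a glob avoids the parse: `for path_in_dir in "$FILE_SEARCHED"/*; do` with `[ -e "$path_in_dir" ] || continue`, passing `"$path_in_dir"` to does_pattern_exist_in_file. The context line `if [ $SEARCH_RES = 1 ]; then break; fi` in audit() is also still unquoted, while the apply() copy is quoted. Both loops continue past the end of their hunks.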