diff --git a/bin/hardening/1.1.10_var_tmp_noexec.sh b/bin/hardening/1.1.10_var_tmp_noexec.sh index eb023c4..de5a24d 100755 --- a/bin/hardening/1.1.10_var_tmp_noexec.sh +++ b/bin/hardening/1.1.10_var_tmp_noexec.sh @@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.11_var_log_partition.sh b/bin/hardening/1.1.11_var_log_partition.sh index 8e2a752..ab048f9 100755 --- a/bin/hardening/1.1.11_var_log_partition.sh +++ b/bin/hardening/1.1.11_var_log_partition.sh @@ -25,13 +25,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.12_var_log_audit_partition.sh b/bin/hardening/1.1.12_var_log_audit_partition.sh index 43c2d00..404e4e7 100755 --- a/bin/hardening/1.1.12_var_log_audit_partition.sh +++ b/bin/hardening/1.1.12_var_log_audit_partition.sh 
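Review bot: The result codes assigned in audit() of 1.1.10_var_tmp_noexec.sh are undocumented, so a reader has to infer them from the log messages. The chain sets `FNRET=2` when the path is not a partition, `FNRET=1` when the option is missing from fstab and `FNRET=3` when it is missing only at runtime. A comment above `is_a_partition "$PARTITION"` would make this explicit, e.g. `# FNRET after audit: 1 = option missing in fstab, 2 = not a partition, 3 = not mounted with option at runtime`. The other 1.1.x partition hunks in this patch follow the same pattern, with the two-step variants using only 1 and 2. audit() starts and ends outside the hunk, and apply() presumably branches on these values, which should be confirmed before wording the comment.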
@@ -24,13 +24,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.13_home_partition.sh b/bin/hardening/1.1.13_home_partition.sh index 55e3453..e51559c 100755 --- a/bin/hardening/1.1.13_home_partition.sh +++ b/bin/hardening/1.1.13_home_partition.sh @@ -25,13 +25,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.14_home_nodev.sh b/bin/hardening/1.1.14_home_nodev.sh index e2dfd09..5da7307 100755 --- a/bin/hardening/1.1.14_home_nodev.sh +++ b/bin/hardening/1.1.14_home_nodev.sh @@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh index 57697a9..bffe454 100755 --- a/bin/hardening/1.1.15_run_shm_nodev.sh 
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh @@ -27,19 +27,19 @@ audit() { PARTITION=$(readlink -e "$PARTITION") FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh index d92ab84..705fec8 100755 --- a/bin/hardening/1.1.16_run_shm_nosuid.sh +++ b/bin/hardening/1.1.16_run_shm_nosuid.sh @@ -27,19 +27,19 @@ audit() { PARTITION=$(readlink -e "$PARTITION") FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh index 1631041..a3bc331 100755 --- a/bin/hardening/1.1.17_run_shm_noexec.sh +++ b/bin/hardening/1.1.17_run_shm_noexec.sh 
@@ -27,19 +27,19 @@ audit() { PARTITION=$(readlink -e "$PARTITION") FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.18_removable_device_nodev.sh b/bin/hardening/1.1.18_removable_device_nodev.sh index 95cf314..5365205 100755 --- a/bin/hardening/1.1.18_removable_device_nodev.sh +++ b/bin/hardening/1.1.18_removable_device_nodev.sh @@ -28,13 +28,13 @@ audit() { info "Verifying if there is $PARTITION like partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then ok "There is no partition like $PARTITION" FNRET=0 else info "detected $PARTITION like" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else diff --git a/bin/hardening/1.1.19_removable_device_nosuid.sh b/bin/hardening/1.1.19_removable_device_nosuid.sh index a4e372c..0dc6a9e 100755 --- a/bin/hardening/1.1.19_removable_device_nosuid.sh +++ b/bin/hardening/1.1.19_removable_device_nosuid.sh @@ -28,13 +28,13 @@ audit() { info "Verifying if there is $PARTITION like partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then ok "There is no partition like $PARTITION" FNRET=0 else info "detected $PARTITION like" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else 
diff --git a/bin/hardening/1.1.20_removable_device_noexec.sh b/bin/hardening/1.1.20_removable_device_noexec.sh index 1a7c8db..ee64f67 100755 --- a/bin/hardening/1.1.20_removable_device_noexec.sh +++ b/bin/hardening/1.1.20_removable_device_noexec.sh @@ -28,13 +28,13 @@ audit() { info "Verifying if there is $PARTITION like partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then ok "There is no partition like $PARTITION" FNRET=0 else info "detected $PARTITION like" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else diff --git a/bin/hardening/1.1.2_tmp_partition.sh b/bin/hardening/1.1.2_tmp_partition.sh index 71172dc..75a5458 100755 --- a/bin/hardening/1.1.2_tmp_partition.sh +++ b/bin/hardening/1.1.2_tmp_partition.sh @@ -25,13 +25,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.3_tmp_nodev.sh b/bin/hardening/1.1.3_tmp_nodev.sh index 176412e..9996b80 100755 --- a/bin/hardening/1.1.3_tmp_nodev.sh +++ b/bin/hardening/1.1.3_tmp_nodev.sh 
@@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.4_tmp_nosuid.sh b/bin/hardening/1.1.4_tmp_nosuid.sh index cfa608e..d6e3c47 100755 --- a/bin/hardening/1.1.4_tmp_nosuid.sh +++ b/bin/hardening/1.1.4_tmp_nosuid.sh @@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.5_tmp_noexec.sh b/bin/hardening/1.1.5_tmp_noexec.sh index 159a645..7d673cd 100755 --- a/bin/hardening/1.1.5_tmp_noexec.sh +++ b/bin/hardening/1.1.5_tmp_noexec.sh 
@@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.6_var_partition.sh b/bin/hardening/1.1.6_var_partition.sh index e415873..7e5ee9c 100755 --- a/bin/hardening/1.1.6_var_partition.sh +++ b/bin/hardening/1.1.6_var_partition.sh @@ -25,13 +25,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.7_var_tmp_partition.sh b/bin/hardening/1.1.7_var_tmp_partition.sh index fe2b9fe..29dacac 100755 --- a/bin/hardening/1.1.7_var_tmp_partition.sh +++ b/bin/hardening/1.1.7_var_tmp_partition.sh @@ -25,13 +25,13 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted" FNRET=1 else diff --git a/bin/hardening/1.1.8_var_tmp_nodev.sh b/bin/hardening/1.1.8_var_tmp_nodev.sh index 5d6b191..f7fbd9e 100755 --- a/bin/hardening/1.1.8_var_tmp_nodev.sh 
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh @@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.1.9_var_tmp_nosuid.sh b/bin/hardening/1.1.9_var_tmp_nosuid.sh index fc746a5..1125594 100755 --- a/bin/hardening/1.1.9_var_tmp_nosuid.sh +++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh @@ -26,19 +26,19 @@ audit() { info "Verifying that $PARTITION is a partition" FNRET=0 is_a_partition "$PARTITION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION is not a partition" FNRET=2 else ok "$PARTITION is a partition" has_mount_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$PARTITION has no option $OPTION in fstab!" FNRET=1 else ok "$PARTITION has $OPTION in fstab" has_mounted_option "$PARTITION" "$OPTION" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=3 else diff --git a/bin/hardening/1.4.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh index ef6c136..2309d63 100755 --- a/bin/hardening/1.4.1_bootloader_ownership.sh +++ b/bin/hardening/1.4.1_bootloader_ownership.sh @@ -48,7 +48,7 @@ apply() { ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" 
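Review bot: The `chown` in apply() of 1.4.1_bootloader_ownership.sh is still fire-and-forget: nothing in the hunk checks its exit status, so a remediation that fails (read-only filesystem, immutable attribute) is logged as "fixing" and never reported. Consider `chown -- "$USER":"$GROUP" "$FILE" || crit "could not change ownership of $FILE"`; the `--` also keeps a value starting with a dash from being parsed as an option. The identical line appears in the 1.7.1.x, 5.1.x, 5.2.x and 6.1.x ownership hunks of this patch. Whether `set -e` is active is not visible here, and apply() continues outside the hunk.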
diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh index 9c2ffa0..1f316f0 100755 --- a/bin/hardening/1.7.1.4_motd_perms.sh +++ b/bin/hardening/1.7.1.4_motd_perms.sh @@ -55,7 +55,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh index dacacc9..438460d 100755 --- a/bin/hardening/1.7.1.5_etc_issue_perms.sh +++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh @@ -55,7 +55,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh index 3ffe232..1209642 100755 --- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh +++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh @@ -55,7 +55,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/1.8_install_updates.sh b/bin/hardening/1.8_install_updates.sh index 59d9e17..00d1128 100755 --- a/bin/hardening/1.8_install_updates.sh +++ b/bin/hardening/1.8_install_updates.sh @@ -23,7 +23,7 @@ audit() { apt_update_if_needed info "Fetching upgrades ..." apt_check_updates "CIS_APT" - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then crit "$RESULT" FNRET=1 else 
@@ -34,7 +34,7 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - if [ $FNRET -gt 0 ]; then + if [ "$FNRET" -gt 0 ]; then info "Applying Upgrades..." DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y else diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index 7775a57..3d6e979 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh +++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -33,7 +33,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "Logs in $DIR have correct permissions" fi } @@ -51,7 +51,7 @@ apply() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "Logs in $DIR have correct permissions" fi } diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh index 1b380b7..4693fe5 100755 --- a/bin/hardening/5.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh index 6a71213..28b5d5f 100755 --- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh index 7df44fb..f2665af 100755 
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh index fe7f827..dad3f52 100755 --- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh index 3b733b8..6f1bae9 100755 --- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.7_cron_d_perm_ownership.sh b/bin/hardening/5.1.7_cron_d_perm_ownership.sh index 65ce568..ad74f4b 100755 --- a/bin/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/5.1.7_cron_d_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh index d6d364e..3c97225 100755 
--- a/bin/hardening/5.1.8_cron_users.sh +++ b/bin/hardening/5.1.8_cron_users.sh @@ -76,7 +76,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh index 2df728e..ae08dc8 100755 --- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh +++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -50,7 +50,7 @@ apply() { ok "$FILE has correct ownership" else warn "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index dbfdb9f..9ba57b7 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -36,7 +36,7 @@ audit() { done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "SSH private keys in $DIR have correct permissions" fi @@ -52,7 +52,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "SSH private keys in $DIR have correct ownership" fi } @@ -65,7 +65,7 @@ apply() { ok "$FILE ownership was set to $USER:$GROUP" else warn "fixing $DIR SSH private keys permissions to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi done diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 8406fea..9b4f113 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh 
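Review bot: The log line above the quoted `chown` in apply() of 5.2.2_ssh_host_private_keys_perm_ownership.sh says it is fixing "permissions" while the command changes ownership. That makes the remediation log misleading when someone reviews what was changed on the SSH host keys. Suggested wording: `warn "fixing $FILE ownership to $USER:$GROUP"`, which also names the file being changed rather than only `$DIR`. The surrounding `for` loop starts outside the hunk, so how `$FILE` is produced is not visible.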
@@ -46,7 +46,7 @@ audit() { done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "SSH public keys in $DIR have correct permissions" fi @@ -62,7 +62,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "SSH public keys in $DIR have correct ownership" fi } @@ -95,7 +95,7 @@ apply() { ok "$FILE ownership was set to $USER:$GROUP" else warn "fixing $DIR SSH public keys ownership to $PERMISSIONS" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi done diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh index 043d014..96438ac 100755 --- a/bin/hardening/5.4.4_default_umask.sh +++ b/bin/hardening/5.4.4_default_umask.sh @@ -58,7 +58,7 @@ audit() { apply() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ $SEARCH_RES = 1 ]; then break; fi + if [ "$SEARCH_RES" = 1 ]; then break; fi if test -d $FILE_SEARCHED; then debug "$FILE_SEARCHED is a directory" for file_in_dir in $(ls $FILE_SEARCHED); do @@ -81,10 +81,10 @@ apply() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then warn "$PATTERN is not present in $FILES_TO_SEARCH" - touch $FILE - chmod 644 $FILE + touch "$FILE" + chmod 644 "$FILE" add_end_of_file $FILE "$PATTERN" fi } diff --git a/bin/hardening/6.1.5_etc_passwd_permissions.sh b/bin/hardening/6.1.5_etc_passwd_permissions.sh index e59ed63..a64aac8 100755 --- a/bin/hardening/6.1.5_etc_passwd_permissions.sh +++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh @@ -52,7 +52,7 @@ apply() { ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi } diff --git a/bin/hardening/6.1.6_etc_shadow_permissions.sh b/bin/hardening/6.1.6_etc_shadow_permissions.sh index 7a740b0..cdad8be 100755 --- a/bin/hardening/6.1.6_etc_shadow_permissions.sh +++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh 
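Review bot: In apply() of 5.2.3_ssh_host_public_keys_perm_ownership.sh the warning before `chown` prints `$PERMISSIONS` as the target of an ownership change, so the log shows a mode where it should show the owner. It should read `warn "fixing $FILE ownership to $USER:$GROUP"`, matching the `ok` message on the line above it in the hunk. The loop this sits in begins outside the hunk.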
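Review bot: The first hunk of 5.4.4_default_umask.sh quotes `$SEARCH_RES` but leaves `test -d $FILE_SEARCHED` and `for file_in_dir in $(ls $FILE_SEARCHED)` unquoted. The loop also still parses `ls` output, so entries containing whitespace or glob characters are split or expanded before they are searched. Prefer `if [ -d "$FILE_SEARCHED" ]; then` and a glob, `for file_in_dir in "$FILE_SEARCHED"/*; do`, adjusting the body if it prepends the directory to `$file_in_dir` itself. The outer `for FILE_SEARCHED in $FILES_TO_SEARCH` appears to rely on word splitting on purpose; the loop body continues outside the hunk.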
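Review bot: In the second hunk of 5.4.4_default_umask.sh, `touch "$FILE"` and `chmod 644 "$FILE"` are now quoted, but the next line still passes `$FILE` unquoted to `add_end_of_file`. The three commands can therefore disagree about the target if the path ever contains whitespace. Use `add_end_of_file "$FILE" "$PATTERN"` here. The same leftover is in the second hunks of 99.1_timeout_tty.sh (three `add_end_of_file $FILE ...` calls) and 99.2_disable_usb_devices.sh.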
@@ -52,7 +52,7 @@ apply() { ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi } diff --git a/bin/hardening/6.1.7_etc_group_permissions.sh b/bin/hardening/6.1.7_etc_group_permissions.sh index e720eeb..05aa1ca 100755 --- a/bin/hardening/6.1.7_etc_group_permissions.sh +++ b/bin/hardening/6.1.7_etc_group_permissions.sh @@ -52,7 +52,7 @@ apply() { ok "$FILE has correct ownership" else info "fixing $FILE ownership to $USER:$GROUP" - chown $USER:$GROUP $FILE + chown "$USER":"$GROUP" "$FILE" fi } diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh index 8a912c5..10ebbc0 100755 --- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh +++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh @@ -38,7 +38,7 @@ audit() { done done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "Dot file permission in users directories are correct" fi } @@ -51,11 +51,11 @@ apply() { FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") if [ $(echo $FILEPERM | cut -c6) != "-" ]; then warn "Group Write permission set on FILE $FILE" - chmod g-w $FILE + chmod g-w "$FILE" fi if [ $(echo $FILEPERM | cut -c9) != "-" ]; then warn "Other Write permission set on FILE $FILE" - chmod o-w $FILE + chmod o-w "$FILE" fi fi done diff --git a/bin/hardening/6.2.11_find_user_forward_files.sh b/bin/hardening/6.2.11_find_user_forward_files.sh index d00f438..86a085d 100755 --- a/bin/hardening/6.2.11_find_user_forward_files.sh +++ b/bin/hardening/6.2.11_find_user_forward_files.sh @@ -32,7 +32,7 @@ audit() { done done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No $FILENAME present in users home directory" fi } diff --git a/bin/hardening/6.2.12_find_user_netrc_files.sh b/bin/hardening/6.2.12_find_user_netrc_files.sh index fa5d4c2..b653ed9 100755 --- a/bin/hardening/6.2.12_find_user_netrc_files.sh +++ b/bin/hardening/6.2.12_find_user_netrc_files.sh 
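Review bot: In apply() of 6.2.10_check_user_dot_file_perm.sh the `chmod` calls now receive `"$FILE"` quoted, but the permission string is still read with `ls -ld $FILE` and compared through unquoted `$(echo $FILEPERM | cut -c6)`. For a dot file whose name contains whitespace, the check and the fix then look at different paths. Since these paths live in user-writable home directories, read the mode without word splitting, e.g. `FILEPERM=$(stat -c %A -- "$FILE")`, and quote the substitutions: `if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then`. The second hunk of 6.2.8_check_user_dir_perm.sh has the same shape with `$dir`. The enclosing loop and its condition start outside the hunk.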
@@ -32,7 +32,7 @@ audit() { done done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No $FILENAME present in users home directory" fi } diff --git a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh index e1a6852..f53e089 100755 --- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh +++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh @@ -37,7 +37,7 @@ audit() { done done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "permission $PERMISSIONS set on .netrc users files" fi @@ -54,7 +54,7 @@ apply() { ok "$FILE has correct permissions" else warn "$FILE permissions were not set to $PERMISSIONS" - chmod 600 $FILE + chmod 600 "$FILE" fi fi done diff --git a/bin/hardening/6.2.14_find_user_rhosts_files.sh b/bin/hardening/6.2.14_find_user_rhosts_files.sh index 333f85b..a4e28ed 100755 --- a/bin/hardening/6.2.14_find_user_rhosts_files.sh +++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh @@ -32,7 +32,7 @@ audit() { done done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No $FILENAME present in users home directory" fi } diff --git a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh index c03aa0a..e59339b 100755 --- a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh @@ -30,7 +30,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "passwd and group Groups are consistent" fi } diff --git a/bin/hardening/6.2.16_check_duplicate_uid.sh b/bin/hardening/6.2.16_check_duplicate_uid.sh index f50aaec..621d8d7 100755 --- a/bin/hardening/6.2.16_check_duplicate_uid.sh +++ b/bin/hardening/6.2.16_check_duplicate_uid.sh @@ -41,7 +41,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No duplicate UIDs${FOUND_EXCEPTIONS:+ apart from configured exceptions:}${FOUND_EXCEPTIONS}" fi } 
diff --git a/bin/hardening/6.2.17_check_duplicate_gid.sh b/bin/hardening/6.2.17_check_duplicate_gid.sh index 7378f77..977074c 100755 --- a/bin/hardening/6.2.17_check_duplicate_gid.sh +++ b/bin/hardening/6.2.17_check_duplicate_gid.sh @@ -33,7 +33,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No duplicate GIDs" fi } diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh index 8d1304c..11defe9 100755 --- a/bin/hardening/6.2.18_check_duplicate_username.sh +++ b/bin/hardening/6.2.18_check_duplicate_username.sh @@ -33,7 +33,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No duplicate usernames" fi } diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh index 5398971..f2dbb1f 100755 --- a/bin/hardening/6.2.19_check_duplicate_groupname.sh +++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh @@ -33,7 +33,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No duplicate groupnames" fi } diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh index 4adc692..5d9f06c 100755 --- a/bin/hardening/6.2.6_sanitize_root_path.sh +++ b/bin/hardening/6.2.6_sanitize_root_path.sh @@ -63,7 +63,7 @@ audit() { shift done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "root PATH is secure" fi } diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh index 0b9a2ba..923f473 100755 --- a/bin/hardening/6.2.7_users_valid_homedir.sh +++ b/bin/hardening/6.2.7_users_valid_homedir.sh @@ -33,7 +33,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "All home directories exists" fi } diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh index e4779eb..de47ffe 100755 
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh +++ b/bin/hardening/6.2.8_check_user_dir_perm.sh @@ -52,7 +52,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "No incorrect permissions on home directories" fi @@ -74,19 +74,19 @@ apply() { dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") if [ $(echo $dirperm | cut -c6) != "-" ]; then warn "Group Write permission set on directory $dir" - chmod g-w $dir + chmod g-w "$dir" fi if [ $(echo $dirperm | cut -c8) != "-" ]; then warn "Other Read permission set on directory $dir" - chmod o-r $dir + chmod o-r "$dir" fi if [ $(echo $dirperm | cut -c9) != "-" ]; then warn "Other Write permission set on directory $dir" - chmod o-w $dir + chmod o-w "$dir" fi if [ $(echo $dirperm | cut -c10) != "-" ]; then warn "Other Execute permission set on directory $dir" - chmod o-x $dir + chmod o-x "$dir" fi fi done diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh index 1128290..589eda9 100755 --- a/bin/hardening/6.2.9_users_valid_homedir.sh +++ b/bin/hardening/6.2.9_users_valid_homedir.sh @@ -36,7 +36,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "All home directories exists" fi debug "Checking homedir ownership" @@ -65,7 +65,7 @@ audit() { fi done - if [ $ERRORS = 0 ]; then + if [ "$ERRORS" = 0 ]; then ok "All home directories have correct ownership" fi } diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index 7ba9cd0..a7a9654 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh @@ -50,7 +50,7 @@ audit() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then crit "$PATTERN is not present in $FILES_TO_SEARCH" fi } 
@@ -83,10 +83,10 @@ apply() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then warn "$PATTERN is not present in $FILES_TO_SEARCH" - touch $FILE - chmod 644 $FILE + touch "$FILE" + chmod 644 "$FILE" add_end_of_file $FILE "$PATTERN$VALUE" add_end_of_file $FILE "readonly TMOUT" add_end_of_file $FILE "export TMOUT" diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index 56e045a..abb5e73 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -47,7 +47,7 @@ audit() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then crit "$PATTERN is not present in $FILES_TO_SEARCH" fi } @@ -79,10 +79,10 @@ apply() { fi fi done - if [ $SEARCH_RES = 0 ]; then + if [ "$SEARCH_RES" = 0 ]; then warn "$PATTERN is not present in $FILES_TO_SEARCH" - touch $FILE - chmod 644 $FILE + touch "$FILE" + chmod 644 "$FILE" add_end_of_file $FILE ' # By default, disable all. ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"