From f4ba90352b1482f8a6f7b0044c3200e92f973775 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 14 Dec 2020 16:14:37 +0100
Subject: [PATCH] IMP(shellcheck): replace ls parsing by stat
---
 bin/hardening/4.1.12_record_privileged_commands.sh | 4 ++--
 bin/hardening/5.4.2_disable_system_accounts.sh | 2 ++
 bin/hardening/5.4.4_default_umask.sh | 4 ++--
 bin/hardening/6.2.10_check_user_dot_file_perm.sh | 4 ++--
 bin/hardening/6.2.6_sanitize_root_path.sh | 5 +++--
 bin/hardening/99.2_disable_usb_devices.sh | 4 ++--
 6 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/bin/hardening/4.1.12_record_privileged_commands.sh b/bin/hardening/4.1.12_record_privileged_commands.sh
index b96090f..581dafd 100755
--- a/bin/hardening/4.1.12_record_privileged_commands.sh
+++ b/bin/hardening/4.1.12_record_privileged_commands.sh
@@ -19,8 +19,8 @@ DESCRIPTION="Collect use of privileged commands."
 # Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | \
-awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+ awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
diff --git a/bin/hardening/5.4.2_disable_system_accounts.sh b/bin/hardening/5.4.2_disable_system_accounts.sh
index 9fa9d79..fe320a1 100755
--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
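Review bot: The awk program on the new `+ awk` line still prints only `$1`, so a setuid/setgid path that contains whitespace is cut to its first word and the generated `-F path=` rule silently names a file that does not exist, leaving the real binary unaudited. The pipeline feeds one path per line, so printing the whole record fixes this without further change: `awk '{print "-a always,exit -F path=" $0 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'`. A path containing a newline cannot be represented by a line-oriented pipeline at all; that limitation predates this hunk. The assignment sits at file scope, and nothing in the hunk checks the status of `sudo -n find`, so a refused sudo leaves AUDIT_PARAMS empty without any message.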
@@ -27,6 +27,7 @@ ACCEPTED_SHELLS_GREP=''
 audit() {
 shells_to_grep_helper
 info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+ # shellcheck disable=SC2086
 RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
 IFS_BAK=$IFS
 IFS=$'\n'
@@ -55,6 +56,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
+ # shellcheck disable=SC2086
 RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
 IFS_BAK=$IFS
 IFS=$'\n'
diff --git a/bin/hardening/5.4.4_default_umask.sh b/bin/hardening/5.4.4_default_umask.sh
index ac775d5..8a64f1c 100755
--- a/bin/hardening/5.4.4_default_umask.sh
+++ b/bin/hardening/5.4.4_default_umask.sh
@@ -30,7 +30,7 @@ audit() {
 if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
 for file_in_dir in "$FILE_SEARCHED"/*; do
- [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
+ [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
 does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$PATTERN is not present in $file_in_dir"
@@ -63,7 +63,7 @@ apply() {
 if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
 for file_in_dir in "$FILE_SEARCHED"/*; do
- [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
+ [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
 does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$PATTERN is not present in $file_in_dir"
diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
index f9d41ea..b892ce7 100755
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
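Review bot: The `# shellcheck disable=SC2086` directives added above the two `grep -v $ACCEPTED_SHELLS_GREP` lines (in audit() and in apply()) silence the warning without recording why word-splitting is wanted there, and the same holds for the directive added before `set -- $FORMATTED_PATH` in 6.2.6_sanitize_root_path.sh. A justification keeps the next reader from "fixing" the quoting, e.g. `# shellcheck disable=SC2086 # ACCEPTED_SHELLS_GREP is a list of grep arguments; word-splitting is intended`, and the sturdier alternative is to build that value as an array and pass `"${ACCEPTED_SHELLS_GREP[@]}"`. Note also that the hunk header shows `ACCEPTED_SHELLS_GREP=''`; if shells_to_grep_helper leaves it empty, `grep -v` runs without a pattern, the trailing `|| true` swallows its usage error and RESULT ends up empty, which would read as a clean audit. Both functions continue past the hunk.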
@@ -25,7 +25,7 @@ audit() {
 debug "Working on $DIR"
 for FILE in "$DIR"/.[A-Za-z0-9]*; do
 if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
- FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+ FILEPERM=$(stat -c "%A" "$FILE")
 if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 crit "Group Write permission set on FILE $FILE"
 ERRORS=$((ERRORS + 1))
@@ -48,7 +48,7 @@ apply() {
 for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 for FILE in "$DIR"/.[A-Za-z0-9]*; do
 if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
- FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+ FILEPERM=$(stat -c "%A" "$FILE")
 if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
 warn "Group Write permission set on FILE $FILE"
 chmod g-w "$FILE"
diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh
index 967b9a3..1b9ca71 100755
--- a/bin/hardening/6.2.6_sanitize_root_path.sh
+++ b/bin/hardening/6.2.6_sanitize_root_path.sh
@@ -34,6 +34,7 @@ audit() {
 ERRORS=$((ERRORS + 1))
 fi
 FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ # shellcheck disable=SC2086
 set -- $FORMATTED_PATH
 while [ "${1:-}" != "" ]; do
 if [ "$1" = "." ]; then
@@ -41,7 +42,8 @@ audit() {
 ERRORS=$((ERRORS + 1))
 else
 if [ -d "$1" ]; then
- dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ dirperm=$(stat -L -c "%A" "$1")
+ dirown=$(stat -c "%U" "$1")
 if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
 crit "Group Write permission set on directory $1"
 ERRORS=$((ERRORS + 1))
@@ -50,7 +52,6 @@ audit() {
 crit "Other Write permission set on directory $1"
 ERRORS=$((ERRORS + 1))
 fi
- dirown=$(ls -ldH "$1" | awk '{print $3}')
 if [ "$dirown" != "root" ]; then
 crit "$1 is not owned by root"
 ERRORS=$((ERRORS + 1))
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
index 24b7076..8ddf7c3 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
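Review bot: The new `FILEPERM=$(stat -c "%A" "$FILE")` assignment is unchecked in both hunks of 6.2.10_check_user_dot_file_perm.sh: if stat fails (the file vanished between the `[ -f "$FILE" ]` test and the call, or is unreadable), FILEPERM is empty, `cut -c6` prints nothing, the `!= "-"` comparison is true, and audit() raises a false critical while apply() runs `chmod g-w` on a file whose mode it never read. Guard the assignment in both places, e.g. `FILEPERM=$(stat -c '%A' "$FILE") || continue`, and consider logging the skipped file; the two new `stat` calls in 6.2.6_sanitize_root_path.sh have the same gap. The mode character can then be read without two extra processes per file: `if [ "${FILEPERM:5:1}" != "-" ]; then`. Both loops continue past the hunk.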
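Review bot: The new `dirown=$(stat -c "%U" "$1")` line drops the symlink-following that the removed `ls -ldH` had, while the neighbouring `dirperm=$(stat -L -c "%A" "$1")` keeps it; for a PATH entry that is a symlink to a directory (which `[ -d "$1" ]` accepts) the owner check now inspects the link itself, so a root-owned link to a directory owned by another user passes the owner check while the permission check still describes the target. Use `dirown=$(stat -L -c "%U" "$1")` so both checks refer to the same inode. The line deleted in the following hunk is the old owner lookup, so the value is consumed unchanged by `if [ "$dirown" != "root" ]`. audit() continues beyond the hunk.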
+++ b/bin/hardening/99.2_disable_usb_devices.sh
@@ -59,9 +59,9 @@ apply() {
 if [ "$SEARCH_RES" = 1 ]; then break; fi
 if test -d "$FILE_SEARCHED"; then
 debug "$FILE_SEARCHED is a directory"
-
+
 for file_in_dir in "$FILE_SEARCHED"/*; do
- [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
+ [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
 does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
 if [ "$FNRET" != 0 ]; then
 debug "$PATTERN is not present in $file_in_dir"