IMP(shellcheck): replace ls parsing by stat

2024-11-22 05:27:01 +01:00 · 2020-12-14 16:14:37 +01:00 · 2020-12-14 16:14:37 +01:00 · f4ba90352b
commit f4ba90352b
parent cdaee7786a
6 changed files with 13 additions and 10 deletions
--- a/bin/hardening/4.1.12_record_privileged_commands.sh
+++ b/bin/hardening/4.1.12_record_privileged_commands.sh
@ -19,7 +19,7 @@ DESCRIPTION="Collect use of privileged commands."

 # Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | \
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'

--- a/bin/hardening/5.4.2_disable_system_accounts.sh
+++ b/bin/hardening/5.4.2_disable_system_accounts.sh
@ -27,6 +27,7 @@ ACCEPTED_SHELLS_GREP=''
 audit() {
    shells_to_grep_helper
    info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+    # shellcheck disable=SC2086
    RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
    IFS_BAK=$IFS
    IFS=$'\n'
@ -55,6 +56,7 @@ audit() {

 # This function will be called if the script status is on enabled mode
 apply() {
+    # shellcheck disable=SC2086
    RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
    IFS_BAK=$IFS
    IFS=$'\n'
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@ -25,7 +25,7 @@ audit() {
        debug "Working on $DIR"
        for FILE in "$DIR"/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
-                FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+                FILEPERM=$(stat -c "%A" "$FILE")
                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                    crit "Group Write permission set on FILE $FILE"
                    ERRORS=$((ERRORS + 1))
@ -48,7 +48,7 @@ apply() {
    for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        for FILE in "$DIR"/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
-                FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
+                FILEPERM=$(stat -c "%A" "$FILE")
                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                    warn "Group Write permission set on FILE $FILE"
                    chmod g-w "$FILE"
--- a/bin/hardening/6.2.6_sanitize_root_path.sh
+++ b/bin/hardening/6.2.6_sanitize_root_path.sh
@ -34,6 +34,7 @@ audit() {
        ERRORS=$((ERRORS + 1))
    fi
    FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+    # shellcheck disable=SC2086
    set -- $FORMATTED_PATH
    while [ "${1:-}" != "" ]; do
        if [ "$1" = "." ]; then
@ -41,7 +42,8 @@ audit() {
            ERRORS=$((ERRORS + 1))
        else
            if [ -d "$1" ]; then
-                dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+                dirperm=$(stat -L -c "%A" "$1")
+                dirown=$(stat -c "%U" "$1")
                if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                    crit "Group Write permission set on directory $1"
                    ERRORS=$((ERRORS + 1))
@ -50,7 +52,6 @@ audit() {
                    crit "Other Write permission set on directory $1"
                    ERRORS=$((ERRORS + 1))
                fi
-                dirown=$(ls -ldH "$1" | awk '{print $3}')
                if [ "$dirown" != "root" ]; then
                    crit "$1 is not owned by root"
                    ERRORS=$((ERRORS + 1))