From 7014c398140eb02e651639e22b85c0b9e91938fd Mon Sep 17 00:00:00 2001
|
|
|
44eea6 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
44eea6 |
Date: Tue, 3 Sep 2019 14:02:02 +0200
|
|
|
44eea6 |
Subject: [PATCH] Improved Bash code based on shellcheck feedback.
|
|
|
44eea6 |
|
|
|
44eea6 |
* Quote `find` glob, arguments, so they are protected from the shell.
|
|
|
44eea6 |
* Quote the whole `awk` command, so shellcheck is not confused by unquoted curly braces.
|
|
|
44eea6 |
* Fix a typo of `file_to_inspect` vs `files_to_inspect`.
|
|
|
44eea6 |
* Made vars expansion explicit when they are followed by square brackets,
|
|
|
44eea6 |
i.e. `$x[[:space:]]` to `${x}[[:space:]]`
|
|
|
44eea6 |
* Separated `local` declarations from assignments using subshells.
|
|
|
44eea6 |
`local` shadows the subshell return code in those cases.
|
|
|
44eea6 |
* Removed `local` from the Jinja macro, as there is no function there.
|
|
|
44eea6 |
* Changed `sed` separator in `FSTAB_TARGET_ROW` definition to `|`, got rid of `TARGET_ESCAPED`.
|
|
|
44eea6 |
* Double-quoted backslashes in double quotes.
|
|
|
44eea6 |
* Commented out unused def of `TARGET_OPTS`.
|
|
|
44eea6 |
---
|
|
|
44eea6 |
.../audit_rules_immutable/bash/shared.sh | 2 +-
|
|
|
44eea6 |
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
|
|
|
44eea6 |
.../dir_perms_world_writable_sticky_bits/bash/shared.sh | 2 +-
|
|
|
44eea6 |
.../bash/rhel6.sh | 9 +++------
|
|
|
44eea6 |
.../bash_remediation_functions/fix_audit_syscall_rule.sh | 2 +-
|
|
|
44eea6 |
.../include_mount_options_functions.sh | 2 +-
|
|
|
44eea6 |
...form_audit_adjtimex_settimeofday_stime_remediation.sh | 2 +-
|
|
|
44eea6 |
shared/bash_remediation_functions/service_command.sh | 4 +++-
|
|
|
44eea6 |
shared/macros-bash.jinja | 4 ++--
|
|
|
44eea6 |
9 files changed, 14 insertions(+), 15 deletions(-)
|
|
|
44eea6 |
|
|
|
44eea6 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
44eea6 |
index ce411358a7..20282296d7 100644
|
|
|
44eea6 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
44eea6 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
44eea6 |
@@ -8,7 +8,7 @@
|
|
|
44eea6 |
# files to check if '-e .*' setting is present in that '*.rules' file already.
|
|
|
44eea6 |
# If found, delete such occurrence since auditctl(8) manual page instructs the
|
|
|
44eea6 |
# '-e 2' rule should be placed as the last rule in the configuration
|
|
|
44eea6 |
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
|
|
44eea6 |
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
|
|
44eea6 |
|
|
|
44eea6 |
# Append '-e 2' requirement at the end of both:
|
|
|
44eea6 |
# * /etc/audit/audit.rules file (for auditctl case)
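Review bot: The deletion pattern on the new line, `sed -i '/-e[[:space:]]\+.*/d'`, is unanchored, so it removes any line in which `-e` is followed by whitespace — a commented-out `# -e 2` explanation or rule text that happens to contain `-e ` — not only an active `-e` setting; the glob quoting does not change that. Anchoring it at the start of the rule, `sed -i '/^[[:space:]]*-e[[:space:]]\+/d'`, limits the cleanup to actual `-e` lines. The rest of this script (the append step described in the comment below) lies outside the hunk.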
|
|
|
44eea6 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
|
|
44eea6 |
index 58047353cf..1c9748ce9b 100644
|
|
|
44eea6 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
|
|
44eea6 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
|
|
44eea6 |
@@ -8,7 +8,7 @@
|
|
|
44eea6 |
# files to check if '-f .*' setting is present in that '*.rules' file already.
|
|
|
44eea6 |
# If found, delete such occurrence since auditctl(8) manual page instructs the
|
|
|
44eea6 |
# '-f 2' rule should be placed as the last rule in the configuration
|
|
|
44eea6 |
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
|
|
44eea6 |
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
|
|
44eea6 |
|
|
|
44eea6 |
# Append '-f 2' requirement at the end of both:
|
|
|
44eea6 |
# * /etc/audit/audit.rules file (for auditctl case)
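Review bot: The sed expression on the new line still deletes `-e` lines, while the comments around it and the appended rule are about `-f`; the quoting fix preserved that mismatch. As written, running this remediation strips an existing `-e 2` (immutable) setting from every rules file in these directories instead of the `-f` setting it is meant to replace, and presumably leaves any prior `-f` line in place next to the one appended below. It should read `sed -i '/^[[:space:]]*-f[[:space:]]\+/d'`, anchored at line start so comment text is not removed. The append step this comment refers to is outside the hunk.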
|
|
|
44eea6 |
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
|
44eea6 |
index 57b1ef0198..150244d4cd 100644
|
|
|
44eea6 |
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
|
44eea6 |
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
|
44eea6 |
@@ -1,5 +1,5 @@
|
|
|
44eea6 |
# platform = multi_platform_rhel
|
|
|
44eea6 |
-df --local -P | awk {'if (NR!=1) print $6'} \
|
|
|
44eea6 |
+df --local -P | awk '{if (NR!=1) print $6}' \
|
|
|
44eea6 |
| xargs -I '{}' find '{}' -xdev -type d \
|
|
|
44eea6 |
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
|
|
|
44eea6 |
| xargs chmod a+t
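Review bot: The pipeline still hands directory names to `chmod` through a whitespace-splitting `xargs`, so a world-writable directory whose name contains a space or a newline — the kind of directory an unprivileged user can create in such a location — is split into fragments and `chmod a+t` is applied to the wrong paths or fails; the awk quoting fix does not affect that stage. Doing the action inside find removes the splitting entirely: `df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod a+t {} + 2>/dev/null`. The `-I '{}'` stage passes each df line whole, so mount points with spaces are fine; only a mount point containing a newline would still be a problem. Note that the `2>/dev/null` also hides chmod failures, which is probably intentional but worth a comment.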
|
|
|
44eea6 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
|
|
|
44eea6 |
index 609658410a..0e56752ae4 100644
|
|
|
44eea6 |
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
|
|
|
44eea6 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
|
|
|
44eea6 |
@@ -44,23 +44,20 @@ do
|
|
|
44eea6 |
MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev"
|
|
|
44eea6 |
fi
|
|
|
44eea6 |
|
|
|
44eea6 |
- # Escape possible slash ('/') characters in target for use as sed
|
|
|
44eea6 |
- # expression below
|
|
|
44eea6 |
- TARGET_ESCAPED=${TARGET//$'/'/$'\/'}
|
|
|
44eea6 |
# This target doesn't contain 'nodev' in mount options yet (and meets
|
|
|
44eea6 |
# the above filtering criteria). Therefore obtain particular /etc/fstab's
|
|
|
44eea6 |
# row into FSTAB_TARGET_ROW variable separating the mount options field with
|
|
|
44eea6 |
# hash '#' character
|
|
|
44eea6 |
- FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab)
|
|
|
44eea6 |
+ FSTAB_TARGET_ROW=$(sed -n "s|\\(.*${TARGET}[$SP]\\+${FSTYPE}[$SP]\\+\\)\\([^$SP]\\+\\)|\\1#\\2#|p" /etc/fstab)
|
|
|
44eea6 |
# Split the retrieved value by the hash '#' delimiter to get the
|
|
|
44eea6 |
# row's head & tail (i.e. columns other than mount options) which won't
|
|
|
44eea6 |
# get modified
|
|
|
44eea6 |
TARGET_HEAD=$(cut -f 1 -d '#' <<< "$FSTAB_TARGET_ROW")
|
|
|
44eea6 |
- TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
|
|
|
44eea6 |
+ # TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
|
|
|
44eea6 |
TARGET_TAIL=$(cut -f 3 -d '#' <<< "$FSTAB_TARGET_ROW")
|
|
|
44eea6 |
# Replace old mount options for particular /etc/fstab's row (for this target
|
|
|
44eea6 |
# and fstype) with new mount options
|
|
|
44eea6 |
- sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab
|
|
|
44eea6 |
+ sed -i "s|${TARGET_HEAD}\(.*\)${TARGET_TAIL}|${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}|" /etc/fstab
|
|
|
44eea6 |
fi
|
|
|
44eea6 |
fi
|
|
|
44eea6 |
done
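Review bot: With the delimiter change, the new `FSTAB_TARGET_ROW` and `sed -i` lines splice `${TARGET}`, `${TARGET_HEAD}` and `${TARGET_TAIL}` into a basic regex and its replacement with no escaping at all; the removed slash-escaping was the only escaping there was, so a value containing `.`, `*`, `[`, `|` or `&` still changes the meaning of the expression (e.g. `/mnt/data.old` matches more than the literal path, and `&` in the replacement re-inserts the match). Since the values come from /etc/fstab this is a correctness rather than an injection concern, but it silently edits the wrong row. A small helper, `esc() { printf '%s' "$1" | sed 's/[][\.*^$|&]/\\&/g'; }`, applied to TARGET, TARGET_HEAD and TARGET_TAIL before they are spliced in makes the match and replacement literal. The loop that sets TARGET, FSTYPE and SP starts before this hunk.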
|
|
|
44eea6 |
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
|
|
|
44eea6 |
index 0bb5ad2ef4..25f80fe30b 100644
|
|
|
44eea6 |
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
|
|
|
44eea6 |
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
|
|
|
44eea6 |
@@ -95,7 +95,7 @@ then
|
|
|
44eea6 |
if [ ${#files_to_inspect[@]} -eq "0" ]
|
|
|
44eea6 |
then
|
|
|
44eea6 |
file_to_inspect="/etc/audit/rules.d/$key.rules"
|
|
|
44eea6 |
- files_to_inspect=("$files_to_inspect")
|
|
|
44eea6 |
+ files_to_inspect=("$file_to_inspect")
|
|
|
44eea6 |
if [ ! -e "$file_to_inspect" ]
|
|
|
44eea6 |
then
|
|
|
44eea6 |
touch "$file_to_inspect"
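Review bot: The typo fix makes this branch reachable as intended, which means `touch "$file_to_inspect"` now actually creates `/etc/audit/rules.d/$key.rules` with whatever mode the current umask yields (0644 under a typical 022). Audit rules files are normally kept readable by root only; if that holds on the target platforms, creating the file with an explicit mode, `install -m 0640 /dev/null "$file_to_inspect"` (or a `chmod 0640` right after the touch), avoids depending on the caller's umask. Please confirm the mode the packaged rules files use before picking the value. The enclosing function begins before this hunk.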
|
|
|
44eea6 |
diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
|
|
|
44eea6 |
index 8467b01628..392367dc05 100644
|
|
|
44eea6 |
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
|
|
|
44eea6 |
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
|
|
|
44eea6 |
@@ -8,7 +8,7 @@ function include_mount_options_functions {
|
|
|
44eea6 |
# $4: mount type of new mount point (used when adding new entry in fstab)
|
|
|
44eea6 |
function ensure_mount_option_for_vfstype {
|
|
|
44eea6 |
local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
|
|
|
44eea6 |
- readarray -t _vfstype_points < <(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}')
|
|
|
44eea6 |
+ readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
|
|
|
44eea6 |
|
|
|
44eea6 |
for _vfstype_point in "${_vfstype_points[@]}"
|
|
|
44eea6 |
do
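Review bot: The pattern given to `grep -E` on the new line matches the vfstype token in any column of any line, so a commented-out entry (`#/dev/sdb1 /data ext4 defaults 0 0`) or a device or mount path that merely contains the token is selected and its second field pushed into `_vfstype_points`; the brace change only clarifies the expansion. Selecting by field is tighter and also avoids interpolating `_vfstype` into a regex: `readarray -t _vfstype_points < <(awk -v t="$_vfstype" '$1 !~ /^#/ && $3 == t {print $2}' /etc/fstab)`. The function body continues past the end of the hunk.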
|
|
|
44eea6 |
diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
|
|
|
44eea6 |
index 8d2f357c0c..be1425b454 100644
|
|
|
44eea6 |
--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
|
|
|
44eea6 |
+++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
|
|
|
44eea6 |
@@ -14,7 +14,7 @@ source fix_audit_syscall_rule.sh
|
|
|
44eea6 |
function perform_audit_adjtimex_settimeofday_stime_remediation {
|
|
|
44eea6 |
|
|
|
44eea6 |
# Retrieve hardware architecture of the underlying system
|
|
|
44eea6 |
-[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
|
|
|
44eea6 |
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
|
|
|
44eea6 |
|
|
|
44eea6 |
for ARCH in "${RULE_ARCHS[@]}"
|
|
|
44eea6 |
do
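Review bot: The `[ … ] && A || B` on the new line is an if/else in disguise; it is correct only because the array assignment in the middle cannot fail, and every reader has to re-verify that. `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi` states the intent directly. RULE_ARCHS and the loop variable ARCH are also assigned inside the function without `local`, so they remain set in the caller's shell after it returns; a `local RULE_ARCHS ARCH` above this line would contain them if that leak is not intended.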
|
|
|
44eea6 |
diff --git a/shared/bash_remediation_functions/service_command.sh b/shared/bash_remediation_functions/service_command.sh
|
|
|
44eea6 |
index feb8a9648f..e1eb18cd95 100644
|
|
|
44eea6 |
--- a/shared/bash_remediation_functions/service_command.sh
|
|
|
44eea6 |
+++ b/shared/bash_remediation_functions/service_command.sh
|
|
|
44eea6 |
@@ -13,7 +13,9 @@ function service_command {
|
|
|
44eea6 |
# Load function arguments into local variables
|
|
|
44eea6 |
local service_state=$1
|
|
|
44eea6 |
local service=$2
|
|
|
44eea6 |
-local xinetd=$(echo $3 | cut -d'=' -f2)
|
|
|
44eea6 |
+local xinetd
|
|
|
44eea6 |
+
|
|
|
44eea6 |
+xinetd=$(echo $3 | cut -d = -f 2)
|
|
|
44eea6 |
|
|
|
44eea6 |
# Check sanity of the input
|
|
|
44eea6 |
if [ $# -lt "2" ]
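Review bot: The new assignment `xinetd=$(echo $3 | cut -d = -f 2)` leaves `$3` unquoted, so it is word-split and glob-expanded before `echo` sees it, and it runs before the argument-count check just below. A parameter expansion does the job with no subshell and no splitting: `xinetd=${3#*=}` (for a value with no `=`, both forms yield the whole value; they differ only when the value contains a second `=`, where cut keeps the middle field and the expansion keeps everything after the first `=`). If `set -u` is ever enabled, use `${3-}` first so a missing third argument stays a harmless empty string. The function's remaining body is outside the hunk.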
|
|
|
44eea6 |
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
|
|
44eea6 |
index 135531991a..969989e59f 100644
|
|
|
44eea6 |
--- a/shared/macros-bash.jinja
|
|
|
44eea6 |
+++ b/shared/macros-bash.jinja
|
|
|
44eea6 |
@@ -173,7 +173,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}"
|
|
|
44eea6 |
cat "{{{ path }}}.bak" >> "{{{ path }}}"
|
|
|
44eea6 |
{{%- elif insert_after %}}
|
|
|
44eea6 |
# Insert after the line matching the regex '{{{ insert_after }}}'
|
|
|
44eea6 |
-local line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
44eea6 |
+line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
44eea6 |
if [ -z "$line_number" ]; then
|
|
|
44eea6 |
# There was no match of '{{{ insert_after }}}', insert at
|
|
|
44eea6 |
# the end of the file.
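Review bot: The new `line_number` assignment keeps every match of `grep -n`, so when the insert_after regex matches more than one line the variable holds several newline-separated numbers; the `-z` test below still passes and whatever consumes `$line_number` (outside this hunk) receives a multi-line value. Taking only the first match, `line_number="$(LC_ALL=C grep -n -m 1 "{{{ insert_after }}}" "{{{ path }}}.bak" | cut -d : -f 1)"`, yields a single number and drops the sed. A comment such as `# not local: this macro expands at top level, outside any function` above the line would record why `local` was removed, so nobody reintroduces it.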
|
|
|
44eea6 |
@@ -185,7 +185,7 @@ else
|
|
|
44eea6 |
fi
|
|
|
44eea6 |
{{%- elif insert_before %}}
|
|
|
44eea6 |
# Insert before the line matching the regex '{{{ insert_before }}}'.
|
|
|
44eea6 |
-local line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
44eea6 |
+line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
44eea6 |
if [ -z "$line_number" ]; then
|
|
|
44eea6 |
# There was no match of '{{{ insert_before }}}', insert at
|
|
|
44eea6 |
# the end of the file.
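Review bot: This branch is a copy of the insert_after branch with only the anchor regex changed, so the same behaviour applies here: several lines matching the insert_before regex give a multi-line `line_number`. Rather than fixing it in two places, the two branches could share one computation, e.g. `{{%- set anchor = insert_after or insert_before %}}` ahead of the branch and a single `line_number="$(LC_ALL=C grep -n -m 1 "{{{ anchor }}}" "{{{ path }}}.bak" | cut -d : -f 1)"`, with the branches then differing only in where the line is inserted. The code that consumes `line_number` lies outside the hunk.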
|