From 7014c398140eb02e651639e22b85c0b9e91938fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Tue, 3 Sep 2019 14:02:02 +0200
Subject: [PATCH] Improved Bash code based on shellcheck feedback.

* Quote `find` glob, arguments, so they are protected from the shell.
* Quote the whole `awk` command, so shellcheck is not confused by unquoted curly braces.
* Fix a typo of `file_to_inspect` vs `files_to_inspect`.
* Made vars expansion explicit when they are followed by square brackets, i.e. `$x[[:space:]]` to `${x}[[:space:]]`
* Separated `local` declarations from assignments using subsells. `local` shadows the subshell return code in those cases.
* Removed `local` from the Jinja macro, as there is no function there.
* Changed `sed` separator in `FSTAB_TARGET_ROW` definition to `|`, got rid of `TARGET_ESCAPED`.
* Double-quoted backslashes in double quotes.
* Commented out unused def of `TARGET_OPTS`.
---
 .../audit_rules_immutable/bash/shared.sh | 2 +-
 .../audit_rules_system_shutdown/bash/shared.sh | 2 +-
 .../dir_perms_world_writable_sticky_bits/bash/shared.sh | 2 +-
 .../bash/rhel6.sh | 9 +++------
 .../bash_remediation_functions/fix_audit_syscall_rule.sh | 2 +-
 .../include_mount_options_functions.sh | 2 +-
 ...form_audit_adjtimex_settimeofday_stime_remediation.sh | 2 +-
 shared/bash_remediation_functions/service_command.sh | 4 +++-
 shared/macros-bash.jinja | 4 ++--
 9 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
index ce411358a7..20282296d7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
@@ -8,7 +8,7 @@
 # files to check if '-e .*' setting is present in that '*.rules' file already.
 # If found, delete such occurrence since auditctl(8) manual page instructs the
 # '-e 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
 
 # Append '-e 2' requirement at the end of both:
 # * /etc/audit/audit.rules file (for auditctl case)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 58047353cf..1c9748ce9b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
 # files to check if '-f .*' setting is present in that '*.rules' file already.
 # If found, delete such occurrence since auditctl(8) manual page instructs the
 # '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
 
 # Append '-f 2' requirement at the end of both:
 # * /etc/audit/audit.rules file (for auditctl case)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 57b1ef0198..150244d4cd 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
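Review bot: The sed address `/-e[[:space:]]\+.*/` on the new find line in audit_rules_immutable is unanchored, so it deletes any line that merely contains `-e` followed by whitespace, for example a comment line that mentions `-e 2`; the audit_rules_system_shutdown hunk carries the same pattern. Anchoring it to the start of the line, `'/^[[:space:]]*-e[[:space:]]\+.*/d'`, limits the cleanup to actual `-e` directives. The trailing `.*` contributes nothing to the match and can be dropped.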
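Review bot: The new find line in audit_rules_system_shutdown still deletes `-e` directives although the surrounding comments and the rule's purpose say it should clear an existing `-f` setting; the commit only quotes the glob and leaves that mismatch in place. As written, running this remediation strips the `-e 2` immutability rule installed by audit_rules_immutable from every `*.rules` file and never removes a stale `-f` line, so duplicates accumulate on re-runs. The address should read `'/-f[[:space:]]\+.*/d'` (anchored to the line start, as for the `-e` case).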
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_rhel
-df --local -P | awk {'if (NR!=1) print $6'} \
+df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '{}' find '{}' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
 | xargs chmod a+t
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
index 609658410a..0e56752ae4 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
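Review bot: The two `xargs` stages on the unchanged continuation lines still split on whitespace and interpret quotes, so a directory whose name contains a space, quote or newline is skipped or handed to `chmod a+t` in fragments; quoting the awk program does not affect that. Letting find apply the change, `\( -perm -0002 -a ! -perm -1000 \) -exec chmod a+t -- {} +`, removes the second xargs entirely, and note that `awk '{if (NR!=1) print $6}'` already truncates a mount point containing spaces at its first word before the outer xargs sees it. The `2>/dev/null` also hides unreadable directories, so incomplete coverage goes unreported; leaving stderr visible would make partial failures detectable.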
@@ -44,23 +44,20 @@ do
 MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev"
 fi
- # Escape possible slash ('/') characters in target for use as sed
- # expression below
- TARGET_ESCAPED=${TARGET//$'/'/$'\/'}
 # This target doesn't contain 'nodev' in mount options yet (and meets
 # the above filtering criteria). Therefore obtain particular /etc/fstab's
 # row into FSTAB_TARGET_ROW variable separating the mount options field with
 # hash '#' character
- FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab)
+ FSTAB_TARGET_ROW=$(sed -n "s|\\(.*${TARGET}[$SP]\\+${FSTYPE}[$SP]\\+\\)\\([^$SP]\\+\\)|\\1#\\2#|p" /etc/fstab)
 # Split the retrieved value by the hash '#' delimiter to get the
 # row's head & tail (i.e. columns other than mount options) which won't
 # get modified
 TARGET_HEAD=$(cut -f 1 -d '#' <<< "$FSTAB_TARGET_ROW")
- TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
+ # TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
 TARGET_TAIL=$(cut -f 3 -d '#' <<< "$FSTAB_TARGET_ROW")
 # Replace old mount options for particular /etc/fstab's row (for this target
 # and fstype) with new mount options
- sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab
+ sed -i "s|${TARGET_HEAD}\(.*\)${TARGET_TAIL}|${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}|" /etc/fstab
 fi
 fi
 done
diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
index 0bb5ad2ef4..25f80fe30b 100644
--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
@@ -95,7 +95,7 @@ then
 if [ ${#files_to_inspect[@]} -eq "0" ]
 then
 file_to_inspect="/etc/audit/rules.d/$key.rules"
-files_to_inspect=("$files_to_inspect")
+files_to_inspect=("$file_to_inspect")
 if [ ! -e "$file_to_inspect" ]
 then
 touch "$file_to_inspect"
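Review bot: Dropping `TARGET_ESCAPED` removes the only escaping step, but `${TARGET}` and `${FSTYPE}` in the new `FSTAB_TARGET_ROW` expression, and `${TARGET_HEAD}`/`${TARGET_TAIL}` in the new `sed -i`, are still interpolated unescaped into a BRE, so a mount point or device field containing `.`, `*`, `[`, `^`, `$` or the new `|` delimiter changes or breaks the match. Escape each value before use, e.g. `TARGET_RE=$(printf '%s\n' "$TARGET" | sed 's/[][\.*^$|]/\\&/g')` and reference `${TARGET_RE}` in the pattern, with the same treatment for the other interpolated fields. Because the rewrite edits /etc/fstab in place, a pattern that fails to match silently leaves the partition without `nodev`, so re-checking that the option is present afterwards would make the failure visible. The enclosing `do` loop and `if` blocks begin outside the hunk.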
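Review bot: With the typo fixed, `touch "$file_to_inspect"` still creates the new `/etc/audit/rules.d/$key.rules` with whatever umask the caller has, so the file can come out world-readable while the existing rules files are more restrictive; if the profile also enforces permissions on files under rules.d, this freshly created one would be reported. Creating it with an explicit mode, e.g. `install -m 0640 /dev/null "$file_to_inspect"`, removes the dependence on the umask. The enclosing `if` and the function it belongs to start outside the hunk.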
diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
index 8467b01628..392367dc05 100644
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -8,7 +8,7 @@ function include_mount_options_functions {
 # $4: mount type of new mount point (used when adding new entry in fstab)
 function ensure_mount_option_for_vfstype {
 local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
-readarray -t _vfstype_points < <(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}')
+readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
 
 for _vfstype_point in "${_vfstype_points[@]}"
 do
diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
index 8d2f357c0c..be1425b454 100644
--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
@@ -14,7 +14,7 @@ source fix_audit_syscall_rule.sh
 function perform_audit_adjtimex_settimeofday_stime_remediation {
 # Retrieve hardware architecture of the underlying system
-[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
diff --git a/shared/bash_remediation_functions/service_command.sh b/shared/bash_remediation_functions/service_command.sh
index feb8a9648f..e1eb18cd95 100644
--- a/shared/bash_remediation_functions/service_command.sh
+++ b/shared/bash_remediation_functions/service_command.sh
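Review bot: The new `grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab` is unanchored and does not skip comments, so a commented-out entry such as `# /dev/sdb1 /data ext4 defaults 0 0` (constructed example) also matches and its second field is then treated as a live mount point; `_vfstype` is additionally interpreted as an ERE rather than a literal string. Selecting the fstype column with awk handles both: `readarray -t _vfstype_points < <(awk -v t="$_vfstype" '$1 !~ /^#/ && $3 == t {print $2}' /etc/fstab)`. The body of ensure_mount_option_for_vfstype continues past the hunk.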
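Review bot: `getconf LONG_BIT` on the changed line reports the word size of the userspace running the remediation, not of the kernel, so on a 64-bit kernel with a 32-bit userland only the `b32` rules would be installed and 64-bit system calls would stay unaudited; if such mixed systems are in scope, the kernel architecture from `uname -m` is the better discriminator. Separately, `cond && a=… || b=…` reads as if/else but is not one; an explicit `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi` states the intent directly. perform_audit_adjtimex_settimeofday_stime_remediation continues beyond the hunk.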
@@ -13,7 +13,9 @@ function service_command {
 # Load function arguments into local variables
 local service_state=$1
 local service=$2
-local xinetd=$(echo $3 | cut -d'=' -f2)
+local xinetd
+
+xinetd=$(echo $3 | cut -d = -f 2)
 
 # Check sanity of the input
 if [ $# -lt "2" ]
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 135531991a..969989e59f 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -173,7 +173,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}"
 cat "{{{ path }}}.bak" >> "{{{ path }}}"
 {{%- elif insert_after %}}
 # Insert after the line matching the regex '{{{ insert_after }}}'
-local line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
 if [ -z "$line_number" ]; then
 # There was no match of '{{{ insert_after }}}', insert at
 # the end of the file.
@@ -185,7 +185,7 @@ else
 fi
 {{%- elif insert_before %}}
 # Insert before the line matching the regex '{{{ insert_before }}}'.
-local line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
 if [ -z "$line_number" ]; then
 # There was no match of '{{{ insert_before }}}', insert at
 # the end of the file.
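Review bot: `xinetd=$(echo $3 | cut -d = -f 2)` on the new line leaves `$3` unquoted, so it is still word-split and glob-expanded before `echo` sees it — the same class of issue this commit sets out to fix — and `echo` mangles a value beginning with `-n` or `-e`. A parameter expansion does the job without a subshell: `xinetd=${3#*=}` keeps everything after the first `=`, which for the expected `key=value` argument is the same as field 2. The blank line inserted between `local xinetd` and its assignment reads as if the two were unrelated; keeping them adjacent is clearer. service_command's body continues outside the hunk.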
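Review bot: Both new `line_number=` assignments collect every match of `grep -n`, so when the regex `{{{ insert_after }}}` (or `{{{ insert_before }}}` in the second hunk) matches more than one line the variable holds several newline-separated numbers and whatever later consumes `$line_number` receives a malformed value; the `-z` test does not catch that case. Limiting the search to the first hit, `line_number="$(LC_ALL=C grep -n -m 1 "{{{ insert_after }}}" "{{{ path }}}.bak" | cut -d : -f 1)"`, and doing the same in the insert_before branch avoids it. Dropping `local` also makes `line_number` a global in whatever context the macro is expanded in, so a less generic name (for example a macro-prefixed one) would reduce the chance of clobbering a caller's variable. The code that consumes `$line_number` lies outside both hunks.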