diff options
author | hlein <hlein@korelogic.com> | 2017-03-06 10:41:21 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2017-03-06 10:41:21 +0300 |
commit | b595cc0fb5f0dafe3604f2d2d4915de1acd9c754 (patch) | |
tree | 285792c98f8d9d404d55a0d258c8e274868c74d7 | |
parent | b9ae378edb9ab109eeb25cc27599b76b2f6f6bfb (diff) |
Various cleanups (#363)
* Typo fix.
* Style change: always use $(), never ``.
The Lynis code already mostly used $(), but backticks were sprinkled
around. Converted all of them.
* Lots of minor spelling/typo fixes.
FWIW these were found with:
find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less
And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
34 files changed, 457 insertions, 456 deletions
diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index b4f4402e..409b3c80 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -82,7 +82,7 @@ # ######################################################################### # - MYUSER=`whoami` + MYUSER=$(whoami) if [ "${MYUSER}" = "" ]; then echo "[X] Could not determine user" fi @@ -91,7 +91,7 @@ fi - MYWORKDIR=`pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..'` + MYWORKDIR=$(pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..') if [ ! -d ${MYWORKDIR} ]; then echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)" ExitFatal @@ -126,7 +126,7 @@ # Check binaries - GITBUILDPACKAGEBINARY=`which git-buildpackage` + GITBUILDPACKAGEBINARY=$(which git-buildpackage) if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}" else @@ -135,7 +135,7 @@ ExitFatal fi - RPMBUILDBINARY=`which rpmbuild` + RPMBUILDBINARY=$(which rpmbuild) if [ ! "${RPMBUILDBINARY}" = "" ]; then echo "[=] rpmbuild = ${RPMBUILDBINARY}" else @@ -168,7 +168,7 @@ #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Create temporary build directory - TMPDIR=`mktemp -d /tmp/lynis-BUILDROOT.XXXXXX` + TMPDIR=$(mktemp -d /tmp/lynis-BUILDROOT.XXXXXX) if [ $? -eq 0 ]; then echo "[V] Creating temporary build directory" #echo " BUILDROOT: ${TMPDIR}" @@ -202,8 +202,8 @@ fi fi - TARBALL_MD5=`md5sum ${TARBALL}` - TARBALL_SHA1=`sha1sum ${TARBALL}` + TARBALL_MD5=$(md5sum ${TARBALL}) + TARBALL_SHA1=$(sha1sum ${TARBALL}) echo "[*] Starting with RPM building process" @@ -212,7 +212,7 @@ if [ -f ${SOURCEFILE_RPM} ]; then if [ -f lynis.spec ]; then # adjust version in spec file - VERSION_IN_SPECFILE=`awk '/^Version:/ { print $2 }' lynis.spec` + VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec) echo "[=] Found version ${VERSION_IN_SPECFILE}" if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then echo "[X] Version in specfile is outdated" @@ -241,9 +241,9 @@ echo "[*] Starting with DEB building process" - DEBCHANGELOGFULLVERSION=`head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'` - DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'` - DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'` + DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') + DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }') + DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }') if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then echo "[V] Debian/changelog up-to-date" else @@ -251,12 +251,12 @@ ExitFatal fi -# BZRSTATUS=`${BZRBINARY} status . 2>&1 > /dev/null; echo $?` +# BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?) # if [ "${BZRSTATUS}" = "0" ]; then # echo "[V] bzr has proper directory tree" -# DEBCHANGELOGFULLVERSION=`head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'` -# DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'` -# DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'` +# DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') +# DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }') +# DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }') # echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})" # if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then # echo "[V] Debian/changelog up-to-date" @@ -343,7 +343,7 @@ Exit if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi # Check script - FIND=`sh -n ${OPTION_BINARY_FILE} ; echo $?` + FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?) if [ $FIND -eq 0 ]; then echo "OK" else @@ -354,7 +354,7 @@ Exit # Create SHA1 hashes echo -n "- Create SHA1 hashes " - SHA1HASH_LYNIS=`grep -v '^#' ${OPTION_BINARY_FILE} | sha1` + SHA1HASH_LYNIS=$(grep -v '^#' ${OPTION_BINARY_FILE} | sha1) echo "DONE" echo " Lynis (SHA1): ${SHA1HASH_LYNIS}" @@ -372,16 +372,16 @@ Exit #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= echo -n "- Creating MD5 hashes..." - PACKAGE_LIST_FILES=`grep "^file:" files.dat | cut -d ':' -f3` + PACKAGE_LIST_FILES=$(grep "^file:" files.dat | cut -d ':' -f3) for I in ${PACKAGE_LIST_FILES}; do echo -n "${I} " - #FULLNAME=`grep ":file:include:" files.dat + #FULLNAME=$(grep ":file:include:" files.dat) #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS} FILE="../${I}" - MD5HASH=`md5 -q ${FILE}` + MD5HASH=$(md5 -q ${FILE}) echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS} echo "@size 0000" >> ${OPENBSD_CONTENTS} done diff --git a/include/binaries b/include/binaries index 25aa0649..81a9c99d 100644 --- a/include/binaries +++ b/include/binaries @@ -64,7 +64,7 @@ fi # Add a space to make sure we discover a related directory if it was already scanned - FIND=`echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}"` + FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}") if [ ! "${FIND}" = "" ]; then SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned" fi @@ -72,7 +72,7 @@ if [ ${SKIPDIR} -eq 0 ]; then BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}" LogText "Directory ${SCANDIR} exists. Starting directory scanning..." - FIND=`ls ${SCANDIR}` + FIND=$(ls ${SCANDIR}) for I in ${FIND}; do N=$((N + 1)) BINARY="${SCANDIR}/${I}" @@ -114,7 +114,7 @@ chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; - curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=`${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'`; LogText " Found known binary: curl (browser) - ${BINARY}" ;; + curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser) - ${BINARY}" ;; cut) CUTBINARY="${BINARY}" LogText " Found known binary: cut (text stream editor) - ${BINARY}" ;; @@ -127,14 +127,14 @@ domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; - exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; + exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; fail2ban-server) FAIL2BANFOUND=1; FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; file) FILEBINARY="${BINARY}" LogText " Found known binary: file (file type detection) - ${BINARY}" ;; find) FINDFOUND=1; FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: g++ (compiler) - ${BINARY}" ;; - # additional file check due to existance /usr/libexec/gcc (directory) + # additional file check due to existence /usr/libexec/gcc (directory) gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: gcc (compiler) - ${BINARY}"; fi ;; getent) GETENT_BINARY="${BINARY}" LogText " Found known binary: getent (query tool for name service switch libraries) - ${BINARY}" @@ -173,7 +173,7 @@ lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; - lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; + lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; maldet) LMDFOUND=1; LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; md5) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;; md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;; @@ -182,17 +182,17 @@ LogText " Found known binary: mount (disk utility) - ${BINARY}" ;; mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;; - mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;; + mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=$(${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g') ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;; netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;; nft) NFTFOUND=1; NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;; - nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${NMAPVERSION})" ;; + nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;; ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;; osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;; - openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;; + openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;; - perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; LogText "Found ${BINARY} (version ${PERLVERSION})" ;; + perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;; pgrep) PGREPBINARY=${BINARY}; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;; - php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; LogText "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;; + php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;; pkg) PKG_BINARY="${BINARY}" LogText " Found known binary: pkg (software package administration) - ${BINARY}" @@ -205,9 +205,9 @@ ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; - python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;; - python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;; - python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; + python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;; + python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;; + python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; @@ -223,21 +223,21 @@ ;; sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;; slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;; - smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;; + smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;; smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;; showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;; sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;; sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;; squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;; ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;; - sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'`; LogText "Found ${BINARY} (version ${SSHDVERSION})" ;; + sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;; stat) STATFOUND=1; STATBINARY="${BINARY}"; LogText " Found known binary: stat (file information) - ${BINARY}" ;; strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; LogText " Found known binary: strings (text strings search) - ${BINARY}" ;; sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;; sha256|sha256sum) SHA256SUMFOUND=1; SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;; ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;; sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; - syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; + syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; SERVICE_MANAGER="systemd"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; timedatectl) TIMEDATECTLFOUND=1; TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; tr) TRFOUND=1; TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;; @@ -254,7 +254,7 @@ wc) WCBINARY="${BINARY}" LogText " Found known binary: wc (word count) - ${BINARY}" ;; - wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${WGETVERSION})" ;; + wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=$(${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${WGETVERSION})" ;; yum) YUMFOUND=1; YUMBINARY="${BINARY}"; LogText " Found known binary: yum (package manager) - ${BINARY}" ;; xargs) XARGSBINARY="${BINARY}" LogText " Found known binary: xargs (command output redirection) - ${BINARY}" @@ -271,7 +271,7 @@ LogText "Result: Directory ${SCANDIR} does NOT exist" fi done - BINARY_PATHS_FOUND=`echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g'` + BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g') LogText "Discovered directories: ${BINARY_PATHS_FOUND}" Report "binary_paths=${BINARY_PATHS_FOUND}" BINARY_SCAN_FINISHED=1 diff --git a/include/functions b/include/functions index 848d2393..5ea2e6d2 100644 --- a/include/functions +++ b/include/functions @@ -190,11 +190,11 @@ else # If 'file' is an directory, use -d if [ -d ${CHECKFILE} ]; then - FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` + FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10) + PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3) else - FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` + FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10) + PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3) fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi fi @@ -218,7 +218,7 @@ if [ ! "${REPORTFILE}" = "/dev/null" ]; then # Check if we can find the main type (with or without brackets) LogText "Test: search string $2 in earlier discovered results" - FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"` + FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2") if [ ! "${FIND}" = "" ]; then ITEM_FOUND=1 RETVAL=0 @@ -298,7 +298,7 @@ ContainsString() { RETVAL=1 if [ $# -ne 2 ]; then ReportException "ContainsString" "Incorrect number of arguments for ContainsStrings function"; fi - FIND=`echo "$2" | egrep "$1"` + FIND=$(echo "$2" | egrep "$1") if [ ! "${FIND}" = "" ]; then RETVAL=0; fi return ${RETVAL} } @@ -334,11 +334,11 @@ CreateTempFile() { TEMP_FILE="" if [ "${OS}" = "AIX" ]; then - RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')` + RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')) TEMP_FILE="/tmp/${RANDOMSTRING1}" touch ${TEMP_FILE} else - TEMP_FILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1 + TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1 fi if [ ! "${TEMP_FILE}" = "" ]; then LogText "Action: created temporary file ${TEMP_FILE}" @@ -398,7 +398,7 @@ VALUE=$1 LogText "Value is now: ${VALUE}" if [ ! "${AWKBINARY}" = "" ]; then - VALUE=`echo ${VALUE} | grep -Eo '[0-9]{1,}'` + VALUE=$(echo ${VALUE} | grep -Eo '[0-9]{1,}') fi LogText "Returning value: ${VALUE}" } @@ -454,7 +454,7 @@ echo "Search paths used --> ${tPROFILE_TARGETS}" ExitCustom 66 else - PROFILES=`echo ${PROFILES} | sed 's/^ //'` + PROFILES=$(echo ${PROFILES} | sed 's/^ //') fi } @@ -525,7 +525,7 @@ # Display: # - counting with -m instead of -c, to support language locale # - wc needs LANG to deal with multi-bytes characters but LANG has been unset in include/consts... - LINESIZE=`export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' '` + LINESIZE=$(export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' ') if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi if [ ${INDENT} -gt 0 ]; then SPACES=$((62 - INDENT - LINESIZE)); fi if [ ${SPACES} -lt 0 ]; then SPACES=0; fi @@ -793,18 +793,18 @@ "AIX") # Common interfaces: en0 en1 en2, ent0 ent1 ent2 - FIND=`entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'` + FIND=$(entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }') if [ "${FIND}" = "" ]; then - FIND=`entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'` + FIND=$(entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }') fi if [ ! "${FIND}" = "" ]; then # We have a MAC address, now hashing it if [ ! "${SHA1SUMBINARY}" = "" ]; then - HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` + HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') elif [ ! "${CSUMBINARY}" = "" ]; then - HOSTID=`echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }'` + HOSTID=$(echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }') elif [ ! "${OPENSSLBINARY}" = "" ]; then - HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'` + HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }') else ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX" fi @@ -814,9 +814,9 @@ ;; "DragonFly" | "FreeBSD") - FIND=`${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ ! "${FIND}" = "" ]; then - HOSTID=`echo ${FIND} | sha1` + HOSTID=$(echo ${FIND} | sha1) else ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD" fi @@ -829,20 +829,20 @@ # Only use ifconfig if no ip binary has been found if [ ! "${IFCONFIGBINARY}" = "" ]; then # Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch) - HASETH0=`${IFCONFIGBINARY} | grep "^eth0"` + HASETH0=$(${IFCONFIGBINARY} | grep "^eth0") # Check if we can find it with HWaddr on the line - FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') # If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch) if [ "${FIND}" = "" ]; then - FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr` + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr) if [ "${FIND}" = "" ]; then # If possible directly address eth0 to avoid risking gathering the incorrect MAC address. # If not, then falling back to getting first interface. Better than nothing. if [ ! "${HASETH0}" = "" ]; then - FIND=`${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') else - FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]') if [ "${FIND}" = "" ]; then ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)" else @@ -850,7 +850,7 @@ fi fi else - FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig" fi fi @@ -858,10 +858,10 @@ # See if we can use ip binary instead if [ ! "${IPBINARY}" = "" ]; then # Determine if we have the common available eth0 interface - FIND=`${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ "${FIND}" = "" ]; then # Determine the MAC address of first interface with the ip command - FIND=`${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ "${FIND}" = "" ]; then ReportException "GetHostID" "Can't create hostid (no MAC addresses found)" fi @@ -874,7 +874,7 @@ # Check if we found a HostID if [ ! "${FIND}" = "" ]; then LogText "Info: using hardware address ${FIND} to create ID" - HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` + HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') LogText "Result: Found HostID: ${HOSTID}" else ReportException "GetHostID" "Can't create HOSTID, command ip not found" @@ -904,18 +904,18 @@ ;; "NetBSD") - FIND=`${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ ! "${FIND}" = "" ]; then - HOSTID=`echo ${FIND} | sha1` + HOSTID=$(echo ${FIND} | sha1) else ReportException "GetHostID" "No MAC address returned on NetBSD" fi ;; "OpenBSD") - FIND=`${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` + FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ ! "${FIND}" = "" ]; then - HOSTID=`echo ${FIND} | sha1` + HOSTID=$(echo ${FIND} | sha1) else ReportException "GetHostID" "No MAC address returned on OpenBSD" fi @@ -925,17 +925,17 @@ INTERFACES_TO_TEST="e1000g1 net0" FOUND=0 for I in ${INTERFACES_TO_TEST}; do - FIND=`${IFCONFIGBINARY} -a | grep "^${I}"` + FIND=$(${IFCONFIGBINARY} -a | grep "^${I}") if [ ! "${FIND}" = "" ]; then FOUND=1; LogText "Found interface ${I} on Solaris" fi done if [ ${FOUND} -eq 1 ]; then - FIND=`${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}'` + FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}') if [ ! "${SHA1SUMBINARY}" = "" ]; then - HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` + HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') elif [ ! "${OPENSSLBINARY}" = "" ]; then - HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'` + HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }') else ReportException "GetHostID" "Can not find sha1/sha1sum or openssl" fi @@ -966,7 +966,7 @@ # Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id) sMACHINEIDFILE="/etc/machine-id" if [ -f ${sMACHINEIDFILE} ]; then - FIND=`head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]"` + FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]") if [ "${FIND}" = "" ]; then MACHINEID="${FIND}" fi @@ -982,7 +982,7 @@ if [ -f /etc/ssh/${I} ]; then LogText "Result: found ${I} in /etc/ssh" if [ ! "${SHA1SUMBINARY}" = "" ]; then - HOSTID=`cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }'` + HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }') LogText "result: Created HostID with SSH key ($I): ${HOSTID}" else ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing" @@ -1159,7 +1159,7 @@ RUNNING=0 PSOPTIONS="" if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi - FIND=`${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep"` + FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep") if [ ! "${FIND}" = "" ]; then RUNNING=1 LogText "IsRunning: process '$1' found (${FIND})" @@ -1201,18 +1201,18 @@ FILE="$1" case $OS in "AIX") - if [ ! "${ISTATBINARY}" = "" ]; then PERMS=`${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"`; fi + if [ ! "${ISTATBINARY}" = "" ]; then PERMS=$(${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"); fi ;; "Linux") - if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -c "%u:%g" ${FILE}`; fi + if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -c "%u:%g" ${FILE}); fi ;; "FreeBSD") - if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -f "%u:%g" ${FILE}`; fi + if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -f "%u:%g" ${FILE}); fi ;; esac # Fallback with ls (for other platforms, or when a test did not reveal any output) if [ "${PERMS}" = "" ]; then - PERMS=`ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }'` + PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }') fi else ReportException "IsOwnedByRoot" "Functions needs 1 argument" @@ -1255,9 +1255,9 @@ # facter if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/facter ] || [ -x /usr/local/bin/facter ]; then - case "`facter is_virtual`" in + case "$(facter is_virtual)" in "true") - SHORT=`facter virtual` + SHORT=$(facter virtual) LogText "Result: found ${SHORT}" ;; "false") @@ -1275,7 +1275,7 @@ if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/systemd-detect-virt ]; then LogText "Test: trying to guess virtualization technology with systemd-detect-virt" - FIND=`/usr/bin/systemd-detect-virt` + FIND=$(/usr/bin/systemd-detect-virt) if [ ! "${FIND}" = "" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" @@ -1292,7 +1292,7 @@ if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/lscpu ]; then LogText "Test: trying to guess virtualization with lscpu" - FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'` + FIND=$(lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g') if [ ! "${FIND}" = "" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" @@ -1315,7 +1315,7 @@ fi if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then LogText "Test: trying to guess virtualization with dmidecode" - FIND=`/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }'` + FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }') if [ ! "${FIND}" = "" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" @@ -1370,7 +1370,7 @@ # FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product - FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` + FIND=$(sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }') if [ ! "${FIND}" = "" ]; then SHORT="${FIND}" fi @@ -1383,7 +1383,7 @@ if [ ${PRIVILEGED} -eq 1 ]; then if [ -x /usr/bin/lshw ]; then LogText "Test: trying to guess virtualization with lshw" - FIND=`lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}'` + FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}') if [ ! "${FIND}" = "" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" @@ -1398,10 +1398,10 @@ LogText "Result: skipped lshw test, as we already found machine type" fi - # Check if we catched some string along all tests + # Check if we caught some string along all tests if [ ! "${SHORT}" = "" ]; then # Lowercase and see if we found a match - SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]` + SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]) case ${SHORT} in amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;; @@ -1455,7 +1455,7 @@ if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi fi if [ -f ${sFILE} -o -d ${sFILE} ]; then - FINDVAL=`ls -ld ${sFILE} | cut -c 8` + FINDVAL=$(ls -ld ${sFILE} | cut -c 8) if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi else return 255 @@ -1481,7 +1481,7 @@ if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi fi if [ -f ${sFILE} -o -d ${sFILE} ]; then - FINDVAL=`ls -l ${sFILE} | cut -c 10` + FINDVAL=$(ls -l ${sFILE} | cut -c 10) if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi else return 255 @@ -1504,7 +1504,7 @@ # Only check if target is a file or directory if [ -f ${sFILE} -o -d ${sFILE} ]; then - FINDVAL=`ls -ld ${sFILE} | cut -c 9` + FINDVAL=$(ls -ld ${sFILE} | cut -c 9) if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi else @@ -1637,9 +1637,9 @@ FIND=$(cat ${TMP_NGINX_FILE} | sed 's/ /:space:/g') DEPTH=0 for I in ${FIND}; do - I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//'` - OPTION=`echo ${I} | awk '{ print $1 }'` - VALUE=`echo ${I}| cut -d' ' -f2-` + I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//') + OPTION=$(echo ${I} | awk '{ print $1 }') + VALUE=$(echo ${I}| cut -d' ' -f2-) LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'" STORE_SETTING=1 case ${OPTION} in @@ -1679,7 +1679,7 @@ else if [ ! "${VALUE}" = "" ]; then # If multiple values follow, select first one - VALUE=`echo ${VALUE} | awk '{ print $1 }'` + VALUE=$(echo ${VALUE} | awk '{ print $1 }') if [ ! -f ${VALUE} ]; then LogText "Result: could not find referenced log file ${VALUE} in nginx configuration" NGINX_ACCESS_LOG_MISSING=1 @@ -1689,8 +1689,8 @@ ;; # Headers add_header) - HEADER=`echo ${VALUE} | awk '{ print $1 }'` - HEADER_VALUE=`echo ${VALUE} | cut -d' ' -f2-` + HEADER=$(echo ${VALUE} | awk '{ print $1 }') + HEADER_VALUE=$(echo ${VALUE} | cut -d' ' -f2-) LogText "Result: found header ${HEADER} with value ${HEADER_VALUE}" #Report "nginx_header[]=${HEADER}|${HEADER_VALUE}|" ;; @@ -1710,12 +1710,12 @@ ;; error_log) # Check if debug is appended - FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'` + FIND=$(echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}') if [ ${FIND} -eq 1 ]; then NGINX_ERROR_LOG_DEBUG=1 fi # Check if log file exists - FILE=`echo ${VALUE} | awk '{ print $1 }'` + FILE=$(echo ${VALUE} | awk '{ print $1 }') if [ ! "${FILE}" = "" ]; then if [ ! -f ${FILE} ]; then NGINX_ERROR_LOG_MISSING=1 @@ -1759,7 +1759,7 @@ listen) NGINX_LISTEN_FOUND=1 # Test for ssl on listen statement - FIND_SSL=`echo ${VALUE} | grep ssl` + FIND_SSL=$(echo ${VALUE} | grep ssl) if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi ;; location) @@ -1789,7 +1789,7 @@ ;; ssl_protocols) NGINX_SSL_PROTOCOLS=1 - VALUE=`echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]'` + VALUE=$(echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]') for ITEM in ${VALUE}; do LogText "Result: found protocol ${ITEM}" case ${ITEM} in @@ -1835,7 +1835,7 @@ else if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then LogText "Test: find service listening on $1:$2" - if [ $1 = "TCP" ]; then FIND=`${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "`; else FIND=`${LSOFBINARY} -i${1} -P -n | grep ":${2} "`; fi + if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi if [ ! "${FIND}" = "" ]; then LogText "Result: found service listening on port $2 ($1)" return 0 @@ -1895,7 +1895,7 @@ fi if [ $# -eq 0 ]; then SIZE=16; else SIZE=$1; fi CSIZE=$((SIZE / 2)) - RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}` + RANDOMSTRING=$(head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}) } @@ -1975,13 +1975,13 @@ # Skip test if it's configured in profile (old style) if [ ${SKIPTEST} -eq 0 ]; then - FIND=`echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]'` + FIND=$(echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]') if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi fi # Check if this test is on the list to skip if [ ${SKIPTEST} -eq 0 ]; then - VALUE=`echo ${TEST_NO} | tr '[:lower:]' '[:upper:]'` + VALUE=$(echo ${TEST_NO} | tr '[:lower:]' '[:upper:]') for I in ${SKIP_TESTS}; do if [ "${I}" = "${VALUE}" ]; then SKIPTEST=1; SKIPREASON="Skipped by profile setting (skip-test)"; fi done @@ -1989,7 +1989,7 @@ # Skip if test is not in the list if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then - FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` + FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}") if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi fi @@ -2109,7 +2109,7 @@ # Clean up temp files for FILE in ${TEMP_FILES}; do # Temporary files should be in /tmp - TMPFILE=`echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\."` + TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.") if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then LogText "Action: removing temporary file ${TMPFILE}" @@ -2300,17 +2300,17 @@ PERMS_OK=0 LogText "Checking permissions of $1" if [ $# -eq 1 ]; then - IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` + IS_PARAMETERS_FILE=$(echo $1 | grep "/parameters") # Check file permissions if [ ! -f "$1" ]; then LogText "Fatal error: file $1 does not exist. Quitting." echo "Fatal error: file $1 does not exist" ExitFatal else - PERMS=`ls -l $1` + PERMS=$(ls -l $1) # Owner permissions - OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'` - OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'` + OWNER=$(echo ${PERMS} | awk -F" " '{ print $3 }') + OWNERID=$(ls -n $1 | awk -F" " '{ print $3 }') if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})." @@ -2318,8 +2318,8 @@ fi fi # Group permissions - GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'` - GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'` + GROUP=$(echo ${PERMS} | awk -F" " '{ print $4 }') + GROUPID=$(ls -n $1 | awk -F" " '{ print $4 }') if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then @@ -2329,21 +2329,21 @@ fi # Owner permissions - OWNER_PERMS=`echo ${PERMS} | cut -c2-4` + OWNER_PERMS=$(echo ${PERMS} | cut -c2-4) if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" ExitFatal fi # Owner permissions - GROUP_PERMS=`echo ${PERMS} | cut -c5-7` + GROUP_PERMS=$(echo ${PERMS} | cut -c5-7) if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1" ExitFatal fi # Other permissions - OTHER_PERMS=`echo ${PERMS} | cut -c8-10` + OTHER_PERMS=$(echo ${PERMS} | cut -c8-10) if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1" ExitFatal @@ -2401,7 +2401,7 @@ if [ -f ${FILE} ]; then # Check if we can find the main type (with or without brackets) LogText "Test: search string ${STRING} in file ${FILE}" - FIND=`egrep "${STRING}" ${FILE}` + FIND=$(egrep "${STRING}" ${FILE}) if [ ! "${FIND}" = "" ]; then ITEM_FOUND=1 LogText "Result: found search string '${STRING}'" @@ -2547,25 +2547,25 @@ if [ "${OS}" = "macOS" ]; then # If a Python binary is found, use the one in path if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then - FIND=`which python 2> /dev/null` + FIND=$(which python 2> /dev/null) if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi fi if [ ! "${PYTHONBINARY}" = "" ]; then SYMLINK_USE_PYTHON=1 LogText "Note: using Python to determine symlinks" - tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1` + tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1) fi else if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then - FIND=`which readlink 2> /dev/null` + FIND=$(which readlink 2> /dev/null) if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi fi if [ ! "${READLINKBINARY}" = "" ]; then SYMLINK_USE_READLINK=1 LogText "Note: Using real readlink binary to determine symlink on ${sFILE}" - tFILE=`${READLINKBINARY} -f ${sFILE}` + tFILE=$(${READLINKBINARY} -f ${sFILE}) LogText "Result: readlink shows ${tFILE} as output" fi fi @@ -2590,15 +2590,15 @@ FOUNDPATH=1 else # Check the full path of the symlink, strip the filename, copy the path and linked filename together - tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'` + tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}') tFILE="${tDIR}/${tFILE}" if [ -L ${tFILE} ]; then LogText "Result: this symlink links to another symlink" # Ensure that we use a second try with the right tool as well if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then - tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}` + tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}) elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then - tFILE=`${READLINKBINARY} -f ${tFILE}` + tFILE=$(${READLINKBINARY} -f ${tFILE}) fi # Check if we now have a normal file if [ -f ${tFILE} ]; then @@ -2656,7 +2656,7 @@ RETVAL=1 # Check if this test is on the list to skip for I in ${SKIP_TESTS}; do - STRING=`echo $1 | tr '[:lower:]' '[:upper:]'` + STRING=$(echo $1 | tr '[:lower:]' '[:upper:]') if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi done else @@ -2768,13 +2768,13 @@ # Apply the related function case ${FUNCTION} in "contains") - FIND=`echo ${VALUE} | egrep "${SEARCH}"` + FIND=$(echo ${VALUE} | egrep "${SEARCH}") if [ "${FIND}" = "" ]; then RETVAL=1; else RETVAL=0; fi ;; #"gt" | "greater-than") COLOR=$GREEN ;; "equals") - CMP1=`echo ${SEARCH} | tr '[:upper:]' '[:lower:']` - CMP2=`echo ${VALUE} | tr '[:upper:]' '[:lower:']` + CMP1=$(echo ${SEARCH} | tr '[:upper:]' '[:lower:']) + CMP2=$(echo ${VALUE} | tr '[:upper:]' '[:lower:']) if [ "${CMP1}" = "${CMP2}" ]; then RETVAL=0; else RETVAL=1; fi ;; #"not-equal") COLOR=$WHITE ;; @@ -2819,7 +2819,7 @@ ViewGroups() { if [ ! "${INCLUDEDIR}" = "" ]; then InsertSection "Available test groups" - for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do + for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do echo "${I}" done fi diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 7607da21..86c90c81 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -24,7 +24,7 @@ if [ $# -eq 0 ]; then Display --text " "; Display --text " " ExitFatal else - FILE=`echo $1 | egrep "^http|https"` + FILE=$(echo $1 | egrep "^http|https") if [ ! "${FILE}" = "" ] ; then CreateTempFile TMP_FILE="${TEMP_FILE}" @@ -59,12 +59,12 @@ fi InsertSection "Image" PKGMGR="" - FIND=`grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g'` + FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g') for I in ${FIND}; do - IMAGE=`echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}'` + IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}') Display --indent 2 --text "Found image:" --result "${IMAGE}" - IS_UBUNTU=`echo ${IMAGE} | grep -i ubuntu` + IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu) if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi @@ -95,11 +95,11 @@ fi InsertSection "Basics" - FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'` + FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g') if [ "${FIND}" = "" ]; then ReportWarning "dockerfile" "No maintainer found. Unclear who created this file." else - MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'` + MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}') Display --indent 2 --text "Maintainer" --result "${MAINTAINER}" fi @@ -111,7 +111,7 @@ InsertSection "Basics" case $PKGMGR in "apt") - FIND=`egrep "apt-get(.*) install" ${AUDIT_FILE}` + FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE}) if [ ! "${FIND}" = "" ]; then LogText "Found installation via apt-get" else @@ -123,14 +123,14 @@ InsertSection "Basics" ;; esac - FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"` + FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#") if [ ! "${FIND}" = "" ]; then ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment" LogText "Details: ${FIND}" fi # SSH - FIND_OPENSSH=`grep openssh ${AUDIT_FILE}` + FIND_OPENSSH=$(grep openssh ${AUDIT_FILE}) if [ ! "${FIND_OPENSSH}" = "" ]; then Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead" @@ -143,21 +143,21 @@ InsertSection "Basics" FILE_DOWNLOAD=0 LogText "Checking usage of cURL" - FIND_CURL=`grep curl ${AUDIT_FILE}` + FIND_CURL=$(grep curl ${AUDIT_FILE}) if [ ! "${FIND_CURL}" = "" ]; then Display --indent 4 --text "Download tool" --result "curl" FILE_DOWNLOAD=1 fi LogText "Checking usage of wget" - FIND_WGET=`grep wget ${AUDIT_FILE}` + FIND_WGET=$(grep wget ${AUDIT_FILE}) if [ ! "${FIND_WGET}" = "" ]; then Display --indent 4 --text "Download tool" --result "wget" FILE_DOWNLOAD=1 fi - FIND=`grep "^ADD http" ${AUDIT_FILE}` + FIND=$(grep "^ADD http" ${AUDIT_FILE}) if [ ! "${FIND}" = "" ]; then FILE_DOWNLOAD=1 ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed" @@ -166,7 +166,7 @@ InsertSection "Basics" if [ ${FILE_DOWNLOAD} -eq 1 ]; then - SSL_USED_FIND=`egrep "(https)" ${AUDIT_FILE}` + SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE}) if [ ! "${SSL_USED_FIND}" = "" ]; then SSL_USED="YES" @@ -177,9 +177,9 @@ InsertSection "Basics" ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)" fi Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR} - HASHING_USED=`egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE}` + HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE}) Display --indent 2 --text "Hashing" --result "${HASHING_USED}" - KEYS_USED=`egrep "(apt-key adv)" ${AUDIT_FILE}` + KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE}) Display --indent 2 --text "Signing keys used" --result ${SSL_USED} Display --indent 2 --text "All downloads properly checked" --result "?" else @@ -191,7 +191,7 @@ InsertSection "Basics" # InsertSection "Permissions" - FIND=`grep -i "chmod 777" ${AUDIT_FILE}` + FIND=$(grep -i "chmod 777" ${AUDIT_FILE}) if [ ! "${FIND}" = "" ]; then ReportWarning "dockerfile" "Warning: chmod 777 found" fi diff --git a/include/helper_system_remote_scan b/include/helper_system_remote_scan index 89f18b70..58d3e121 100644 --- a/include/helper_system_remote_scan +++ b/include/helper_system_remote_scan @@ -49,8 +49,8 @@ # Enable screen output again QUIET=0 - SCP_BINARY=`which scp 2> /dev/null` - SSH_BINARY=`which ssh 2> /dev/null` + SCP_BINARY=$(which scp 2> /dev/null) + SSH_BINARY=$(which ssh 2> /dev/null) if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi diff --git a/include/helper_update b/include/helper_update index 092d3369..44f939a6 100644 --- a/include/helper_update +++ b/include/helper_update @@ -51,7 +51,7 @@ if [ "$1" = "release" ]; then elif [ "$1" = "info" ]; then # CV - Current Version - PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'` + PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g') PROGRAM_LV=0 CheckUpdates diff --git a/include/parameters b/include/parameters index 878fa63f..1b095fab 100644 --- a/include/parameters +++ b/include/parameters @@ -287,7 +287,7 @@ --plugindir | --plugin-dir | --plugins-dir) shift PLUGINDIR=$1 - LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` + LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}') if [ "${LASTCHAR}" = "/" ]; then echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" ExitCustom 65 diff --git a/include/report b/include/report index e53dc5ea..bdb23a92 100644 --- a/include/report +++ b/include/report @@ -140,7 +140,7 @@ fi # Show suggestions from logfile - SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'` + SSUGGESTIONS=$(grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g') if [ "${SSUGGESTIONS}" = "" ]; then echo " ${OK}No suggestions${NORMAL}"; echo "" @@ -159,7 +159,7 @@ if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi fi done - IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"` + IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST") echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}" if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi @@ -228,7 +228,7 @@ if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then # Determine if the quality of the program can be increased by filtering out the exceptions - FIND=`${GREPBINARY} "^exception" ${REPORTFILE}` + FIND=$(${GREPBINARY} "^exception" ${REPORTFILE}) if [ ! "${FIND}" = "" ]; then echo "" echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}" @@ -248,12 +248,12 @@ echo "" echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}" - FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'` + FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g') # Split entries - FIND=`echo ${FIND} | sed 's/====/ /g'` + FIND=$(echo ${FIND} | sed 's/====/ /g') # Display found entries for I in ${FIND}; do - J=`echo ${I} | sed 's/:space:/ /g'` + J=$(echo ${I} | sed 's/:space:/ /g') echo " ${J}" done echo "" diff --git a/include/tests_authentication b/include/tests_authentication index 5077e408..9e56223e 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -102,7 +102,7 @@ Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Test: Testing consistency of /etc/group file" - FIND=`/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine'` + FIND=$(/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine') if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN LogText "Result: chkgrp test performed, Group file seems to be ok." @@ -158,7 +158,7 @@ LogText "Test: Checking login shells" if [ -f /etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN else @@ -202,7 +202,7 @@ LogText "Test: Checking login shells" if [ -f /etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN else @@ -488,7 +488,7 @@ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions" - FIND=`ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10` + FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10) LogText "Result: Found file permissions: ${FIND}" if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then LogText "Result: file ${SUDOERS_FILE} has correct permissions" @@ -650,7 +650,7 @@ if [ -d ${DIR} -a ! -L ${DIR} ]; then LogText "Result: directory ${DIR} exists" # Search in the specified directory - FIND=`find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort` + FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort) if [ ! "${FIND}" = "" ]; then FOUND=1; fi for FILE in ${FIND}; do LogText "Found file: ${FILE}" @@ -680,7 +680,7 @@ if [ -f /etc/pam.d/common-auth ]; then LogText "Result: file /etc/pam.d/common-auth exists" LogText "Test: checking presence LDAP module" - FIND=`${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth` + FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth) if [ ! "${FIND}" = "" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" @@ -809,7 +809,7 @@ Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords" if [ ${SKIPTEST} -eq 0 ]; then if FileIsReadable /etc/shadow; then - DAYS_SINCE_EPOCH=$((`date --utc +%s`/86400)) + DAYS_SINCE_EPOCH=$(($(date --utc +%s)/86400)) LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) @@ -921,7 +921,7 @@ TEST_PERFORMED=1 LogText "Result: file /etc/sysconfig/init exists" LogText "Test: checking presence sulogin for single user mode" - FIND=`${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init` + FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init) if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -943,7 +943,7 @@ # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) TEST_PERFORMED=1 LogText "Result: found target ${I}" - FIND=`${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin"` + FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin") if [ "${FIND}" = "" ]; then LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" else @@ -1075,7 +1075,7 @@ if [ -f /etc/passwd ]; then LogText "Result: file /etc/passwd exists" LogText "Test: Checking umask value in /etc/passwd" - FIND=`${GREPBINARY} "umask=" /etc/passwd` + FIND=$(${GREPBINARY} "umask=" /etc/passwd) if [ "${FIND}" = "" ]; then ReportManual "AUTH-9328:03" fi @@ -1088,7 +1088,7 @@ if [ -f /etc/login.defs ]; then LogText "Result: file /etc/login.defs exists" LogText "Test: Checking umask value in /etc/login.defs" - FIND=`${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "Result: umask value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW @@ -1113,7 +1113,7 @@ if [ -f /etc/init.d/functions ]; then LogText "Result: file /etc/init.d/functions exists" LogText "Test: Checking umask value in /etc/init.d/functions" - FIND=`${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "Result: umask is not configured" Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE @@ -1135,7 +1135,7 @@ if [ -f /etc/init.d/rc ]; then LogText "Result: file /etc/init.d/rc exists" LogText "Test: Checking UMASK value in /etc/init.d/rc" - FIND=`${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW @@ -1160,7 +1160,7 @@ FOUND=0 WEAK_UMASK=0 LogText "Result: file /etc/login.conf exists" - FIND=`${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'` + FIND=$(${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}') if [ ! "${FIND}" = "" ]; then for UMASK_VALUE in ${FIND}; do case ${UMASK_VALUE} in @@ -1196,9 +1196,9 @@ if [ -f /etc/init.d/rcS ]; then LogText "Result: file /etc/init.d/rcS exists" LogText "Test: Checking if script runs another script." - FIND=`${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then - FIND2=`${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` + FIND2=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }') if [ "${FIND2}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW @@ -1234,7 +1234,7 @@ FOUND=0 if [ -f /etc/security/policy.conf ]; then LogText "Result: found /etc/security/policy.conf" - FIND=`${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` + FIND=$(${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf) if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: account locking option set" @@ -1254,7 +1254,7 @@ LogText "Test: checking /etc/default/login" if [ -f /etc/default/login ]; then LogText "Result: file /etc/default/login exists" - FIND=`${GREPBINARY} "^RETRIES" /etc/default/login` + FIND=$(${GREPBINARY} "^RETRIES" /etc/default/login) if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: retries option configured" @@ -1331,7 +1331,7 @@ Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs " - FIND=`${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` + FIND=$(${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }') # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) if [ "${FIND}" = "yes" ]; then AUTH_FAILED_LOGINS_LOGGED=1 diff --git a/include/tests_banners b/include/tests_banners index 2a08de80..ef6199f1 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -100,7 +100,7 @@ # N=0 # LogText "Test: Checking file /etc/motd contents for legal key words" # for I in ${LEGAL_BANNER_STRINGS}; do - # FIND=`${GREPBINARY} -i "${I}" /etc/motd` + # FIND=$(${GREPBINARY} -i "${I}" /etc/motd) # if [ ! "${FIND}" = "" ]; then # LogText "Result: found string '${I}'" # N=$((N + 1)) @@ -205,7 +205,7 @@ N=0 LogText "Test: Checking file /etc/issue.net contents for legal key words" for I in ${LEGAL_BANNER_STRINGS}; do - FIND=`${GREPBINARY} -i "${I}" /etc/issue.net` + FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net) if [ ! "${FIND}" = "" ]; then LogText "Result: found string '${I}'" N=$((N + 1)) diff --git a/include/tests_boot_services b/include/tests_boot_services index eef7f6ef..f7591acd 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -99,6 +99,7 @@ ;; *) CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") + if [ ! -z "${CONTAINS_SYSTEMD}" ]; then SERVICE_MANAGER="systemd" else @@ -259,7 +260,7 @@ # Some OSes like Gentoo do not have /boot mounted by default # TODO: root directory and rewrite ls statement if [ -d /boot ]; then - if [ "`ls /boot/* 2> /dev/null`" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then + if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then BOOT_LOADER_FOUND=1 LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW diff --git a/include/tests_containers b/include/tests_containers index b5a1017a..90b56d95 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -65,10 +65,10 @@ #Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests" #if [ ${SKIPTEST} -eq 0 ]; then # Show Xen guests - #FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'` + #FIND=$(xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}') #for I in ${FIND}; do - #XENGUESTNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` - #XENGUESTID=`echo ${I} | ${CUTBINARY} -d ':' -f2` + #XENGUESTNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1) + #XENGUESTID=$(echo ${I} | ${CUTBINARY} -d ':' -f2) #LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" #done #fi diff --git a/include/tests_databases b/include/tests_databases index ab9dd667..2f37b3c8 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -37,7 +37,7 @@ # Description : Check if MySQL is being used Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep") if [ "${FIND}" = "" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: MySQL process not active" @@ -209,7 +209,7 @@ #Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths" #if [ ${SKIPTEST} -eq 0 ]; then # if [ -f /etc/oratab ]; then - # FIND=`${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }"` + # FIND=$(${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }") # fi #fi # diff --git a/include/tests_filesystems b/include/tests_filesystems index 731198e7..fa178a12 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -247,9 +247,9 @@ # Can be ^/dev/partition # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>) - HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="` + HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=") if [ ! -z "${HAS_UUID}" ]; then - UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` + UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }') LogText "Result: Using ${UUID} as UUID" if [ ! -z "${BLKIDBINARY}" ]; then FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') @@ -303,7 +303,7 @@ else Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})" - #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})" + #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})" ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" fi @@ -429,7 +429,7 @@ FIND1="${ROOTDIR}dev/root" else # Only determine device if it is EXT2/3/4 - #FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'` + #FIND1=$(mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}') FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }') fi # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems @@ -538,7 +538,7 @@ PARTIALLY_HARDENED=0 FULLY_HARDENED=1 for FLAG in ${EXPECTED_FLAGS}; do - FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}` + FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}) if [ "${FLAG_AVAILABLE}" = "" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 diff --git a/include/tests_firewalls b/include/tests_firewalls index c9933bf9..4fe18533 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -106,7 +106,7 @@ TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'` + FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') done echo "${FIND}" | while read line; do @@ -336,7 +336,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" Report "firewall_software[]=ipfw" - IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw` + IPFW_ENABLED=$(service -e | ${GREPBINARY} -o ipfw) if [ "${IPFW_ENABLED}" = "ipfw" ]; then Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN LogText "Result: IPFW is enabled at start-up for IPv4" diff --git a/include/tests_kernel b/include/tests_kernel index 8f492c19..096c0957 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -43,12 +43,12 @@ if [ -L /etc/systemd/system/default.target ]; then LogText "Result: symlink found" if [ ! "${READLINKBINARY}" = "" ]; then - FIND=`${READLINKBINARY} /etc/systemd/system/default.target` + FIND=$(${READLINKBINARY} /etc/systemd/system/default.target) if [ "${FIND}" = "" ]; then LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" ReportException "${TEST_NO}:01" else - FIND2=`echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical"` + FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical") if [ ! "${FIND2}" = "" ]; then LogText "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN @@ -69,7 +69,7 @@ if [ -f /etc/inittab ]; then LogText "Result: file /etc/inittab found" LogText "Test: Checking default Linux run level" - FIND=`${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` + FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1) if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Can't determine default run level from /etc/inittab" @@ -82,7 +82,7 @@ LogText "Result: file /etc/inittab not found" if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then LogText "Test: Checking run level with who -r, for Debian based systems" - FIND=`who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }'` + FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') if [ ! "${FIND}" = "" ]; then LogText "Result: Found default run level '${FIND}'" Report "linux_default_runlevel=${FIND}" @@ -109,9 +109,9 @@ if [ -f /proc/cpuinfo ]; then LogText "Result: found /proc/cpuinfo" LogText "Test: Checking CPU options (XD/NX/PAE)" - FIND_PAE_NX=`${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx "` - FIND_PAE=`${GREPBINARY} " pae " /proc/cpuinfo` - FIND_NX=`${GREPBINARY} " nx " /proc/cpuinfo` + FIND_PAE_NX=$(${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx ") + FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo) + FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo) FOUND=0 if [ ! "${FIND_PAE_NX}" = "" ]; then LogText "PAE: Yes" @@ -165,11 +165,11 @@ Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number" if [ ${SKIPTEST} -eq 0 ]; then # Kernel number (and suffix) - LINUX_KERNEL_RELEASE=`uname -r` + LINUX_KERNEL_RELEASE=$(uname -r) Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}" LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}" # Type and build date - LINUX_KERNEL_VERSION=`uname -v` + LINUX_KERNEL_VERSION=$(uname -v) Report "linux_kernel_version=${LINUX_KERNEL_VERSION}" LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}" Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN @@ -184,7 +184,7 @@ if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded - FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' '` + FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ') Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" @@ -207,7 +207,7 @@ Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then - FIND=`${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort` + FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort) Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN if [ ! "${FIND}" = "" ]; then LogText "Loaded modules according lsmod:" @@ -233,7 +233,7 @@ # Description : Checking for available Linux kernel configuration file in /boot Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" if [ ${SKIPTEST} -eq 0 ]; then - CHECKFILE="/boot/config-`uname -r`" + CHECKFILE="/boot/config-$(uname -r)" if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" LogText "Result: found config (${LINUXCONFIGFILE})" @@ -267,7 +267,7 @@ if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ! "${GREPTOOL}" = "" ]; then LogText "Test: Checking the default I/O kernel scheduler" - LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g` + LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g) if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN @@ -292,7 +292,7 @@ LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then - FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` + FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 @@ -323,7 +323,7 @@ LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then - FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` + FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 @@ -350,7 +350,7 @@ Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching loaded kernel modules" - FIND=`modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort` + FIND=$(modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort) if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Found module: ${I}" @@ -394,7 +394,7 @@ LogText "Kernel candidate: ${FINDCAND}" if [ -z "${FINDINST}" ]; then Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occured, no output from apt-cache policy" + LogText "Result: Exception occurred, no output from apt-cache policy" ReportException "${TEST_NO}:01" LogText "Exception: apt-cache policy did not return an installed kernel version" ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty" @@ -523,7 +523,7 @@ fi done if [ ! -z "${FINDVERSION}" ]; then - CURRENT_KERNEL=`uname -r` + CURRENT_KERNEL=$(uname -r) if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then LogText "Result: reboot needed, as current kernel is different than the one loaded" REBOOT_NEEDED=1 diff --git a/include/tests_logging b/include/tests_logging index f2b03afd..26930809 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -189,7 +189,7 @@ LogText "Test: Searching kernel logger daemon (klogd)" if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then # Search for klogd, but ignore other lines related to klogd (like dd with input/output file) - #FIND=`${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep"` + #FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep") IsRunning klogd if [ ${RUNNING} -eq 1 ]; then LogText "Result: klogd running" @@ -285,7 +285,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u` + FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) if [ "${FIND}" = "" ]; then LogText "Result: nothing found" else @@ -319,7 +319,7 @@ # Try name resolving if no entry is present in local host file LogText "Result: Checking for loghost via name resolving" - FIND=`getent hosts loghost | ${GREPBINARY} loghost` + FIND=$(getent hosts loghost | ${GREPBINARY} loghost) if [ ! -z "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: name resolving was succesful" diff --git a/include/tests_nameservices b/include/tests_nameservices index eaa2ca10..a1f3168d 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -155,7 +155,7 @@ LogText "Test: checking /etc/nodename" if [ -f /etc/nodename ]; then LogText "Result: file /etc/nodename exists" - FIND=`cat /etc/nodename` + FIND=$(cat /etc/nodename) LogText "Output: ${FIND}" Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN else @@ -176,7 +176,7 @@ #LogText "Test: Checking file /etc/domainname" #if [ -f /etc/domainname ]; then # LogText "Result: file /etc/domainname exists" - # FIND2=`cat /etc/domainname` + # FIND2=$(cat /etc/domainname) # if [ ! "${FIND}" = "" ]; then # LogText "Found domain name: ${FIND}" # DOMAINNAME="${FIND}" @@ -267,11 +267,11 @@ if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`which unbound-checkconf` + FIND=$(which unbound-checkconf) if [ ! "${FIND}" = "" ]; then LogText "Test: running unbound-checkconf" # Don't capture any output, just gather exit code (0 is fine, otherwise bad) - FIND=`unbound-checkconf > /dev/null 2>&1` + FIND=$(unbound-checkconf > /dev/null 2>&1) if [ $? -eq 0 ]; then UNBOUND_CONFIG_OK=1 LogText "Result: Configuration is fine" @@ -335,7 +335,7 @@ LogText "Test: searching for named-checkconf binary" if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then LogText "Result: named-checkconf is installed" - FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` + FIND=$(${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN @@ -364,7 +364,7 @@ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" - FIND=`${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*"` + FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*") if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN @@ -470,29 +470,29 @@ ################################################################################# # # Test : NAME-4238 - # Description : Check PowerDNS authoritive status + # Description : Check PowerDNS authoritative status if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" + Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) if [ ! -z "${FIND}" ]; then LogText "Found master=yes in configuration file" - Display --indent 4 --text "- PowerDNS authoritive master: YES" + Display --indent 4 --text "- PowerDNS authoritative master: YES" POWERDNS_AUTH_MASTER=1 else LogText "Result: most likely not master (no master=yes)" - Display --indent 4 --text "- PowerDNS authoritive master: NO" + Display --indent 4 --text "- PowerDNS authoritative master: NO" fi LogText "Test: Checking for PowerDNS slave status" FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) if [ ! -z "${FIND}" ]; then LogText "Found slave=yes in configuration file" - Display --indent 4 --text "- PowerDNS authoritive slave: YES" + Display --indent 4 --text "- PowerDNS authoritative slave: YES" POWERDNS_AUTH_SLAVE=1 else LogText "Result: most likely not slave (no slave=yes)" - Display --indent 4 --text "- PowerDNS authoritive slave: NO" + Display --indent 4 --text "- PowerDNS authoritative slave: NO" fi fi # @@ -529,7 +529,7 @@ if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking `domainname` for NIS domain value" + LogText "Test: Checking $(domainname) for NIS domain value" FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") if [ ! -z "${FIND}" ]; then LogText "Value: ${FIND}" @@ -541,7 +541,7 @@ LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain" if [ -f ${ROOTDIR}etc/defaultdomain ]; then LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" - FIND2=`cat ${ROOTDIR}etc/defaultdomain` + FIND2=$(cat ${ROOTDIR}etc/defaultdomain) if [ ! -z "${FIND2}" ]; then LogText "Output: ${FIND2}" NISDOMAIN="${FIND2}" @@ -641,7 +641,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}` + sFIND=$(${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) if [ ! "${sFIND}" = "" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${sFIND}" diff --git a/include/tests_networking b/include/tests_networking index 8c2724f6..f8b189ca 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -46,12 +46,12 @@ IPV6_ONLY=255 IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED_MTU=0 - FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/"` + FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/") if [ ! "${FIND}" = "" ]; then IPV6_CONFIGURED=1 for I in ${FIND}; do - SYSCTL_KEY=`echo ${I} | ${AWKBINARY} -F= '{ print $1 }'` - SYSCTL_VALUE=`echo ${I} | ${AWKBINARY} -F= '{ print $2 }'` + SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }') + SYSCTL_VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }') case ${SYSCTL_KEY} in "net.ipv6.conf.default.accept_ra") if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi @@ -89,7 +89,7 @@ LogText "Result: IPV6 mode is ${IPV6_MODE}" if [ ${IPV6_CONFIGURED} -eq 1 ]; then Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE - STATUS=`echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]'` + STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]') Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi LogText "Result: IPv6 only configuration: ${STATUS}" @@ -123,7 +123,7 @@ LogText "Test: Checking /etc/resolv.conf file" if [ -f /etc/resolv.conf ]; then LogText "Result: Found /etc/resolv.conf file" - FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq` + FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq) if [ ! "${FIND}" = "" ]; then Display --indent 4 --text "- Testing nameservers" LogText "Test: Querying nameservers" @@ -137,7 +137,7 @@ if [ ! "${DIGBINARY}" = "" ]; then # See if we can query something at the nameserver # 0=good, other=bad - DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?` + DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?) if [ "${DNSRESPONSE}" = "0" ]; then Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN LogText "Nameserver ${I} seems to respond to queries from this host." @@ -196,7 +196,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2` + FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" @@ -260,34 +260,34 @@ FIND="" case ${OS} in AIX) - FIND=`lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` + FIND=$(lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }') ;; DragonFly|FreeBSD) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) ;; Linux) if [ ! "${IFCONFIGBINARY}" = "" ]; then - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u) else if [ ! "${IPBINARY}" = "" ]; then LogText "Test: Using ip binary to gather hardware addresses" - FIND=`${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'` + FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }') else ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)" fi fi ;; macOS) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u) ;; NetBSD) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u) ;; OpenBSD) - FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u) ;; Solaris) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) ;; *) # Having a system currently unsupported? Share your details to determine MAC information @@ -311,39 +311,39 @@ FIND=""; FIND2="" case ${OS} in AIX) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }') + FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; DragonFly|FreeBSD|NetBSD) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }') + FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; Linux) if [ ! "${IFCONFIGBINARY}" = "" ]; then - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2) # Version which works for multiple types of ifconfig (e.g. Slackware) - FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'` + FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }') else if [ ! "${IPBINARY}" = "" ]; then LogText "Test: Using ip binary to gather IP addresses" - FIND=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` - FIND2=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` + FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//') + FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//') else ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)" fi fi ;; macOS) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }') + FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; OpenBSD) - FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` + FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }') + FIND2=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; Solaris) - FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` + FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }') + FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; *) LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details." @@ -377,7 +377,7 @@ case ${OS} in DragonFly|FreeBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then - FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` + FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) # To strip off IP's: ${SEDBINARY} 's/|.*:/|/' else FIND="" @@ -387,15 +387,15 @@ Linux) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:'` + FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:') # TCP - FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:'` + FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:') else if [ ! "${SSBINARY}" = "" ]; then # UDP - FIND=`${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` + FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) # TCP - FIND2=`${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` + FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) else ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" fi @@ -405,7 +405,7 @@ macOS) if [ ! "${LSOFBINARY}" = "" ]; then # UDP and TCP combined - FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"` + FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME") else FIND="" fi @@ -416,7 +416,7 @@ NetBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then - FIND=`${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` + FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) else FIND="" fi @@ -425,9 +425,9 @@ OpenBSD) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }'` + FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }') # TCP - FIND2=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}'` + FIND2=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}') else ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" fi @@ -472,14 +472,14 @@ Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (FreeBSD)" - FIND=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1` + FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1) if [ ! "${FIND}" = "" ]; then LogText "Result: Promiscuous interfaces: ${FIND}" for I in ${FIND}; do WHITELISTED=0 for PROFILE in ${PROFILES}; do Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}" - ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` + ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) if [ ! "${ISWHITELISTED}" = "" ]; then WHITELISTED=1 LogText "Result: this interface was whitelisted in profile (${PROFILE})" @@ -514,13 +514,13 @@ Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (Linux)" - NETWORK=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1` + NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) if [ ! "${NETWORK}" = "" ]; then for I in ${NETWORK}; do - FIND=`${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC` + FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) if [ ! "${FIND}" = "" ]; then LogText "Result: Promiscuous interface: ${I}" - ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` + ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) if [ "${ISWHITELISTED}" = "" ]; then FOUNDPROMISC=1 ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index d99d8349..273265e9 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -87,7 +87,7 @@ # # Test : PKGS-7303 # Description : Query brew package manager - FIND=`which brew 2> /dev/null` + FIND=$(which brew 2> /dev/null) if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager" if [ ${SKIPTEST} -eq 0 ]; then @@ -97,7 +97,7 @@ LogText "Test: Querying brew to get package list" Display --indent 4 --text "- Querying brew for installed packages" LogText "Output:"; LogText "-----" - GPACKAGES=`brew list` + GPACKAGES=$(brew list) for J in ${GPACKAGES}; do LogText "Found package ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" @@ -166,7 +166,7 @@ LogText "Test: Querying 'rpm -qa' to get package list" Display --indent 6 --text "- Querying RPM package manager" LogText "Output:"; LogText "--------" - SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort` + SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort) if [ "${SPACKAGES}" = "" ]; then LogText "Result: RPM binary available, but package list seems to be empty" LogText "Info: looks like the rpm binary is installed, but not used for package installation" @@ -199,15 +199,15 @@ LogText "Test: Querying 'pacman -Q' to get package list" Display --indent 6 --text "- Querying pacman package manager" LogText "Output:"; LogText "--------" - SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g'` + SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g') if [ "${SPACKAGES}" = "" ]; then LogText "Result: pacman binary available, but package list seems to be empty" LogText "Info: looks like the pacman binary is installed, but not used for package installation" else for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{ print $1 }'` - PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{ print $2 }'` + PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }') + PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }') LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done @@ -225,7 +225,7 @@ FOUND=0 FIND=$(which checkupdates 2> /dev/null) if [ ! -z "${FIND}" ]; then - FIND=`checkupdates` + FIND=$(checkupdates) for I in ${FIND}; do LogText "Result: update available for ${I}" Report "available_update[]=${I}" @@ -255,17 +255,17 @@ COUNT=0 # Check configuration options (options start with a capital) LogText "Test: searching configured options in ${PACMANCONF}" - FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g'` + FIND=$(${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g') for I in ${FIND}; do - PMOPTION=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` - PMVALUE=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` + PMOPTION=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }') + PMVALUE=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }') LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}" Report "pacman_option[]=${PMOPTION}:${PMVALUE}:" done # Check software repositories LogText "Test: checking available repositories" - FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]'` + FIND=$(${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]') for I in ${FIND}; do COUNT=$((COUNT + 1)) Report "package_repository[]=${I}" @@ -325,7 +325,7 @@ N=0 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="zypper" - FIND=`${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }'` + FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }') if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do N=$((N + 1)) @@ -346,7 +346,7 @@ if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)"` + FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)") if [ ! "${FIND}" = "" ]; then LogText "Result: No security updates found with Zypper" Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -355,7 +355,7 @@ LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line - FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u` + FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) LogText "List of vulnerable packages/version:" for I in ${FIND}; do VULNERABLE_PACKAGES_FOUND=1 @@ -381,11 +381,11 @@ LogText "Test: Querying dpkg -l to get package list" Display --indent 6 --text "- Querying package manager" LogText "Output:" - SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort` + SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort) for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f2` - PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f3` + PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2) + PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3) LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" done @@ -398,13 +398,13 @@ # # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc - # Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3`; do aptitude purge ${pkg}; done + # Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system" if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Querying dpkg -l to get unpurged packages" - SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort` + SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort) if [ "${SPACKAGES}" = "" ]; then Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN LogText "Result: no packages found with left overs" @@ -432,7 +432,7 @@ Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles" if [ ${SKIPTEST} -eq 0 ]; then if [ -x /usr/local/sbin/portsclean ]; then - FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' '` + FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ') if [ ${FIND} -eq 0 ]; then Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN LogText "Result: no unused distfiles found" @@ -459,11 +459,11 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="dnf" - SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` + SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}') for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` - PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` + PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1) + PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2) LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" done @@ -477,7 +477,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check for security updates LogText "Action: checking updateinfo for security updates" - FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}'` + FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}') if [ ! "${FIND}" = "" ]; then VULNERABLE_PACKAGES_FOUND=1 LogText "Result: found vulnerable packages, upgrade of system needed." @@ -503,7 +503,7 @@ Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity" if [ ${SKIPTEST} -eq 0 ]; then # Check if repoquery plugin is available - FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"` + FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery") if [ ! "${FIND}" = "" ]; then LogText "Action: checking integrity of package database" FIND=$(${DNFBINARY} -q repoquery --duplicated) @@ -511,7 +511,7 @@ LogText "Result: found unexpected result on repoquery --duplicated" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated" fi - FIND=`${DNFBINARY} -q repoquery --unsatisfied` + FIND=$(${DNFBINARY} -q repoquery --unsatisfied) if [ ! "${FIND}" = "" ]; then LogText "Result: found unexpected result on repoquery --unsatisfied" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied" @@ -566,7 +566,7 @@ Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 # Check in /etc/cron.hourly, daily, weekly, monthly etc - COUNT=`find /etc/cron* -name debsums | wc -l` + COUNT=$(find /etc/cron* -name debsums | wc -l) if [ ${COUNT} -gt 0 ]; then LogText "Result: Cron job is configured for debsums utility." Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN @@ -593,7 +593,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Querying portmaster for possible port upgrades" - UPACKAGES=`/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }'` + UPACKAGES=$(/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }') for J in ${UPACKAGES}; do N=$((N + 1)) LogText "Upgrade available (new version): ${J}" @@ -618,7 +618,7 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="pkg_admin audit" if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then - FIND=`/usr/sbin/pkg_admin audit` + FIND=$(/usr/sbin/pkg_admin audit) if [ "${FIND}" = "" ]; then LogText "Result: pkg_admin audit results are clean" Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -628,7 +628,7 @@ LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages." LogText "List of vulnerable packages/version:" - for I in `/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`; do + for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" LogText "Vulnerable package: ${I}" @@ -697,7 +697,7 @@ Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit" if [ ${SKIPTEST} -eq 0 ]; then PACKAGE_AUDIT_TOOL_FOUND=1 - FIND=`/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'` + FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found') if [ "${FIND}" = "" ]; then LogText "Result: Portaudit results are clean" Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -708,7 +708,7 @@ ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" LogText "List of vulnerable packages/version:" - for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u`; do + for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" LogText "Vulnerable package: ${I}" @@ -749,7 +749,7 @@ LogText "Result: found YUM utils package (/usr/bin/package-cleanup)" # Check for duplicates LogText "Test: Checking for duplicate packages" - FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?` + FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: No duplicate packages found" Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN @@ -762,7 +762,7 @@ # Check for package database problems LogText "Test: Checking for database problems" - FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?` + FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: No package database problems found" Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN @@ -822,7 +822,7 @@ # Check if it's installed as package (this is old style) if [ ${DO_TEST} -eq 0 ]; then - FIND=`rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed"` + FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed") if [ ! "${FIND}" = "" ]; then LogText "Result: found yum-plugin-security package" DO_TEST=1 @@ -834,7 +834,7 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="yum-security" LogText "Test: Checking for vulnerable packages" - FIND2=`/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }'` + FIND2=$(/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }') if [ "${FIND2}" = "" ]; then LogText "Result: no vulnerable packages found" Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN @@ -936,7 +936,7 @@ Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Package database consistency by running apt-get check" - FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` + FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?) if [ "${FIND}" = "0" ]; then Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN LogText "Result: package database seems to be consistent." diff --git a/include/tests_printers_spools b/include/tests_printers_spools index a13f5896..66a8e619 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -48,7 +48,7 @@ LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped." else LogText "Result: /usr/sbin/chkprintcap found" - FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?` + FIND=$(/usr/sbin/chkprintcap > /dev/null ; echo $?) # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash if [ "${FIND}" = "0" ]; then Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN @@ -69,7 +69,7 @@ Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking cupsd status" - #FIND=`${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd` + #FIND=$(${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd) IsRunning cupsd if [ ${RUNNING} -eq 1 ]; then Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN @@ -117,7 +117,7 @@ Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking CUPS configuration file permissions" - FIND=`ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10` + FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10) LogText "Result: found ${FIND}" if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN @@ -139,7 +139,7 @@ FOUND=0 # Checking network addresses LogText "Test: Checking CUPS daemon listening network addresses" - FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') N=0 for I in ${FIND}; do LogText "Found network address: ${I}" @@ -168,7 +168,7 @@ # Checking sockets LogText "Test: Checking cups daemon listening sockets" - FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }') for I in ${FIND}; do LogText "Found socket address: ${I}" N=$((N + 1)) @@ -224,7 +224,7 @@ QDAEMON_CONFIG_FILE="/etc/qconfig" FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device"` + FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") if [ ! "${FIND}" = "" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN @@ -271,11 +271,11 @@ LogText "Test: Checking old print jobs" DirectoryExists /var/spool/lpd/qdir if [ ${DIRECTORY_FOUND} -eq 1 ]; then - FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then N=0 for I in ${FIND}; do - FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` + FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found old print job: ${FILE}" N=$((N + 1)) done diff --git a/include/tests_shells b/include/tests_shells index c651c7ae..e6f13eee 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -51,7 +51,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking console TTYs" - FIND=`${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure'` + FIND=$(${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure') if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." @@ -75,7 +75,7 @@ if [ -f /etc/shells ]; then LogText "Result: Found /etc/shells file" LogText "Test: Reading available shells from /etc/shells" - SSHELLS=`${GREPBINARY} "^/" /etc/shells` + SSHELLS=$(${GREPBINARY} "^/" /etc/shells) CSSHELLS=0; CSSHELLS_ALL=0 Display --indent 2 --text "- Checking shells from /etc/shells" for I in ${SSHELLS}; do @@ -117,9 +117,9 @@ if [ -f /etc/profile ]; then # Determine if we can find a TMOUT value - FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` + FIND=$(${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` + FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do @@ -160,12 +160,12 @@ fi if [ -d /etc/profile.d ]; then - FIND=`ls /etc/profile.d/*.sh 2> /dev/null` + FIND=$(ls /etc/profile.d/*.sh 2> /dev/null) if [ ! "${FIND}" = "" ]; then # Determine if we can find a TMOUT value - FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` + FIND=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` + FIND2=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 @@ -231,7 +231,7 @@ if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" FOUND=1 - FIND=`${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "Result: did not find umask configured in ${FILE}" Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW @@ -280,10 +280,10 @@ LogText "Test: Check if bash is in the list of shells." if [ -f /etc/shells ]; then LogText "Test: checking for bash shell in /etc/shells" - FIND=`${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1` + FIND=$(${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1) else LogText "Test: checking if bash is available via which command" - FIND=`which bash 2> /dev/null | head -1` + FIND=$(which bash 2> /dev/null | head -1) fi LogText "Result: command revealed ${FIND} as output" @@ -296,7 +296,7 @@ # CVE-2014-6271 LogText "Test: Check for first exploit (CVE-2014-6271)" echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" @@ -313,7 +313,7 @@ # CVE-2014-6278 LogText "Test: Check for CVE-2014-6278" echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" @@ -328,7 +328,7 @@ # CVE-2014-7169 LogText "Test: Check for taviso bug CVE-2014-7169" echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" @@ -343,7 +343,7 @@ # CVE-2014-7186 LogText "Test: Check for CVE-2014-7186" echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" @@ -358,7 +358,7 @@ # CVE-2014-7187 LogText "Test: Check for CVE-2014-7187" echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" @@ -373,7 +373,7 @@ # CVE-2014-//// LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null) rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" diff --git a/include/tests_solaris b/include/tests_solaris index 95e74d9b..d7416b41 100644 --- a/include/tests_solaris +++ b/include/tests_solaris @@ -32,7 +32,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # LogText "Test: Searching for a SSH daemon" # # Check running processes -# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` +# FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep") # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" @@ -51,7 +51,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # LogText "Test: Searching for a SSH daemon" # # Check running processes -# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` +# FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep") # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" diff --git a/include/tests_squid b/include/tests_squid index 37a2eee9..3ae7d7a0 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -42,7 +42,7 @@ LogText "Test: Searching for a Squid daemon" FOUND=0 # Check running processes - FIND=`${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" @@ -92,9 +92,9 @@ if [ ! "${SQUIDBINARY}" = "" ]; then LogText "Result: Squid binary found (${SQUIDBINARY})" # Skip check if a setuid/setgid bit is found - FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` + FIND=$(find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print) if [ "${FIND}" = "" ]; then - FIND2=`${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }'` + FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }') Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN SQUID_VERSION="${FIND2}" else @@ -114,9 +114,9 @@ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" - FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g') for I in ${FIND}; do - I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` + I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found Squid option: ${I}" Report "squid_option=${I}" done @@ -131,7 +131,7 @@ Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" - FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` + FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) if [ ! "${FIND}" = "" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED @@ -159,7 +159,7 @@ Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check auth_param option for authentication methods" - FIND=`${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'` + FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW @@ -180,7 +180,7 @@ Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check external_acl_type option for external authentication helpers" - FIND=`${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}` + FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}) if [ "${FIND}" = "" ]; then LogText "No external_acl_type found" Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW @@ -203,14 +203,14 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking ACLs" - FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g') if [ "${FIND}" = "" ]; then LogText "Result: No ACLs found" Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED else for I in ${FIND}; do N=$((N + 1)) - I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` + I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found ACL: ${I}" #Report "squid_acl=${I}" done @@ -228,14 +228,14 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking ACL Safe_ports http_access option" - FIND=`${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports"` + FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports") if [ "${FIND}" = "" ]; then LogText "Result: no Safe_ports found" Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" else LogText "Result: checking ACL safe ports" - FIND2=`${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }'` + FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }') if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" @@ -251,7 +251,7 @@ #SQUID_DAEMON_UNSAFE_PORTS_LIST for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do LogText "Test: Checking port ${I} in Safe_ports list" - FIND2=`${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` + FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}) if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 1 1 @@ -279,7 +279,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking option reply_body_max_size" - FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g') if [ "${FIND}" = "" ]; then LogText "Result: option reply_body_max_size not configured" Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED @@ -306,10 +306,10 @@ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on"` + FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on") if [ "${FIND}" = "" ]; then LogText "Result: option httpd_suppress_version_string not configured" - Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW + Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 1 2 ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." else diff --git a/include/tests_ssh b/include/tests_ssh index 7d6491be..581f253e 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -136,18 +136,18 @@ # Go through our list of options for I in ${SSHOPS}; do - OPTIONNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` - OPTIONNAME_LOWER=`echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'` - EXPECTEDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1` - MEDIUMSCOREDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2` - WEAKVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3` - TESTTYPE=`echo ${I} | ${CUTBINARY} -d ':' -f3` + OPTIONNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1) + OPTIONNAME_LOWER=$(echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }') + EXPECTEDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1) + MEDIUMSCOREDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2) + WEAKVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3) + TESTTYPE=$(echo ${I} | ${CUTBINARY} -d ':' -f3) RESULT="NONE" if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then # Get value and use the last occurrence - FOUNDVALUE=`${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1` + FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1) LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}" if [ ! "${FOUNDVALUE}" = "" ]; then @@ -262,7 +262,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers - FIND=`${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` + FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN @@ -273,7 +273,7 @@ fi # AllowGroups - FIND=`${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` + FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_storage b/include/tests_storage index 9cfa3410..8f9c91cd 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -35,10 +35,10 @@ FOUND=0 LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" if [ -d /etc/modprobe.d ]; then - FIND=`ls /etc/modprobe.d/* 2> /dev/null` + FIND=$(ls /etc/modprobe.d/* 2> /dev/null) if [ ! "${FIND}" = "" ]; then - FIND=`${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` - FIND2=`${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*` + FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*) if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" @@ -48,7 +48,7 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND=`${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#"` + FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" @@ -77,11 +77,11 @@ USBDEVICESPATH="/sys/bus/usb/devices/usb" for device in "${USBDEVICESPATH}"*; do if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then - if [ `cat "${device}/authorized_default"` -eq 1 ]; then + if [ $(cat "${device}/authorized_default") -eq 1 ]; then FOUND=1 LogText "Test: ${device} is authorized by default" Report "usb_authorized_default_device[]=${device}" - elif [ `cat "${device}/authorized"` -eq 1 ]; then + elif [ $(cat "${device}/authorized") -eq 1 ]; then FOUND=1 LogText "Test: ${device} is authorized currently" Report "usb_authorized_device[]=${device}" @@ -112,10 +112,10 @@ FOUND=0 LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" if [ -d /etc/modprobe.d ]; then - FIND=`ls /etc/modprobe.d/* 2> /dev/null` + FIND=$(ls /etc/modprobe.d/* 2> /dev/null) if [ ! "${FIND}" = "" ]; then - FIND1=`${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` - FIND2=`${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` + FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" @@ -125,8 +125,8 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND1=`${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` - FIND2=`${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` + FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#") if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 91533b4e..cad6a65d 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -37,7 +37,7 @@ Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking rpcinfo registered programs" - FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ','` + FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',') for I in ${FIND}; do LogText "rpcinfo: ${I}" done @@ -52,7 +52,7 @@ Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NFS registered versions" - FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort` + FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort) for I in ${FIND}; do LogText "Found version: ${I}" done @@ -67,7 +67,7 @@ Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NFS registered protocols" - FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` + FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort) for I in ${FIND}; do LogText "Found protocol: ${I}" done @@ -77,7 +77,7 @@ # Check port number LogText "Test: Checking NFS registered ports" - FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` + FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort) for I in ${FIND}; do LogText "Found port: ${I}" done @@ -94,7 +94,7 @@ Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking running NFS daemon" - FIND=`${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep") if [ "${FIND}" = "" ]; then LogText "Output: NFS daemon is not running" Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE @@ -122,10 +122,10 @@ LogText "Test: check /etc/exports" if [ -f /etc/exports ]; then LogText "Result: /etc/exports exists" - FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g'` + FIND=$(${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do - I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` + I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found line: ${I}" done else @@ -161,7 +161,7 @@ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" if [ ${SKIPTEST} -eq 0 ]; then #LogText "Test: " - sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*"` + sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*") if [ "${sFIND}" != "" ]; then LogText "Result: all client are allowed to access a NFS share in /etc/exports" Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW diff --git a/include/tests_time b/include/tests_time index cab4db0c..78be08b9 100644 --- a/include/tests_time +++ b/include/tests_time @@ -46,7 +46,7 @@ # TODO: Skip NTP tests if we are in a DomU xen instance FIND=$(cat /sys/hypervisor/type) if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi - elif [ -f /sbin/sysctl ] && [ "`/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0`" -eq 1 ]; then + elif [ -f /sbin/sysctl ] && [ "$(/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0)" -eq 1 ]; then # Skip NTP tests if we're in a FreeBSD jail PREQS_MET="NO" else @@ -271,7 +271,7 @@ else Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED LogText "Result: Found one or more high stratum (16) peers)" - ReportSuggestion ${TEST_NO} "Check ntpq peers output for startum 16 peers" + ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers" fi fi fi @@ -281,12 +281,12 @@ # Test : TIME-3120 # Description : Check unreliable peers from peer list # Notes : Items with # are too far away (network distance) - # Items with - are not chosing due clustering algoritm + # Items with - are not chosen due clustering algorithm if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g'` + FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -313,7 +313,7 @@ FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }') if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN - FIND2=`echo ${FIND2} | ${SEDBINARY} 's/*//g'` + FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g') LogText "Result: Found selected time source (value: ${FIND2})" else Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED @@ -431,7 +431,7 @@ Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0') for I in ${sFIND}; do - FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l` + FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) if [ ${FIND} -gt 0 ]; then LogText "Result: $I exist in ${FILE}" else diff --git a/include/tests_tooling b/include/tests_tooling index e432062e..c4ed6123 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -221,8 +221,8 @@ # # Check email alert configuration # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # - # FIND=`${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}` - # FIND2=`${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}` + # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) + # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # # if [ ! "${FIND}" = "" ]; then # FAIL2BAN_EMAIL=1 @@ -271,7 +271,7 @@ # LogText "Checking for fail2ban iptables chains" # # if [ ! "${IPTABLESBINARY}" = "" ]; then - # CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban` + # CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban) # if [ ! "${CHECK_CHAINS}" = "" ]; then # LogText "Result: found at least one iptables chain for fail2ban" # Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN diff --git a/include/tests_webservers b/include/tests_webservers index f711700e..8d1ed571 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -61,7 +61,7 @@ Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" - IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache'` + IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache') if [ "${IS_APACHE}" = "" ]; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE @@ -69,7 +69,7 @@ Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" APACHE_INSTALLED=1 - APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }'` + APACHE_VERSION=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }') LogText "Apache version: ${APACHE_VERSION}" Report "apache_version=${APACHE_VERSION}" fi @@ -93,7 +93,7 @@ Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then APACHE_CONFIGFILE="" - APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]'` + APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]') if [ "${APACHE_TEST}" = "" ]; then LogText "Result: Can't find the configuration file, so skipping some Apache related tests" @@ -104,7 +104,7 @@ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" else # Probably the prefix is missing, so we are going to search that - APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' '` + APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ') #echo "Apache root prefix: ${APACHE_HTTPDROOT}" #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}" APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}" @@ -143,13 +143,13 @@ cVHOSTS=0; tVHOSTS="" # Check every configuration file - for I in `cat ${TMPFILE}`; do + for I in $(cat ${TMPFILE}); do LogText "Apache config file: ${I}" FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then # Search Virtual Hosts - for J in `${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do + for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) @@ -205,12 +205,12 @@ # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do # if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured -# SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'` +# SERVERTOKENSTEST=$(${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#') # if [ ! "${SERVERTOKENSTEST}" = "" ]; then # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE -# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' '` +# SERVERTOKENSTEST=$(echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' ') # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" -# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3` +# SERVERTOKENSEXPECTED=$(${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3) # if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then # LogText "Result: Value from configuration file yielded the same output as in template" # SERVERTOKENSFOUND=1 @@ -254,7 +254,7 @@ #for I in ${APACHE_MODULES_ENABLED_LOCS}; do #LogText "Test: checking ${I}" #if [ -d ${I} ]; then - #FIND=`${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }'` + #FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }') #else #LogText "Result: ${I} does not exist" #fi @@ -380,7 +380,7 @@ Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching running nginx process" - FIND=`${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running nginx process(es)" Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN @@ -430,9 +430,9 @@ N=0 ${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) - FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g'` + FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g') for I in ${FIND}; do - FIND2=`${LSBINARY} ${I} 2>/dev/null` + FIND2=$(${LSBINARY} ${I} 2>/dev/null) for J in ${FIND2}; do # Ensure that we are parsing normal files if [ -f ${J} ]; then @@ -442,7 +442,7 @@ FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}" - FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}` + FIND3=$(sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}) else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi @@ -451,9 +451,9 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"` + SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})") for I in ${SORTFILE}; do - I=`echo ${I} | ${SEDBINARY} 's/:space:/ /g'` + I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g') Report "nginx_config_option[]=${I}"; done @@ -470,7 +470,7 @@ ################################################################################# # # Test : HTTP-6708 - # Description : Check discovered nginx configuration settings for further hardering + # Description : Check discovered nginx configuration settings for further hardening # Notes : Daemon of nginx should be running, nginx.conf should be found if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings" @@ -651,7 +651,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}" -# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';'` +# FIND=$(${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';') # for I in ${FIND}; do # LogText "Found reverse proxy configuration for: ${I}" # N=$((N + 1)) @@ -675,7 +675,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching nginx virtual hosts" -# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';'` +# FIND=$(${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';') # for I in ${FIND}; do # if [ "${I}" = "_" ]; then I="Default virtual host"; fi # LogText "Found virtual host: ${I}" diff --git a/include/tool_tips b/include/tool_tips index 2d75ea19..347e5872 100644 --- a/include/tool_tips +++ b/include/tool_tips @@ -31,7 +31,7 @@ for I in ${ETC_PATHS}; do if [ -d ${I}/bash-completion.d ]; then if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then - Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" + Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" fi fi done @@ -61,7 +61,7 @@ ################################################################################# # # Work directory - WORKDIR=`pwd` + WORKDIR=$(pwd) # Test from which directories we can use all functions and tests @@ -248,7 +248,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta ################################################################################# # # CV - Current Version - PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'` + PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g') PROGRAM_LV=0 # ################################################################################# @@ -299,7 +299,7 @@ ${NORMAL} ################################################################################# # # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their - # home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist. + # home directory isn't set. For root it will be /var/run, or the current working directory if /var/run doesn't exist. MYHOMEDIR=$(echo ~ 2> /dev/null) if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi @@ -815,14 +815,14 @@ ${NORMAL} LogText "Found plugin file: ${PLUGIN_FILE}" # Double check if output is a valid file name if [ -f ${PLUGIN_FILE} ]; then - FIND2=`grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'` + FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }') if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi # Check if the plugin is enabled in any of the profiles PLUGIN_ENABLED_STATE=0 for PROFILE in ${PROFILES}; do LogText "Action: checking plugin status in profile: ${PROFILE}" - FIND3=`grep "^plugin=${FIND2}" ${PROFILE}` + FIND3=$(grep "^plugin=${FIND2}" ${PROFILE}) if [ ! "${FIND3}" = "" ]; then LogText "Result: plugin enabled in profile (${PROFILE})" PLUGIN_ENABLED_STATE=1 @@ -832,8 +832,8 @@ ${NORMAL} LogText "Result: plugin ${FIND2} is enabled" PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase${PLUGIN_PHASE}" if [ -f ${PLUGINFILE} ]; then - PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'` - PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'` + PLUGIN_VERSION=$(grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }') + PLUGIN_VERSION_NODOTS=$(echo ${PLUGIN_VERSION} | sed 's/.//g') if SafePerms ${PLUGINFILE}; then LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})" Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|" diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index e558031e..55583f0d 100644 --- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 @@ -68,25 +68,25 @@ # Check if the PAM directory structure exists if [ -d ${PAM_DIRECTORY} ]; then LogText "Result: /etc/pam.d exists" - FIND_FILES=`find ${PAM_DIRECTORY} -type f -print` + FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print) # First check /etc/pam.conf if it exists. #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi for PAM_FILE in ${FIND_FILES}; do LogText "Now checking PAM file ${PAM_FILE}" while read line; do # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces - LINE=`echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//'` + LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//') if [ ! "${LINE}" = "" ]; then - PAM_SERVICE=`echo ${PAM_FILE} | awk -F/ '{ print $NF }'` + PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }') PAM_CONTROL_FLAG="-" PAM_CONTROL_OPTIONS="-" PAM_MODULE="-" PAM_MODULE_OPTIONS="-" - PAM_TYPE=`echo ${LINE} | awk '{ print $1 }'` + PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }') PARSELINE=0 case ${PAM_TYPE} in "@include") - FILE=`echo ${LINE} | awk '{ print $2 }'` + FILE=$(echo ${LINE} | awk '{ print $2 }') Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)" ;; "account") @@ -106,16 +106,16 @@ ;; esac if [ ${PARSELINE} -eq 1 ]; then - MULTIPLE_OPTIONS=`echo ${LINE} | awk '$2 ~ /^\[/'` + MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/') if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then # Needs more parsing, depending on the options found - PAM_CONTROL_OPTIONS=`echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//"` + PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//") LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}" - LINE=`echo ${LINE} | sed "s/ \[.*\] / other /"` + LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /") fi - PAM_MODULE=`echo ${LINE} | awk '{ print $3 }'` - PAM_MODULE_OPTIONS=`echo ${LINE} | cut -d ' ' -f 4-` - PAM_CONTROL_FLAG=`echo ${LINE} | awk '{ print $2 }'` + PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }') + PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-) + PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }') case ${PAM_CONTROL_FLAG} in "optional"|"required"|"requisite"|"sufficient") #Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}" @@ -135,7 +135,7 @@ LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured" fi - PAM_MODULE_NAME=`echo ${PAM_MODULE} | sed 's/.so$//'` + PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//') # # Specific PAMs are commonly seen on these platforms: # @@ -202,8 +202,8 @@ if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - VALUE=`echo ${I} | awk -F= '{ print $2 }'` + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') CREDITS_CONFIGURED=0 case ${OPTION} in remember) @@ -231,8 +231,8 @@ LogText "Result: found ${PAM_MODULE} module (generic)" if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - VALUE=`echo ${I} | awk -F= '{ print $2 }'` + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') CREDITS_CONFIGURED=0 case ${OPTION} in remember) @@ -268,9 +268,9 @@ if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then Debug "Module options configured" for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` + OPTION=$(echo ${I} | awk -F= '{ print $1 }') Debug ${OPTION} - VALUE=`echo ${I} | awk -F= '{ print $2 }'` + VALUE=$(echo ${I} | awk -F= '{ print $2 }') CREDITS_CONFIGURED=0 case ${OPTION} in minlen) @@ -286,7 +286,7 @@ MAX_PASSWORD_RETRY=${VALUE} ;; minclass) - # Minimum number of class required out of upper, lower, digit and oters + # Minimum number of class required out of upper, lower, digit and others LogText "Result: Min number of password class is configured" MIN_PASSWORD_CLASS=${VALUE} ;; @@ -318,8 +318,8 @@ fi if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - VALUE=`echo ${I} | awk -F= '{ print $2 }'` + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') case ${OPTION} in deny) AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}" @@ -402,7 +402,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then # Digits if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then - CREDITS_D_PASSWORD=`echo ${CREDITS_D_PASSWORD} | cut -b 2-` + CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-) LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}" Report "password_min_digital_required=${CREDITS_D_PASSWORD}" elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then @@ -412,7 +412,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then # Lowercase if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then - CREDITS_L_PASSWORD=`echo ${CREDITS_L_PASSWORD} | cut -b 2-` + CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-) LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}" Report "password_min_l_required=${CREDITS_L_PASSWORD}" elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then @@ -422,7 +422,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then # Other characters if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then - CREDITS_O_PASSWORD=`echo ${CREDITS_O_PASSWORD} | cut -b 2-` + CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-) LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}" Report "password_min_other_required=${CREDITS_O_PASSWORD}" elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then @@ -432,7 +432,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then # Uppercase if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then - CREDITS_U_PASSWORD=`echo ${CREDITS_U_PASSWORD} | cut -b 2-` + CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-) LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}" Report "password_min_u_required=${CREDITS_U_PASSWORD}" elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1 index 53a72b12..a3544c3d 100644 --- a/plugins/plugin_systemd_phase1 +++ b/plugins/plugin_systemd_phase1 @@ -39,7 +39,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} > /dev/null` + FIND=$(${SYSTEMCTLBINARY} > /dev/null) if [ $? -gt 0 ]; then Report "systemctl_error_message=${FIND}" else @@ -57,13 +57,13 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1` + FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1) if [ ! "${FIND}" = "" ]; then SYSTEMD_VERSION=${FIND} Report "systemd_version=${FIND}" LogText "Result: found systemd version ${FIND}" fi - FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1` + FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1) if [ ! "${FIND}" = "" ]; then Report "systemd_builtin_components=${FIND}" LogText "Result: found builtin components list" @@ -77,7 +77,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'` + FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }') if [ ! "${FIND}" = "" ]; then LogText "Result: found systemd unit files via systemctl list-unit-files" for I in ${FIND}; do @@ -94,7 +94,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'` + FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }') if [ ! "${FIND}" = "" ]; then LogText "Result: found systemd unit files via systemctl list-unit-files" for I in ${FIND}; do @@ -111,7 +111,7 @@ if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`cat /etc/machine-id | head -1` + FIND=$(cat /etc/machine-id | head -1) if [ ! "${FIND}" = "" ]; then SYSTEMD_MACHINEID="${FIND}" LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}" @@ -125,7 +125,7 @@ if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|"` + FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|") if [ ! "${FIND}" = "" ]; then Report "systemd_binaries=${FIND}" LogText "Result: found systemd binaries in /usr/lib/systemd" @@ -141,10 +141,10 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --list-boots | wc -l` + FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l) LogText "Output: number of boots listed in journal is ${FIND}" if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi - FIND=`${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }'` + FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }') LogText "Output: oldest boot date in journal is ${FIND}" if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi fi @@ -156,11 +156,11 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g'` + FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g') if [ ! "${FIND}" = "" ]; then Report "journal_contains_errors=1" for I in ${FIND}; do - LINE=`echo ${I} | sed 's/:space:/ /g'` + LINE=$(echo ${I} | sed 's/:space:/ /g') LogText "Output (fails): ${LINE}" done else @@ -176,7 +176,7 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'` + FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}') Report "journal_disk_size=${FIND}" LogText "Result: journals are ${FIND} in size" fi @@ -188,7 +188,7 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'` + FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g') Report "journal_meta_data=${FIND}" fi # @@ -214,7 +214,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1` + FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1) if [ ! "${FIND}" = "" ]; then Report "systemd_status=${FIND}" LogText "Result: found systemd status = ${FIND}" @@ -228,7 +228,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'` + FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }') if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do Report "systemd_unit_not_found[]=${I}" @@ -243,7 +243,7 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'` + FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}') if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more services with faulty state" for I in ${FIND}; do @@ -261,7 +261,7 @@ Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress if [ ${SKIPTEST} -eq 0 ]; then SYSTEMD_COREDUMP_USED=1 - FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump` + FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump) if [ ! "${FIND}" = "" ]; then LogText "Result: systemd uses systemd-coredump to handle coredumps" Report "systemd_coredump_used=1" @@ -281,7 +281,7 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null` + FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null) if [ ! "${FIND}" = "" ]; then Report "journal_coredumps_lastday=1" LogText "Result: found recent coredumps" |