github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
-rw-r--r--include/functions34
-rw-r--r--include/tests_homedirs4
-rw-r--r--include/tests_logging2
-rw-r--r--include/tests_ssh2
-rw-r--r--include/tests_tooling4
-rw-r--r--include/tests_usb4
-rwxr-xr-xlynis10
7 files changed, 30 insertions, 30 deletions
diff --git a/include/functions b/include/functions
index 108d1301..7d003976 100644
--- a/include/functions
+++ b/include/functions
@@ -345,7 +345,7 @@
CreateTempFile() {
TEMP_FILE=""
if [ "${OS}" = "AIX" ]; then
- RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
+ RANDOMSTRING1="lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')"
TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE}
else
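Review bot: The AIX branch still creates the temp file with `touch ${TEMP_FILE}` in the shared `/tmp`, under a name that carries only four bytes of randomness, so creation is not exclusive. `touch` succeeds on a path that already exists, including one placed there by another local user, and the script would then treat that file as its own. Creating the file exclusively with a restrictive mask, for example `( umask 077; set -C; : > "${TEMP_FILE}" )`, and treating failure as an error would close that gap; the variable should also be quoted. The rest of CreateTempFile, including the non-AIX branch, lies outside this hunk.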
@@ -950,11 +950,11 @@
fi
if [ ! "${FIND}" = "" ]; then
# We have a MAC address, now hashing it
- if [ ! "${SHA1SUMBINARY}" = "" ]; then
+ if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
- elif [ ! "${CSUMBINARY}" = "" ]; then
+ elif [ -n "${CSUMBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }')
- elif [ ! "${OPENSSLBINARY}" = "" ]; then
+ elif [ -n "${OPENSSLBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
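Review bot: The OpenSSL fallback `${OPENSSLBINARY} sha -sha1` depends on the legacy `sha` digest command, which newer OpenSSL releases (1.1.0 and later, as far as I know) no longer provide. On such a system the pipeline would yield an empty HOSTID without any exception being reported from this branch. `HOSTID=$(echo "${FIND}" | ${OPENSSLBINARY} dgst -sha1 | awk '{ print $2 }')` keeps the same field position and works on old and new versions. The function starts and ends outside this hunk, so any later handling of an empty HOSTID is not visible here.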
@@ -1138,17 +1138,17 @@
fi
fi
- if [ "${HOSTID}" = "" ]; then
+ if [ -z "${HOSTID}" ]; then
LogText "Result: no HOSTID available, trying to use SSH key as unique source"
# Create host ID when a MAC address was not found
SSH_KEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
if [ -d /etc/ssh ]; then
for I in ${SSH_KEY_FILES}; do
- if [ "${HOSTID}" = "" ]; then
+ if [ -z "${HOSTID}" ]; then
if [ -f /etc/ssh/${I} ]; then
LogText "Result: found ${I} in /etc/ssh"
- if [ ! "${SHA1SUMBINARY}" = "" ]; then
- HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
+ if [ -n "${SHA1SUMBINARY}" ]; then
+ HOSTID=$(${SHA1SUMBINARY} /etc/ssh/${I} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
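Review bot: Passing the key file as an argument instead of on stdin can change the output format that `awk '{ print $1 }'` parses. The exception text earlier in this function lists `sha1` among the candidate tools; if `SHA1SUMBINARY` can resolve to a BSD-style `sha1` (an assumption, since binary detection is not part of this diff), `sha1 FILE` prints `SHA1 (FILE) = <digest>` and HOSTID would become the literal string `SHA1` on every such host. A redirect avoids the extra `cat` and keeps the digest in the first field: `HOSTID=$(${SHA1SUMBINARY} < "/etc/ssh/${I}" | awk '{ print $1 }')`. The enclosing loop and function continue outside the hunk.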
@@ -1408,7 +1408,7 @@
FOUND=0
# Early on we can't use FileIsReadable yet
if [ -e /proc/1/cgroup ]; then
- FIND=$(cat ${ROOTDIR}proc/1/cgroup 2> /dev/null | grep -i docker)
+ FIND=$(grep -i docker ${ROOTDIR}proc/1/cgroup 2> /dev/null)
if [ $? -eq 0 ]; then
LogText "Result: found Docker in control groups (/proc/1/cgroup), so we are running in Docker container"
CONTAINER_TYPE="Docker"; FOUND=1
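Review bot: The existence test checks `/proc/1/cgroup` while the `grep` reads `${ROOTDIR}proc/1/cgroup`, so the two can refer to different files whenever ROOTDIR is not `/`. Using one path for both, quoted, keeps the check and the read consistent: `if [ -e "${ROOTDIR}proc/1/cgroup" ]; then` and `FIND=$(grep -i docker "${ROOTDIR}proc/1/cgroup" 2> /dev/null)`. The function body continues outside this hunk.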
@@ -1531,7 +1531,7 @@
# When --user is used, perform a search using the -u option
# Initialize users for strict mode
if [ -n "${users:-}" ]; then
- for u in "${users}"; do
+ for u in ${users}; do
user_uid=$(getent passwd ${u} 2> /dev/null | ${AWKBINARY} -F: '{print $3}')
# Only perform search if user exists and we had no match yet
if [ -n "${user_uid}" ]; then
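Review bot: Dropping the quotes in `for u in ${users}` gives the intended word splitting but also enables pathname expansion, and `getent passwd ${u}` then passes each resulting word unquoted. A value containing `*` or `?` would expand against the current directory before it ever reaches `getent`. Quoting the loop variable, `getent passwd "${u}"`, and wrapping the loop in `set -f` / `set +f` (or validating the names first) limits this to plain splitting. The same pattern appears in the hunk at -1553 of this file.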
@@ -1553,7 +1553,7 @@
FIND=$(${PSBINARY} ${PSOPTIONS} | ${EGREPBINARY} "( |/)${search}" | ${GREPBINARY} -v "grep")
else
if [ -n "${users}" ]; then
- for u in "${users}"; do
+ for u in ${users}; do
user_uid=$(getent passwd ${u} 2> /dev/null | ${AWKBINARY} -F: '{print $3}')
# Only perform search if user exists and we had no match yet
if [ -n "${user_uid}" ]; then
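Review bot: This branch tests `[ -n "${users}" ]` without a default, while the matching test in the hunk at -1531 uses `"${users:-}"` under a comment about strict mode. If `users` can be unset when this else-branch runs (not determinable from the hunk), the expansion would abort under `set -u`. Using `[ -n "${users:-}" ]` here keeps the two paths consistent.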
@@ -2029,7 +2029,7 @@
output=$(${SWUPDBINARY} bundle-list > /dev/null 2>&1 | ${GREPBINARY} "^${package}$")
exit_code=$?
elif [ -n "${ZYPPERBINARY}" ]; then
- output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i")
+ output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${package} 2> /dev/null | grep "^i")
if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi
else
ReportException "PackageIsInstalled:01"
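Review bot: In the swupd branch just above the corrected zypper line, `bundle-list > /dev/null 2>&1 | ${GREPBINARY} ...` sends stdout to `/dev/null` before the pipe, so `grep` never receives any input and `exit_code` is always non-zero. Only stderr should be discarded: `output=$(${SWUPDBINARY} bundle-list 2> /dev/null | ${GREPBINARY} "^${package}$")`. As written, the function would report every package as not installed on swupd systems. Its beginning and end are outside this hunk.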
@@ -2131,11 +2131,11 @@
# Strip out spaces, tabs and line breaks
awk '{$1=$1;print $0}' ${CONFIG_FILE} > ${TMP_NGINX_FILE_RAW}
# Now clean up the file further (combine lines, remove commented lines and empty lines)
- cat ${TMP_NGINX_FILE_RAW} | sed 's#\\$##g' | grep -v "^#" | grep -v "^$" > ${TMP_NGINX_FILE}
+ sed 's#\\$##g' ${TMP_NGINX_FILE_RAW} | grep -v "^#" | grep -v "^$" > ${TMP_NGINX_FILE}
LogText "Action: parsing configuration file ${CONFIG_FILE}"
COUNT=$(( COUNT + 1))
- FIND=$(cat ${TMP_NGINX_FILE} | sed 's/ /:space:/g')
+ FIND=$(sed 's/ /:space:/g' ${TMP_NGINX_FILE})
DEPTH=0
for I in ${FIND}; do
I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
@@ -2520,10 +2520,10 @@
TIME_THRESHOLD=10 # seconds
# Calculate timing and determine if we use seconds or nanoseconds (more precise)
- TIME_DIFF=$((${CURRENT_TS} - ${PREVIOUS_TS}))
+ TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS))
if [ ${CURRENT_TS} -gt 1000000000000000000 ]; then
TIME_DIFF_FORMAT="nanoseconds"
- TIME_THRESHOLD=$((${TIME_THRESHOLD} * 1000000000))
+ TIME_THRESHOLD=$((TIME_THRESHOLD * 1000000000))
if [ ${TIME_DIFF} -gt ${TIME_THRESHOLD} ]; then
SLOW_TEST=1
# Convert back to seconds for readability
@@ -3528,7 +3528,7 @@
WaitForKeyPress() {
if [ ${QUICKMODE} -eq 0 ]; then
echo ""; echo "[ Press [ENTER] to continue, or [CTRL]+C to stop ]"
- read void
+ read -r void
fi
}
diff --git a/include/tests_homedirs b/include/tests_homedirs
index e20b405f..389afd1a 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -57,7 +57,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
- for LINE in "$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')"; do
+ for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }'); do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
if [ -d "${DIR}" ]; then
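Review bot: With the quotes removed, the `for LINE in $(...)` loop splits the passwd output on every space, not only on newlines, so any account whose GECOS field contains a space is cut into fragments. For those fragments `cut -d: -f6` returns an empty DIR and the permission check is silently skipped for that user. Printing only the needed fields avoids the free-text field: change the awk action to `{ print $1 ":" $6 }` and read the directory with `DIR=$(echo "${LINE}" | ${CUTBINARY} -d: -f2)`. The same applies to the hunk at -89 in this file, and the loop body continues outside this hunk.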
@@ -89,7 +89,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
- for LINE in "$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') { print }')"; do
+ for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') { print }'); do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
if [ -d ${DIR} ]; then
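Review bot: The new `for LINE in $(...)` line still carries a stray ` { print }')` after the awk program, so the command substitution closes early and the remaining text opens an unterminated single-quoted string. The loop header should end the same way as the one in the previous hunk: `... '($7 !~ "/(false|nologin)$") { print }'); do`. Separately, `[ -d ${DIR} ]` is unquoted here; with an empty DIR it becomes `[ -d ]`, which evaluates as true, so `[ -d "${DIR}" ]` is the safer form.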
diff --git a/include/tests_logging b/include/tests_logging
index 51e4d246..7e595049 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -279,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
- if IsEmpty "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: nothing found"
else
LogText "Result: found one or more directories (via logrotate configuration)"
diff --git a/include/tests_ssh b/include/tests_ssh
index 7683b0a7..eb3b9134 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -104,7 +104,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
- if [ -n ${OPENSSHD_VERSION} ]; then
+ if [ -n "${OPENSSHD_VERSION}" ]; then
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
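Review bot: In the version pipeline above the corrected test, `awk '{if($4~OpenSSH_){print $4}}'` uses `OpenSSH_` as an uninitialised awk variable rather than a pattern, so the match is against an empty string and always succeeds. The filter only works today because of the preceding `grep 'sshd version'`. Writing it as a regex, `'{if($4~/^OpenSSH_/){print $4}}'`, makes the intent effective, which matters because the later version-dependent checks rely on this value. The test body continues outside the hunk.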
diff --git a/include/tests_tooling b/include/tests_tooling
index 15fa3540..328a48fa 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -54,7 +54,7 @@
# Ansible
FOUND=0
- LIST="~/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
+ LIST="${HOME}/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
for ITEM in ${LIST}; do if DirectoryExists ${ITEM}; then FOUND=1; break; fi; done
# Test for files (only if no match was found)
if [ ${FOUND} -eq 0 ]; then
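Review bot: `${HOME}` is expanded without a default, and the resulting list is split unquoted in `for ITEM in ${LIST}`. Where HOME is unset (some cron or init contexts) the expansion aborts under `set -u`, and a HOME containing a space is split into two bogus paths. `${HOME:-}` with a skip for the empty case would be more robust, for example `[ -n "${HOME:-}" ] && LIST="${HOME}/.ansible ${LIST}"`. Whether strict mode is active at this point is not visible from the hunk.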
@@ -359,7 +359,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Continue if tooling is available and snort is running
- if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
+ if [ -n "${SNORT_FOUND}" ] || [ -n "${SNORT_RUNNING}" ]; then
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
if HasData "${SNORT_CONFIG}"; then
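Review bot: The outer guard joins the two `-n` tests with `||`, but the next line compares both variables numerically and unquoted. If only one of SNORT_FOUND / SNORT_RUNNING is set, `[ ${SNORT_RUNNING} -eq 1 ]` collapses to `[ -eq 1 ]` and prints a test error. Either require both, `if [ -n "${SNORT_FOUND}" ] && [ -n "${SNORT_RUNNING}" ]; then`, or drop the guard and use defaults in the comparison: `[ "${SNORT_FOUND:-0}" -eq 1 ] && [ "${SNORT_RUNNING:-0}" -eq 1 ]`.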
diff --git a/include/tests_usb b/include/tests_usb
index 3ba19cc9..36058490 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -96,11 +96,11 @@
USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then
- if [ $(cat "${device}/authorized_default") -eq 1 ]; then
+ if [ "$(cat "${device}/authorized_default")" = "1" ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
- elif [ $(cat "${device}/authorized") -eq 1 ]; then
+ elif [ "$(cat "${device}/authorized")" = "1" ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
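Review bot: The guard accepts a device when either `authorized` or `authorized_default` exists, yet the first branch reads `authorized_default` unconditionally. For a device that has only `authorized`, `cat` prints an error to stderr before the `elif` is reached. Testing each file where it is read avoids this: `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" = "1" ]; then`, and likewise for `authorized`. That also removes the obsolescent `-o` from the outer test.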
diff --git a/lynis b/lynis
index 32372a37..dcc7de05 100755
--- a/lynis
+++ b/lynis
@@ -198,7 +198,7 @@
fi
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
IGNORE_FILE_PERMISSION_ISSUES=1
- read DUMMY
+ read -r void
fi
# Now include files if permissions are correct, or user decided to continue
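Review bot: The result of `read -r void` is not checked, so when stdin is closed or not a terminal it returns immediately and the script continues with `IGNORE_FILE_PERMISSION_ISSUES=1` already set. Judging by the comment that follows, files with unsafe permissions would then be included without anyone having confirmed. Failing closed in the non-interactive case is safer, e.g. `read -r void || exit 1`, or skip the prompt and exit when `[ ! -t 0 ]`. The surrounding permission check is outside this hunk, so the exact effect should be confirmed there.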
@@ -727,7 +727,7 @@ ${NORMAL}
LogText "Latest stable version : ${PROGRAM_LV}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
# Check if current version is REALLY outdated (10 versions ago)
- PROGRAM_MINVERSION=$((${PROGRAM_LV} - 10))
+ PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
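Review bot: `PROGRAM_LV` is used in `[ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]` and in `$((PROGRAM_LV - 10))` without a check that it is a plain integer. Its origin is not visible in this hunk; if it comes from a remote version lookup, it should be validated before any numeric use, for example `case "${PROGRAM_LV}" in ""|*[!0-9]*) PROGRAM_LV=0 ;; esac`. Quoting both operands in the `[ ... -gt ... ]` tests would also stop an empty value from producing a test syntax error.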
@@ -764,7 +764,7 @@ ${NORMAL}
OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months
- RELEASE_PLUS_TIMEDIFF=$((${PROGRAM_RELEASE_TIMESTAMP} + ${TIME_DIFFERENCE_CHECK}))
+ RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
@@ -882,7 +882,7 @@ ${NORMAL}
if [ -f ${PLUGIN_FILE} ]; then
FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
- if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi
+ if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((N_PLUGIN + 1)); fi
# Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do
@@ -911,7 +911,7 @@ ${NORMAL}
if SafePerms ${PLUGINFILE}; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
- if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((${N_PLUGIN_ENABLED} + 1)); fi
+ if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((N_PLUGIN_ENABLED + 1)); fi
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi
. ${PLUGINFILE}
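Review bot: The plugin path is unquoted in both `SafePerms ${PLUGINFILE}` and `. ${PLUGINFILE}`, so a path containing whitespace or glob characters would be split or expanded. The file whose permissions were checked is then not guaranteed to be the file that gets sourced. Since this code sources plugin files into the running audit, both should be quoted: `if SafePerms "${PLUGINFILE}"; then` and `. "${PLUGINFILE}"`. The `if` block opened on the first line continues past the end of this hunk.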