Merge pull request #4713 from matejak/minor_fixes
Minor fixes
jan-cerny committed Aug 14, 2019
2 parents ecf9684 + 33b9bdc commit 88ed487
Showing 12 changed files with 22 additions and 25 deletions.
Expand Up @@ -3,7 +3,7 @@
{{%- if product == "rhel6" -%}}
sed -i --follow-symlinks '/pam_limits.so/a session\t required\t pam_lastlog.so showfailed' /etc/pam.d/system-auth
{{% else %}}
if $(grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin) ; then
if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin; then
sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi

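Review bot: The pattern handed to `grep -q` on the rewritten line leaves the dot in `pam_lastlog.so` unescaped, so it matches any character; `grep -q '^session.*pam_lastlog\.so' /etc/pam.d/postlogin` pins it to the literal module name, and the `sed` address on the next line has the same issue, `"/pam_lastlog\.so/d"`. The `{{% if %}}`/`{{% else %}}` lines are template directives and the remainder of the template is outside the hunk.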
Expand Up @@ -4,10 +4,8 @@
# complexity = low
# disruption = low

. /usr/share/scap-security-guide/remediation_functions

PKCSSW=$(/usr/bin/pkcs11-switch)

if ! [[ ${PKCSSW} -eq "opensc" ]] ; then
if [ ${PKCSSW} != "opensc" ] ; then
${PKCSSW} opensc
fi
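Review bot: `${PKCSSW} opensc` on the last line of the hunk executes the output of `/usr/bin/pkcs11-switch` as a command, while the new test on the line above treats that same output as a module name to compare with `opensc`; presumably the intent is to switch the module, i.e. `/usr/bin/pkcs11-switch opensc`. The variable is also unquoted in the new `[ ... ]` test, so an empty output (a failed `pkcs11-switch`) turns into a `[ != opensc ]` syntax error instead of a false result; `if [ "${PKCSSW}" != "opensc" ]; then` avoids that. The `PKCSSW=$(...)` assignment above is unchecked as well, which is worth an `|| exit 1` given that the rest of the script acts on its value.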
Expand Up @@ -5,7 +5,7 @@

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
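Review bot: The rewritten `RULE_ARCHS` line keeps the `cmd && a || b` form for what is really an if/else; it works only because an array assignment cannot fail, and reads more clearly as `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi`. The same line is changed identically in the next three sections, so this applies to each of them. Separately, `getconf LONG_BIT` reports the userland ABI of the C library rather than the kernel, so a 32-bit userspace on a 64-bit kernel would get only `b32` rules while 64-bit syscalls remain reachable — an inference about the deployment model, worth confirming against what these audit rules are meant to cover.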
Expand Up @@ -5,7 +5,7 @@

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
Expand Up @@ -5,7 +5,7 @@

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
Expand Up @@ -5,7 +5,7 @@

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
Expand Up @@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions

# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv
if [ $(getconf LONG_BIT) = "32" ] ; then
if [ "$(getconf LONG_BIT)" = "32" ] ; then
#
# Set runtime for kernel.exec-shield
#
Expand All @@ -15,11 +15,11 @@ if [ $(getconf LONG_BIT) = "32" ] ; then
replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' '@CCENUM@'
fi

if [ $(getconf LONG_BIT) = "64" ] ; then
if [ "$(getconf LONG_BIT)" = "64" ] ; then
if grep --silent noexec /boot/grub2/grub*.cfg ; then
sed -i "s/noexec.*//g" /etc/default/grub
sed -i "s/noexec.*//g" /etc/grub.d/*
GRUBCFG=`ls | grep '.cfg$'`
grub2-mkconfig -o /boot/grub2/$GRUBCFG
grub2-mkconfig -o "/boot/grub2/$GRUBCFG"
fi
fi
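Review bot: The quoting added on the `grub2-mkconfig` line does not address where `GRUBCFG` comes from: `GRUBCFG=\`ls | grep '.cfg$'\`` lists the current working directory rather than `/boot/grub2`, the dot in the pattern is unescaped, and more than one match would yield a newline-separated value that the quoted path then turns into a single bogus filename. If the intent is to regenerate every config under `/boot/grub2`, `for GRUBCFG in /boot/grub2/*.cfg; do grub2-mkconfig -o "$GRUBCFG"; done` does that without parsing `ls`; confirm against the platforms named in the comment at the top of the section. Wherever the assignment is kept, backticks should give way to `$(...)`.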
13 changes: 7 additions & 6 deletions shared/bash_remediation_functions/fix_audit_syscall_rule.sh
Expand Up @@ -74,7 +74,7 @@ then
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' )
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
Expand All @@ -89,16 +89,17 @@ then
fi
for match in "${matches[@]}"
do
files_to_inspect=("${files_to_inspect[@]}" "${match}")
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
files_to_inspect="/etc/audit/rules.d/$key.rules"
if [ ! -e "$files_to_inspect" ]
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$files_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$files_to_inspect"
chmod 0640 "$files_to_inspect"
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
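Review bot: The new `files_to_inspect=("$files_to_inspect")` line reads the old array — known to be empty from the `${#files_to_inspect[@]} -eq 0` test just above it — instead of the freshly assigned `file_to_inspect`, so the array ends up holding a single empty string rather than `/etc/audit/rules.d/$key.rules`; it should read `files_to_inspect=("$file_to_inspect")`. The `touch` and `chmod` lines below do use the right variable, so the rules file is created but then never inspected. The enclosing function and its `if`/`elif` chain start before this hunk.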
Expand Up @@ -30,7 +30,7 @@ function dconf_settings {

if [ ${#SETTINGSFILES[@]} -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || $(echo "" >> ${DCONFFILE})
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[${_path}]" >> ${DCONFFILE}
printf '%s=%s\n' "${_key}" "${_value}" >> ${DCONFFILE}
else
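Review bot: `${DCONFFILE}` stays unquoted on the rewritten line, so an empty value reduces the test to `[ ! -z ]` and the fallback becomes `echo "" >>` with no target; quote it as `[ ! -z "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"`. The condition also checks whether the variable is non-empty rather than whether the file exists, which is what an append fallback would normally guard — presumably `[ -e "${DCONFFILE}" ]` was intended; confirm against the rest of `dconf_settings`, which starts before the hunk. The two `printf ... >> ${DCONFFILE}` lines below carry the same unquoted expansion.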
Expand Up @@ -8,7 +8,7 @@ function include_mount_options_functions {
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
_vfstype_points=($(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}'))
readarray -t _vfstype_points < <(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}')

for _vfstype_point in "${_vfstype_points[@]}"
do
Expand All @@ -25,13 +25,13 @@ function ensure_mount_option_in_fstab {
local _mount_point_match_regexp="" _previous_mount_opts=""
_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

if [ $(grep -c "$_mount_point_match_regexp" /etc/fstab ) -eq 0 ]; then
if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
# runtime opts without some automatic kernel/userspace-added defaults
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
elif [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then
elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
fi
Expand All @@ -54,7 +54,7 @@ function assert_mount_point_in_fstab {
function remove_defaults_from_fstab_if_overriden {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
if $(grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,")
if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
then
sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
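Review bot: The `elif` test rewritten in the second hunk counts `$_new_opt` as a substring, so asking for `exec` or `dev` is satisfied by an existing `noexec` or `nodev` and the option is never appended; `grep -cw -- "$_new_opt"` matches the option as a whole word, with `,` and `=` acting as boundaries. The `sed` on the following line interpolates `_new_opt` and `_previous_mount_opts` into its regex unescaped, so a value containing `|` or `.` would need escaping — an assumption about what rule authors pass, worth confirming. `ensure_mount_option_in_fstab` starts before the hunk.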
Expand Up @@ -122,8 +122,7 @@ do
# Select all other SUID/SGID binaries possibly also present in the found rule

readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")

handled_sbinaries=(${handled_sbinaries[@]//-F path=/})
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")

# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
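Review bot: The merge on the last line of the hunk deduplicates with `sort -du`, and `-d` compares only blanks and alphanumerics, so two distinct paths that differ only in `/`, `.` or `-` (a hyphenated and an unhyphenated binary name, say) compare equal and `-u` drops one of them from the skip list; `LC_ALL=C sort -u` keeps every distinct path. The `for ... echo` loop feeding it can be `printf '%s\n' "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"`, which also avoids `echo` interpreting a value. The surrounding `do` loop starts before the hunk.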
1 change: 0 additions & 1 deletion ssg/yaml.py
Expand Up @@ -183,7 +183,6 @@ def _str_representer(dumper, data):
return stream.write(formatted_yaml)
else:
return formatted_yaml
return yaml.dump(data, stream, OrderedDumper, **kwds)


def _strings_to_list(one_or_more_strings):
