forked from ComplianceAsCode/content
Shellcheck #26
Open
ggbecker wants to merge 13 commits into master from shellcheck
Conversation
We have snippets, not scripts; shebangs should be added by scanners.
Certain checks can be performed at expansion time rather than at execution time
Before, the dollar got double-escaped, because, as it is initially escaped for the shell, the regex escape process escaped the escape and the dollar as well.
- Correct examination of array length
- Removal of unused variable
- Proper array quoting
- Proper array concatenation
pam pwhistory remember remediations were almost the same, so they got a macro.
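The shell pitfalls these commits remove, each next to its corrected form, as an added example that is not part of this PR or of ComplianceAsCode/content; the function names and the inline sample config lines are constructed for the demonstration:

```bash
#!/usr/bin/env bash
# Added example, not code from this PR or from ComplianceAsCode/content.
# Each pair shows a shell pattern the PR removes next to its corrected form.
# Function names and sample inputs are constructed for the demonstration.

# --- 1. Numeric comparison inside [ ] -------------------------------------
# Old form: inside [ ], '>' is a redirection. The test degenerates to
# '[ "$1" ]' (true for any non-empty string) and a stray file named "1"
# is created in the working directory. Run in a scratch dir to show both.
old_gt_one() {
    local dir rc
    dir=$(mktemp -d)
    ( cd "$dir" && [ "$1" > 1 ] )
    rc=$?
    if [ -e "$dir/1" ]; then
        printf 'old_gt_one: stray file %s/1 was created\n' "$dir" >&2
    fi
    rm -rf "$dir"
    return "$rc"
}
# Fixed form: -gt compares integers; ${1:-0} keeps an empty count from
# turning into an "integer expression expected" error.
new_gt_one() {
    [ "${1:-0}" -gt 1 ]
}

# --- 2. "Is this array non-empty?" ---------------------------------------
# Old form: [[ $arr ]] expands only element 0, so an array whose first
# element is empty looks empty even when it holds more elements.
array_nonempty_old() {
    local -a a=("$@")
    [[ ${a} ]]
}
# Fixed form: ${#a[@]} is the element count.
array_nonempty_new() {
    local -a a=("$@")
    [ "${#a[@]}" -gt 0 ]
}

# --- 3. "Append the option unless it is already there" ------------------
# Old form: grep -q prints nothing, so $(...) is empty and the test becomes
# '[ ! ]', which is true whatever the file contains; the option would be
# appended on every run. $1 is the file content (constructed), $2 the option.
needs_append_old() {
    [ ! $(printf '%s\n' "$1" | grep -q "^[[:space:]]*$2") ]
}
# Fixed form: test grep's exit status directly.
needs_append_new() {
    ! printf '%s\n' "$1" | grep -q "^[[:space:]]*$2"
}

# Stand-alone run: prints one line per check.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    old_gt_one 0 2>/dev/null  && echo 'old: count 0 "is" > 1'
    new_gt_one 0              || echo 'new: count 0 is not > 1'
    array_nonempty_old "" "x" || echo 'old: ("" "x") "is" empty'
    array_nonempty_new "" "x" && echo 'new: ("" "x") is non-empty'
    needs_append_old 'local_users_only' local_users_only && echo 'old: would append a duplicate'
    needs_append_new 'local_users_only' local_users_only || echo 'new: already present, skip'
fi
```

The third pair is the one to watch in the datastream diff below: the `[ ! $(grep -q ...) ]` form is moved by the PR but not rewritten, and it appends unconditionally.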
This datastream diff is auto-generated by the check (trimmed).
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,15 @@
var_password_pam_remember_control_flag=''
+
pamFile="/etc/pam.d/password-auth"
# control required is for rhel8, while requisite is for other distros
CONTROL=${var_password_pam_remember_control_flag}
if [ ! -f $pamFile ]; then
- continue
-fi
-
+ true # indeed don't do anything
# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
+elif grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
# is the remember option set?
option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
if [[ -z $option ]]; then
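Review bot: the `true # indeed don't do anything` branch exists only so the file-missing case no longer reaches `continue` outside a loop; the same logic reads better inverted, `if [ -f "$pamFile" ]; then` wrapping the `grep` check, which drops the no-op branch and its comment. While on these lines, quote `"$pamFile"` in `[ ! -f $pamFile ]` and in the `grep`/`sed` calls (SC2086); the value is a fixed path in this expansion, but the commit message says the snippet is now a macro instantiated with several values. The blank line added after `var_password_pam_remember_control_flag=''` is harmless template whitespace.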
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,15 @@
var_password_pam_remember_control_flag=''
+
pamFile="/etc/pam.d/system-auth"
# control required is for rhel8, while requisite is for other distros
CONTROL=${var_password_pam_remember_control_flag}
if [ ! -f $pamFile ]; then
- continue
-fi
-
+ true # indeed don't do anything
# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
+elif grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
# is the remember option set?
option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
if [[ -z $option ]]; then
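Review bot: same restructuring and same unquoted `$pamFile` as in the password-auth hunk above; since both expansions now come from one macro, a fix applied there lands here as well.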
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -8,8 +8,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
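Review bot: `-gt` is the important fix here: inside `[ ]`, `> 1` was parsed as a redirection, so the old test succeeded for any non-empty count and also created a file named `1` in the working directory. Two follow-ups on the same lines: quote the substitutions, `[ "$(grep -c "^\s*auth.*pam_unix.so" "$SYSTEM_AUTH")" -gt 1 ]`, so a missing file gives a clear integer error rather than `unary operator expected`; and after `echo "Skipping remediation ..."` the `false` is followed directly by `fi`, so as far as these lines show nothing stops the rest of the snippet from running. The `faillock_enforce_local` hunk below moves the remaining work into an `else` branch; do the same here.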
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -5,8 +5,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
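Review bot: same change and same caveats as the `faillock_deny` hunk above: `-gt` replaces a redirection masquerading as a comparison, the `$(grep -c ...)` results are still unquoted, and `false` followed by `fi` does not prevent whatever follows from executing.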
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,16 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
+else
+ if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]; then
+ echo "local_users_only" >> $FAILLOCK_CONF
+ fi
+ authselect enable-feature with-faillock
fi
-
-if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]; then
- echo "local_users_only" >> $FAILLOCK_CONF
-fi
-authselect enable-feature with-faillock
else
>&2 echo 'Remediation is not applicable, nothing was done'
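Review bot: the moved `if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]` is still wrong: `grep -q` prints nothing, so the test collapses to `[ ! ]`, which is true for any file content, and `local_users_only` is appended on every run, including when it is already present. Replace it with `if ! grep -q '^\s*local_users_only' "$FAILLOCK_CONF"; then`. Wrapping the remaining work in `else` is the right fix for the `false`-then-continue problem in the other faillock hunks; they should get the same treatment.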
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -4,17 +4,18 @@
var_accounts_passwords_pam_faillock_fail_interval=''
+
+
+
SYSTEM_AUTH="/etc/pam.d/system-auth"
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
-fi
-
-if [ -f $FAILLOCK_CONF ]; then
+elif [ -f $FAILLOCK_CONF ]; then
if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then
sed -i --follow-symlinks "s/^\s*\(fail_interval\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_fail_interval/g" $FAILLOCK_CONF
else
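Review bot: `if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then` only works because bash gives an empty command the exit status of its last command substitution; write it as `if grep -q '^\s*fail_interval\s*=' "$FAILLOCK_CONF"; then` (SC2091). The three blank lines added after `var_accounts_passwords_pam_faillock_fail_interval=''` look like leftover whitespace from the template expansion. Chaining `elif [ -f $FAILLOCK_CONF ]` onto the pam_unix.so check is the right fix for the `false`/`fi` issue, though `$FAILLOCK_CONF` should be quoted there too.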
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -8,8 +8,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
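Review bot: as with `faillock_deny` and `faillock_deny_root`: correct `-gt` fix, unquoted `$(grep -c ...)` operands, and `false` followed by `fi` leaves the rest of the snippet running.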
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,3 @@
-#!/bin/bash
-
var_accounts_maximum_age_login_defs=''
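Review bot: dropping `#!/bin/bash` matches the commit message (snippets, not scripts), but the snippets remain bash-specific (the audit hunks below use `[[ ]]` and arrays), so the scanner that prepends the shebang must select bash rather than `sh`.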
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,3 @@
-#!/bin/bash
-
var_accounts_minimum_age_login_defs=''
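Review bot: same shebang removal as in `accounts_password_set_max_life_existing`; same note about the scanner having to run the snippet under bash.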
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,3 @@
-#!/bin/bash
# uncomment the option if commented
sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
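Review bot: shebang removal only; the `sed ... -i /etc/pam.d/su` line is untouched. Style point: putting `-i` after the script works with GNU sed, but `sed -i '...' /etc/pam.d/su` is the conventional order and is what the other remediations use.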
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
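Review bot: removing `append_expected_rule=0` is safe only if nothing later in the macro reads it; the context shown has no consumer and the unused-variable warning (SC2034) backs the commit message, but a grep of the macro source for `append_expected_rule` before merge would confirm it.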
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
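Review bot: `[ "${#candidate_rules[@]}" -gt 0 ]` is the right test: `[[ $candidate_rules ]]` expanded only element 0, so an array whose first element was empty or unset counted as "no candidate rule" even when it held rules, and `skip` stayed 1. The same reasoning applies to the `syscall_a` hunk that follows.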
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
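Review bot: same fix for `syscall_a`, and the loop `for syscall in "${syscall_a[@]}"` already iterates the array with proper quoting, so the count test and the loop now agree on what "non-empty" means.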
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
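Review bot: the `default_file="/etc/audit/audit.rules"` context shows this is a second expansion of the same macro inside one remediation; the hunks from here to the end of this rule repeat the three above (unused `append_expected_rule`, `${#candidate_rules[@]}`, `${#syscall_a[@]}`) and the comments there apply unchanged.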
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
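Review bot: from this rule on, every `audit_rules_*` remediation carries the same three-hunk set twice (once per audit file); the comments on the `audit_rules_etc_group_open` hunks above apply to each of them, and they need no separate review beyond confirming the hunks are identical, which they are.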
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -220,9 +217,6 @@
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
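Review bot: this expansion removes the blank line before `# After converting to jinja ...` together with the `append_expected_rule` lines, whereas the other rules keep it; the difference is only whitespace, but it suggests two slightly different macro templates are in play, which is worth reconciling so the generated snippets stay byte-for-byte comparable across rules.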
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -403,9 +397,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -468,7 +459,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -488,7 +479,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -561,9 +552,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -626,7 +614,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -646,7 +634,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
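Review bot: the four hunk shapes above (unused `append_expected_rule` removed, two array-length tests) recur unchanged for every `audit_rules_*` and `directory_access_var_log_audit` rule that follows, because they are expansions of the same audit-rule macro; the review comments on the first occurrence apply to all of them and the fix, if any, belongs in the macro source, not in the rendered datastream.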
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs:
--- old datastream
+++ new datastream
@@ -57,9 +57,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -122,7 +119,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -142,7 +139,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -215,9 +212,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -280,7 +274,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -300,7 +294,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -630,7 +618,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -650,7 +638,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -630,7 +618,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -650,7 +638,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule in
... The diff is trimmed here ...
ggbecker force-pushed the master branch 5 times, most recently from cc3c311 to b458149 on January 27, 2022 16:55
ggbecker force-pushed the master branch 6 times, most recently from 5a5f615 to eb1448b on January 28, 2022 13:47
ggbecker force-pushed the master branch 7 times, most recently from 8340246 to 0f01c90 on February 4, 2022 18:41
ggbecker force-pushed the master branch 11 times, most recently from e767c23 to a9a7d66 on February 10, 2022 15:28
This was referenced Jun 28, 2022
Description:
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes # Issue number here (e.g. Shellcheck #26) or remove this line if no issue exists.