

PE-5714 : Fixed shellcheck related issues.
* PE5714 

* PE5714
rajeshfrontline authored Jan 9, 2025
1 parent 19f038e commit 28137d8
Showing 7 changed files with 58 additions and 54 deletions.
54 changes: 29 additions & 25 deletions cis-harden/harden.sh
Expand Up @@ -6,8 +6,8 @@
#


root_dir="$( cd "$( dirname $0 )" && pwd )"
echo Root dir $root_dir
root_dir="$( cd "$( dirname "$0" )" && pwd )"
echo Root dir "$root_dir"


##########################################################################
Expand All @@ -21,7 +21,7 @@ check_error()

if [[ ${status} -ne 0 ]]; then
echo -e "\033[31m - ${msg} \033[0m"
exit ${exit_status}
exit "${exit_status}"
fi

return 0
Expand All @@ -40,10 +40,10 @@ update_config_files() {
check_error 1 "File ${config_file} not found"
fi

sed -i "s/^\($search_str.*\)$/#\1/" ${config_file}
sed -i "s/^\($search_str.*\)$/#\1/" "${config_file}"
check_error $? "Failed commenting config value $search_str." 1

echo "$append_str" >> ${config_file}
echo "$append_str" >> "${config_file}"
check_error $? "Failed appending config value $append_str" 1

return 0
Expand Down Expand Up @@ -109,7 +109,7 @@ upgrade_packages() {
apt-get -y upgrade
check_error $? "Failed upgrading packages" 1
apt-get install -y auditd apparmor-utils libpam-pwquality
if [[ $? -ne 0 ]]; then
if $? -ne 0 ; then
echo 'deb http://archive.ubuntu.com/ubuntu focal main restricted' > /etc/apt/sources.list.d/repotmp.list
apt-get update
apt-get install -y auditd apparmor-utils libpam-pwquality
Expand Down Expand Up @@ -516,7 +516,7 @@ harden_system() {

echo "Error out if there are users with empty password"
cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
if [[ $? -ne 0 ]]; then
if $? -ne 0 ; then
echo "Users present with empty password. Remove the user or set password for the users"
exit 1
fi
Expand All @@ -529,15 +529,15 @@ harden_system() {
fi

echo "Fix permission of all cron files"
for each in `echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab`
do
if [[ -e ${each} ]]; then
stat -L -c "%a %u %g" ${each} | egrep ".00 0 0"
if [[ $? -ne 0 ]]; then
chown root:root ${each}
chmod og-rwx ${each}
cron_files="/etc/etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab"
for each in ${cron_files}; do
if [[ -e ${each} ]]; then
stat -L -c "%a %u %g" "${each}" | grep -E ".00 0 0"
if $? -ne 0 ; then
chown root:root "${each}"
chmod og-rwx "${each}"
fi
fi
fi
done

echo "Remove cron and at deny files and have allow files in place"
Expand Down Expand Up @@ -821,12 +821,14 @@ harden_auth() {
# Backup the original file
cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak

echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" > /etc/pam.d/common-auth
echo "auth [success=1 default=ignore] pam_unix.so nullok" >> /etc/pam.d/common-auth
echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
echo "auth requisite pam_deny.so" >> /etc/pam.d/common-auth
echo "auth required pam_permit.so" >> /etc/pam.d/common-auth
{
echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600"
echo "auth [success=1 default=ignore] pam_unix.so nullok"
echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600"
echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600"
echo "auth requisite pam_deny.so"
echo "auth required pam_permit.so"
} >> /etc/pam.d/common-auth

# Backup the original file
cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
Expand All @@ -838,10 +840,12 @@ harden_auth() {
# Backup the original file
cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

echo "password requisite pam_pwquality.so retry=3" > /etc/pam.d/common-password
echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5" >> /etc/pam.d/common-password
echo "password requisite pam_deny.so" >> /etc/pam.d/common-password
echo "password required pam_permit.so" >> /etc/pam.d/common-password
{
echo "password requisite pam_pwquality.so retry=3"
echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5"
echo "password requisite pam_deny.so"
echo "password required pam_permit.so"
} >> /etc/pam.d/common-password

#####################Password expiry policy#################

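Review bot: `if $? -ne 0 ; then` (replacing `if [[ $? -ne 0 ]]; then` in the empty-password check, and the same rewrite in the apt fallback of `upgrade_packages` and in the cron-permission loop) no longer tests an exit status — it executes a command named `0` or `1`, which fails with "command not found", so the condition is always false and the `exit 1` for users with empty passwords, the temporary apt repo and the `chown`/`chmod` of cron files are now unreachable. Test the command directly instead: `if ! awk -F: '($2 == ""){ exit 1 }' /etc/shadow; then` for the shadow check and `if ! stat -L -c "%a %u %g" "${each}" | grep -qE ".00 0 0"; then` in the cron loop. In the same function the new `cron_files` list spells its first entry `/etc/etc/cron.daily`, so `/etc/cron.daily` silently fails the `-e` test and is never fixed. In `harden_auth`, grouping the `echo`s turned the first redirection from `>` into `>>`, so the faillock and pwquality stacks are appended after whatever `common-auth` and `common-password` already contain rather than replacing it, and every run appends another copy; the groups should redirect with `> /etc/pam.d/common-auth` and `> /etc/pam.d/common-password` to keep the original truncate-and-rewrite. `upgrade_packages`, `harden_system` and `harden_auth` all start and end outside the hunks shown.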
42 changes: 21 additions & 21 deletions earthly.sh
Expand Up @@ -18,17 +18,17 @@ function build_with_proxy() {
--rm -t \
-e GLOBAL_CONFIG="$global_config" \
-e BUILDKIT_TCP_TRANSPORT_ENABLED=true \
-e http_proxy=$HTTP_PROXY \
-e https_proxy=$HTTPS_PROXY \
-e HTTPS_PROXY=$HTTPS_PROXY \
-e HTTP_PROXY=$HTTP_PROXY \
-e NO_PROXY=$NO_PROXY \
-e no_proxy=$NO_PROXY \
-e EARTHLY_GIT_CONFIG=$gitconfig \
-e http_proxy="$HTTP_PROXY" \
-e https_proxy="$HTTPS_PROXY" \
-e HTTPS_PROXY="$HTTPS_PROXY" \
-e HTTP_PROXY="$HTTP_PROXY" \
-e NO_PROXY="$NO_PROXY" \
-e no_proxy="$NO_PROXY" \
-e EARTHLY_GIT_CONFIG="$gitconfig" \
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
-v earthly-tmp:/tmp/earthly:rw \
-p 8372:8372 \
$SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
"$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:"$EARTHLY_VERSION"
# Update the CA certificates in the container
docker exec -it earthly-buildkitd update-ca-certificates

Expand All @@ -40,21 +40,21 @@ function build_with_proxy() {
-e GLOBAL_CONFIG="$global_config" \
-e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 \
-e BUILDKIT_TLS_ENABLED=false \
-e http_proxy=$HTTP_PROXY \
-e https_proxy=$HTTPS_PROXY \
-e HTTPS_PROXY=$HTTPS_PROXY \
-e HTTP_PROXY=$HTTP_PROXY \
-e NO_PROXY=$NO_PROXY \
-e no_proxy=$NO_PROXY \
-e http_proxy="$HTTP_PROXY" \
-e https_proxy="$HTTPS_PROXY" \
-e HTTPS_PROXY="$HTTPS_PROXY" \
-e HTTP_PROXY="$HTTP_PROXY" \
-e NO_PROXY="$NO_PROXY" \
-e no_proxy="$NO_PROXY" \
-v "$(pwd)":/workspace \
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
--entrypoint /workspace/earthly-entrypoint.sh \
$SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
"$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION" --allow-privileged "$@"
}

function build_without_proxy() {
# Run Earthly in Docker to create artifacts Variables are passed from the .arg file
docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION" --allow-privileged "$@"
}

function print_os_pack() {
Expand Down Expand Up @@ -111,7 +111,7 @@ else
echo "Docker not found. Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker."
fi
# Check if the current user has permission to run privileged containers
if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then
if ! docker run --rm --privileged "$ALPINE_IMG" sh -c 'echo "Privileged container test"' &>/dev/null; then
echo "Privileged containers are not allowed for the current user."
exit 1
fi
Expand All @@ -122,17 +122,17 @@ else
fi

# Verify the command was successful
if [ $? -ne 0 ]; then
if $? -ne 0 ; then
echo "An error occurred while running the command."
exit 1
fi
# Cleanup builder helper images.
docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION
docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION"
if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "true" ]; then
docker stop earthly-buildkitd
fi
docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
docker rmi $ALPINE_IMG
docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:"$EARTHLY_VERSION" 2>/dev/null
docker rmi "$ALPINE_IMG"

if [[ "$1" == "+uki-genkey" ]]; then
./keys.sh secure-boot/
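Review bot: `if $? -ne 0 ; then` after the build `if/else` no longer tests the exit status: it runs a command named `0` or `1`, which fails with "command not found", so the guard is always false and a failed Earthly build falls through to the `docker rmi` cleanup and the script exits successfully. Either restore the test — `# shellcheck disable=SC2181` followed by `if [[ $? -ne 0 ]]; then` — or, better, make the branch that calls `build_with_proxy`/`build_without_proxy` (it starts before this hunk) use `if ! build_with_proxy "$@"; then` so the status is checked where the command runs. The enclosing top-level block starts outside the hunk.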
4 changes: 2 additions & 2 deletions hack/launch-qemu.sh
Expand Up @@ -13,8 +13,8 @@ qemu-system-x86_64 \
-cpu "${CPU:=host}" \
-nographic \
-spice port=9000,addr=127.0.0.1,disable-ticketing=yes \
-m ${MEMORY:=10096} \
-smp ${CORES:=5} \
-m "${MEMORY:=10096}" \
-smp "${CORES:=5}" \
-monitor unix:/tmp/qemu-monitor.sock,server=on,wait=off \
-serial mon:stdio \
-rtc base=utc,clock=rt \
2 changes: 1 addition & 1 deletion overlay/files/opt/spectrocloud/bin/check-disk-size.sh
Expand Up @@ -6,7 +6,7 @@ REQUIRED_FREE_DISK=$1

FREE=$(df -h --output=pcent /var/ | tail -n 1 | tr -d '\% ')

if (( $FREE < $REQUIRED_FREE_DISK )); then
if (( "${FREE}" < "${REQUIRED_FREE_DISK}" )); then
echo "Not enough free disk, required: $1. Free: $FREE"
exit 1
fi
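Review bot: The `$` and double quotes inside `(( … ))` are unnecessary and make the comparison harder to read; `if (( FREE < REQUIRED_FREE_DISK )); then` is the idiomatic form and is what shellcheck's SC2004 points at. Neither form guards an empty `$1`: with the quoted form an empty `REQUIRED_FREE_DISK` produces an arithmetic syntax error, while with bare names it evaluates as 0 and the check silently passes, so a guard such as `: "${REQUIRED_FREE_DISK:?usage: $0 <percent>}"` next to the assignment (just outside this hunk) would make the script fail loudly instead. Separately, `df --output=pcent` reports the used percentage, so `FREE` appears to carry the opposite sense from its name and from the "Not enough free disk" message — that predates this commit but is worth confirming with the caller.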
4 changes: 2 additions & 2 deletions rhel-fips/build.sh
Expand Up @@ -6,12 +6,12 @@ PASSWORD=$2
BASE_IMAGE="${3:-rhel-byoi-fips}"

# Build the container image
docker build --build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD -t $BASE_IMAGE .
docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" .

docker run -v "$PWD"/build:/tmp/auroraboot \
-v /var/run/docker.sock:/var/run/docker.sock \
--rm quay.io/kairos/auroraboot \
--set container_image=docker://$BASE_IMAGE \
--set container_image=docker://"$BASE_IMAGE" \
--set "disable_http_server=true" \
--set "disable_netboot=true" \
--set "state_dir=/tmp/auroraboot"
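Review bot: Quoting `$PASSWORD` does not change that it is still passed as `--build-arg PASSWORD=…`, which records the credential in the image's layer metadata (visible via `docker history`/`docker inspect` on any host that pulls the image) and exposes it on the local `docker build` command line. The sibling `ubuntu-fips/build.sh` in this same commit already uses a BuildKit secret (`--secret id=pro-attach-config,src=…`); the same pattern fits here, e.g. `DOCKER_BUILDKIT=1 docker build --build-arg USERNAME="$USERNAME" --secret id=rhel-password,src="$PASSWORD_FILE" -t "$BASE_IMAGE" .`, with the Dockerfile (not in this diff) consuming it through `RUN --mount=type=secret,id=rhel-password`. Taking the password from argv (`PASSWORD=$2`) also leaves it readable by other local users via `ps` while the script runs, which is why a file or stdin is preferable.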
2 changes: 1 addition & 1 deletion test/test-two-node.sh
Expand Up @@ -48,7 +48,7 @@ function init_globals() {

if [ -n "$REPLACEMENT_HOST" ]; then
export HOST_3="tn3-$HOST_SUFFIX"
vm_array+=($HOST_3)
vm_array+=("$HOST_3")
echo "Added replacement VM: $HOST_3"
fi
}
4 changes: 2 additions & 2 deletions ubuntu-fips/build.sh
@@ -1,4 +1,4 @@
BASE_IMAGE="${1:-ubuntu-focal-fips}"

DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t $BASE_IMAGE
docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://$BASE_IMAGE --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t "$BASE_IMAGE"
docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://"$BASE_IMAGE" --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"

