PE-5714

cis-harden/harden.sh

@@ -6,8 +6,8 @@
 #
 
 
-root_dir="$( cd "$( dirname $0 )" && pwd )"
-echo Root dir $root_dir
+root_dir="$( cd "$( dirname "$0" )" && pwd )"
+echo Root dir "$root_dir"
 
 
 ##########################################################################
@@ -21,7 +21,7 @@ check_error()
 
 	if [[ ${status} -ne 0 ]]; then
 		echo -e "\033[31m       - ${msg} \033[0m"
-		exit ${exit_status}
+		exit "${exit_status}"
 	fi
 
 	return 0
@@ -40,10 +40,10 @@ update_config_files() {
 		check_error 1 "File ${config_file} not found"
 	fi
 
-	sed -i "s/^\($search_str.*\)$/#\1/"  ${config_file}
+	sed -i "s/^\($search_str.*\)$/#\1/"  "${config_file}"
 	check_error $? "Failed commenting config value $search_str." 1
 
-	echo "$append_str" >> ${config_file}
+	echo "$append_str" >> "${config_file}"
 	check_error $? "Failed appending config value $append_str" 1
 
 	return 0
@@ -109,7 +109,7 @@ upgrade_packages() {
 		apt-get -y upgrade
 		check_error $? "Failed upgrading packages" 1
 		apt-get install -y auditd apparmor-utils libpam-pwquality
-		if [[ $? -ne 0 ]]; then
+		if $? -ne 0 ; then
 			echo 'deb http://archive.ubuntu.com/ubuntu focal main restricted' > /etc/apt/sources.list.d/repotmp.list
 			apt-get update
 			apt-get install -y auditd apparmor-utils libpam-pwquality
@@ -516,8 +516,8 @@ harden_system() {
 
 	echo "Error out if there are users with empty password"
 	cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
-	if [[ $? -ne 0 ]]; then
-		echo "Users present with empty password. Remove the user or set password for the users"
+	if  $? -ne 0 ; then
+		echo "Users present with empty password. Remove the user or set pasword for the users"
 		exit 1
 	fi
 
@@ -529,18 +529,18 @@ harden_system() {
 	fi
 
 	echo "Fix permission of all cron files"
-	for each in `echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab`
+	for each in echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab
 	do
 	if [[ -e ${each} ]]; then
-		stat -L -c "%a %u %g" ${each} | egrep ".00 0 0"
-		if [[ $? -ne 0 ]]; then
-			chown root:root ${each}
-			chmod og-rwx ${each}
+		stat -L -c "%a %u %g" "${each}" | grep -E ".00 0 0"
+		if  $? -ne 0 ; then
+			chown root:root "${each}"
+			chmod og-rwx "${each}"
 		fi
 	fi
 	done
 
-	echo "Remove cron and at deny files and have allow files in place"
+	echo "Remove cron and at deny files anf have allow files in place"
 	rm -f /etc/cron.deny
 	rm -f /etc/at.deny
 	touch /etc/cron.allow
@@ -821,12 +821,14 @@ harden_auth() {
 	# Backup the original file
 	cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
 
-	echo "auth required                   pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" > /etc/pam.d/common-auth
-	echo "auth [success=1 default=ignore] pam_unix.so nullok" >> /etc/pam.d/common-auth
-	echo "auth [default=die]              pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
-	echo "auth sufficient                 pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
-	echo "auth requisite                  pam_deny.so" >> /etc/pam.d/common-auth
-	echo "auth required                   pam_permit.so" >> /etc/pam.d/common-auth
+	{
+	  echo "auth required                   pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600"
+	  echo "auth [success=1;default=ignore] pam_unix.so nullok"
+	  echo "auth [default=die]              pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600"
+	  echo "auth sufficient                 pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600"
+	  echo "auth requisite                  pam_deny.so"
+	  echo "auth required                   pam_permit.so"
+	} > /etc/pam.d/common-auth
 
 	# Backup the original file
 	cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
@@ -838,10 +840,12 @@ harden_auth() {
 	# Backup the original file
 	cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
 
-	echo "password	requisite			pam_pwquality.so retry=3" > /etc/pam.d/common-password
-	echo "password  [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass remember=5" >> /etc/pam.d/common-password
-	echo "password	requisite			pam_deny.so" >> /etc/pam.d/common-password
-	echo "password	required			pam_permit.so" >> /etc/pam.d/common-password
+	{
+	  echo "password	requisite			pam_pwquality.so retry=3"
+	  echo "password  [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass remember=5"
+	  echo "password	requisite			pam_deny.so"
+	  echo "password	required			pam_permit.so"
+	} > /etc/pam.d/common-password
 
 	#####################Password expiry policy#################
 

earthly.sh

@@ -18,17 +18,17 @@ function build_with_proxy() {
         --rm -t \
         -e GLOBAL_CONFIG="$global_config" \
         -e BUILDKIT_TCP_TRANSPORT_ENABLED=true \
-        -e http_proxy=$HTTP_PROXY \
-        -e https_proxy=$HTTPS_PROXY \
-        -e HTTPS_PROXY=$HTTPS_PROXY \
-        -e HTTP_PROXY=$HTTP_PROXY \
-        -e NO_PROXY=$NO_PROXY \
-        -e no_proxy=$NO_PROXY \
-        -e EARTHLY_GIT_CONFIG=$gitconfig \
-        -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
+        -e http_proxy="$HTTP_PROXY" \
+        -e https_proxy="$HTTPS_PROXY" \
+        -e HTTPS_PROXY="$HTTPS_PROXY" \
+        -e HTTP_PROXY="$HTTP_PROXY" \
+        -e NO_PROXY="$NO_PROXY" \
+        -e no_proxy="$NO_PROXY" \
+        -e EARTHLY_GIT_CONFIG="$gitconfig" \
+        -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" \
         -v earthly-tmp:/tmp/earthly:rw \
         -p 8372:8372 \
-        $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
+        "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
     # Update the CA certificates in the container
     docker exec -it earthly-buildkitd update-ca-certificates
 
@@ -40,21 +40,21 @@ function build_with_proxy() {
         -e GLOBAL_CONFIG="$global_config" \
         -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 \
         -e BUILDKIT_TLS_ENABLED=false \
-        -e http_proxy=$HTTP_PROXY \
-        -e https_proxy=$HTTPS_PROXY \
-        -e HTTPS_PROXY=$HTTPS_PROXY \
-        -e HTTP_PROXY=$HTTP_PROXY \
-        -e NO_PROXY=$NO_PROXY \
-        -e no_proxy=$NO_PROXY \
+        -e http_proxy="$HTTP_PROXY" \
+        -e https_proxy="$HTTPS_PROXY" \
+        -e HTTPS_PROXY="$HTTPS_PROXY" \
+        -e HTTP_PROXY="$HTTP_PROXY" \
+        -e NO_PROXY="$NO_PROXY" \
+        -e no_proxy="$NO_PROXY" \
         -v "$(pwd)":/workspace \
-        -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
+        -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" \
         --entrypoint /workspace/earthly-entrypoint.sh \
-        $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+        "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 
 function build_without_proxy() {
     # Run Earthly in Docker to create artifacts  Variables are passed from the .arg file
-    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 
 function print_os_pack() {
@@ -94,14 +94,6 @@ PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=us-docker.pkg.dev/palette-images
 EARTHLY_VERSION=v0.8.15
 source .arg
-
-# Workaround to support deprecated field PROXY_CERT_PATH
-if [ -n "$PROXY_CERT_PATH" ]; then
-    echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory."
-    echo "Copying the certificates from $PROXY_CERT_PATH to certs/"
-    cp $PROXY_CERT_PATH certs/
-fi
-
 ALPINE_IMG=$SPECTRO_PUB_REPO/edge/canvos/alpine:3.20
 ### Verify Dependencies
 # Check if Docker is installed
@@ -111,28 +103,28 @@ else
     echo "Docker not found.  Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker."
 fi
 # Check if the current user has permission to run privileged containers
-if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then
+if ! docker run --rm --privileged "$ALPINE_IMG" sh -c 'echo "Privileged container test"' &>/dev/null; then
     echo "Privileged containers are not allowed for the current user."
     exit 1
 fi
-if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY" ] && [ -z "$(find certs -type f ! -name '.*' -print -quit)" ]; then
+if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]; then
     build_without_proxy "$@"
 else
     build_with_proxy "$@"
 fi
 
 # Verify the command was successful
-if [ $? -ne 0 ]; then
+if $? -ne 0 ; then
     echo "An error occurred while running the command."
     exit 1
 fi
 # Cleanup builder helper images.
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION
 if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "true" ]; then
     docker stop earthly-buildkitd
 fi
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
-docker rmi $ALPINE_IMG
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
+docker rmi "$ALPINE_IMG"
 
 if [[ "$1" == "+uki-genkey" ]]; then
     ./keys.sh secure-boot/

hack/launch-qemu.sh

@@ -13,8 +13,8 @@ qemu-system-x86_64 \
     -cpu "${CPU:=host}" \
     -nographic \
     -spice port=9000,addr=127.0.0.1,disable-ticketing=yes \
-    -m ${MEMORY:=10096} \
-    -smp ${CORES:=5} \
+    -m "${MEMORY:=10096}" \
+    -smp "${CORES:=5}" \
     -monitor unix:/tmp/qemu-monitor.sock,server=on,wait=off \
     -serial mon:stdio \
     -rtc base=utc,clock=rt \

rhel-fips/build.sh

@@ -6,12 +6,12 @@ PASSWORD=$2
 BASE_IMAGE="${3:-rhel-byoi-fips}"
 
 # Build the container image
-docker build --build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD -t $BASE_IMAGE .
+docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" .
 
 docker run -v "$PWD"/build:/tmp/auroraboot \
         -v /var/run/docker.sock:/var/run/docker.sock \
         --rm quay.io/kairos/auroraboot \
-        --set container_image=docker://$BASE_IMAGE \
+        --set container_image=docker://"$BASE_IMAGE" \
         --set "disable_http_server=true" \
         --set "disable_netboot=true" \
         --set "state_dir=/tmp/auroraboot"

ubuntu-fips/build.sh

@@ -1,4 +1,4 @@
 BASE_IMAGE="${1:-ubuntu-focal-fips}"
 
-DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t $BASE_IMAGE
-docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://$BASE_IMAGE --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
+DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t "BASE_IMAGE"
+docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://"BASE_IMAGE" --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"