spectrocloud · rajeshfrontline · Jan 9, 2025 · Dec 23, 2024 · Dec 24, 2024
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
@@ -6,8 +6,8 @@
 #
 
 
-root_dir="$( cd "$( dirname $0 )" && pwd )"
-echo Root dir $root_dir
+root_dir="$( cd "$( dirname "$0" )" && pwd )"
+echo Root dir "$root_dir"
 
 
 ##########################################################################
@@ -21,7 +21,7 @@ check_error()
 
 	if [[ ${status} -ne 0 ]]; then
 		echo -e "\033[31m       - ${msg} \033[0m"
-		exit ${exit_status}
+		exit "${exit_status}"
 	fi
 
 	return 0
@@ -40,10 +40,10 @@ update_config_files() {
 		check_error 1 "File ${config_file} not found"
 	fi
 
-	sed -i "s/^\($search_str.*\)$/#\1/"  ${config_file}
+	sed -i "s/^\($search_str.*\)$/#\1/"  "${config_file}"
 	check_error $? "Failed commenting config value $search_str." 1
 
-	echo "$append_str" >> ${config_file}
+	echo "$append_str" >> "${config_file}"
 	check_error $? "Failed appending config value $append_str" 1
 
 	return 0
@@ -109,7 +109,7 @@ upgrade_packages() {
 		apt-get -y upgrade
 		check_error $? "Failed upgrading packages" 1
 		apt-get install -y auditd apparmor-utils libpam-pwquality
-		if [[ $? -ne 0 ]]; then
+		if  $? -ne 0 ; then
 			echo 'deb http://archive.ubuntu.com/ubuntu focal main restricted' > /etc/apt/sources.list.d/repotmp.list
 			apt-get update
 			apt-get install -y auditd apparmor-utils libpam-pwquality
@@ -516,7 +516,7 @@ harden_system() {
 
 	echo "Error out if there are users with empty password"
 	cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
-	if [[ $? -ne 0 ]]; then
+	if $? -ne 0 ; then
 		echo "Users present with empty password. Remove the user or set password for the users"
 		exit 1
 	fi
@@ -529,15 +529,15 @@ harden_system() {
 	fi
 
 	echo "Fix permission of all cron files"
-	for each in `echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab`
-	do
-	if [[ -e ${each} ]]; then
-		stat -L -c "%a %u %g" ${each} | egrep ".00 0 0"
-		if [[ $? -ne 0 ]]; then
-			chown root:root ${each}
-			chmod og-rwx ${each}
+	cron_files="/etc/etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab"
+	for each in ${cron_files}; do
+		if [[ -e ${each} ]]; then
+			stat -L -c "%a %u %g" "${each}" | grep -E ".00 0 0"
+			if $? -ne 0 ; then
+				chown root:root "${each}"
+				chmod og-rwx "${each}"
+			fi
 		fi
-	fi
 	done
 
 	echo "Remove cron and at deny files and have allow files in place"
@@ -821,12 +821,14 @@ harden_auth() {
 	# Backup the original file
 	cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
 
-	echo "auth required                   pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" > /etc/pam.d/common-auth
-	echo "auth [success=1 default=ignore] pam_unix.so nullok" >> /etc/pam.d/common-auth
-	echo "auth [default=die]              pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
-	echo "auth sufficient                 pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
-	echo "auth requisite                  pam_deny.so" >> /etc/pam.d/common-auth
-	echo "auth required                   pam_permit.so" >> /etc/pam.d/common-auth
+	{
+		echo "auth required                   pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600"
+		echo "auth [success=1 default=ignore] pam_unix.so nullok"
+		echo "auth [default=die]              pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600"
+		echo "auth sufficient                 pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600"
+		echo "auth requisite                  pam_deny.so"
+		echo "auth required                   pam_permit.so"
+	} >> /etc/pam.d/common-auth
 
 	# Backup the original file
 	cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
@@ -838,10 +840,12 @@ harden_auth() {
 	# Backup the original file
 	cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
 
-	echo "password	requisite			pam_pwquality.so retry=3" > /etc/pam.d/common-password
-	echo "password  [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass remember=5" >> /etc/pam.d/common-password
-	echo "password	requisite			pam_deny.so" >> /etc/pam.d/common-password
-	echo "password	required			pam_permit.so" >> /etc/pam.d/common-password
+	{
+		echo "password requisite pam_pwquality.so retry=3"
+		echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5"
+		echo "password requisite pam_deny.so"
+		echo "password required pam_permit.so"
+	} >> /etc/pam.d/common-password
 
 	#####################Password expiry policy#################
 

diff --git a/earthly.sh b/earthly.sh
@@ -18,17 +18,17 @@ function build_with_proxy() {
         --rm -t \
         -e GLOBAL_CONFIG="$global_config" \
         -e BUILDKIT_TCP_TRANSPORT_ENABLED=true \
-        -e http_proxy=$HTTP_PROXY \
-        -e https_proxy=$HTTPS_PROXY \
-        -e HTTPS_PROXY=$HTTPS_PROXY \
-        -e HTTP_PROXY=$HTTP_PROXY \
-        -e NO_PROXY=$NO_PROXY \
-        -e no_proxy=$NO_PROXY \
-        -e EARTHLY_GIT_CONFIG=$gitconfig \
+        -e http_proxy="$HTTP_PROXY" \
+        -e https_proxy="$HTTPS_PROXY" \
+        -e HTTPS_PROXY="$HTTPS_PROXY" \
+        -e HTTP_PROXY="$HTTP_PROXY" \
+        -e NO_PROXY="$NO_PROXY" \
+        -e no_proxy="$NO_PROXY" \
+        -e EARTHLY_GIT_CONFIG="$gitconfig" \
         -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
         -v earthly-tmp:/tmp/earthly:rw \
         -p 8372:8372 \
-        $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
+        "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:"$EARTHLY_VERSION"
     # Update the CA certificates in the container
     docker exec -it earthly-buildkitd update-ca-certificates
 
@@ -40,21 +40,21 @@ function build_with_proxy() {
         -e GLOBAL_CONFIG="$global_config" \
         -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 \
         -e BUILDKIT_TLS_ENABLED=false \
-        -e http_proxy=$HTTP_PROXY \
-        -e https_proxy=$HTTPS_PROXY \
-        -e HTTPS_PROXY=$HTTPS_PROXY \
-        -e HTTP_PROXY=$HTTP_PROXY \
-        -e NO_PROXY=$NO_PROXY \
-        -e no_proxy=$NO_PROXY \
+        -e http_proxy="$HTTP_PROXY" \
+        -e https_proxy="$HTTPS_PROXY" \
+        -e HTTPS_PROXY="$HTTPS_PROXY" \
+        -e HTTP_PROXY="$HTTP_PROXY" \
+        -e NO_PROXY="$NO_PROXY" \
+        -e no_proxy="$NO_PROXY" \
         -v "$(pwd)":/workspace \
         -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
         --entrypoint /workspace/earthly-entrypoint.sh \
-        $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+        "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION" --allow-privileged "$@"
 }
 
 function build_without_proxy() {
     # Run Earthly in Docker to create artifacts  Variables are passed from the .arg file
-    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION" --allow-privileged "$@"
 }
 
 function print_os_pack() {
@@ -111,7 +111,7 @@ else
     echo "Docker not found.  Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker."
 fi
 # Check if the current user has permission to run privileged containers
-if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then
+if ! docker run --rm --privileged "$ALPINE_IMG" sh -c 'echo "Privileged container test"' &>/dev/null; then
     echo "Privileged containers are not allowed for the current user."
     exit 1
 fi
@@ -122,17 +122,17 @@ else
 fi
 
 # Verify the command was successful
-if [ $? -ne 0 ]; then
+if $? -ne 0 ; then
     echo "An error occurred while running the command."
     exit 1
 fi
 # Cleanup builder helper images.
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:"$EARTHLY_VERSION"
 if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "true" ]; then
     docker stop earthly-buildkitd
 fi
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
-docker rmi $ALPINE_IMG
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:"$EARTHLY_VERSION" 2>/dev/null
+docker rmi "$ALPINE_IMG"
 
 if [[ "$1" == "+uki-genkey" ]]; then
     ./keys.sh secure-boot/

diff --git a/hack/launch-qemu.sh b/hack/launch-qemu.sh
@@ -13,8 +13,8 @@ qemu-system-x86_64 \
     -cpu "${CPU:=host}" \
     -nographic \
     -spice port=9000,addr=127.0.0.1,disable-ticketing=yes \
-    -m ${MEMORY:=10096} \
-    -smp ${CORES:=5} \
+    -m "${MEMORY:=10096}" \
+    -smp "${CORES:=5}" \
     -monitor unix:/tmp/qemu-monitor.sock,server=on,wait=off \
     -serial mon:stdio \
     -rtc base=utc,clock=rt \

diff --git a/overlay/files/opt/spectrocloud/bin/check-disk-size.sh b/overlay/files/opt/spectrocloud/bin/check-disk-size.sh
@@ -6,7 +6,7 @@ REQUIRED_FREE_DISK=$1
 
 FREE=$(df -h --output=pcent /var/ | tail -n 1 | tr -d '\% ')
 
-if (( $FREE < $REQUIRED_FREE_DISK )); then
+if (( "${FREE}" < "${REQUIRED_FREE_DISK}" )); then
    echo "Not enough free disk, required: $1. Free: $FREE"
    exit 1
 fi

diff --git a/rhel-fips/build.sh b/rhel-fips/build.sh
@@ -6,12 +6,12 @@ PASSWORD=$2
 BASE_IMAGE="${3:-rhel-byoi-fips}"
 
 # Build the container image
-docker build --build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD -t $BASE_IMAGE .
+docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" .
 
 docker run -v "$PWD"/build:/tmp/auroraboot \
         -v /var/run/docker.sock:/var/run/docker.sock \
         --rm quay.io/kairos/auroraboot \
-        --set container_image=docker://$BASE_IMAGE \
+        --set container_image=docker://"$BASE_IMAGE" \
         --set "disable_http_server=true" \
         --set "disable_netboot=true" \
         --set "state_dir=/tmp/auroraboot"
diff --git a/test/test-two-node.sh b/test/test-two-node.sh
@@ -48,7 +48,7 @@ function init_globals() {
 
     if [ -n "$REPLACEMENT_HOST" ]; then
         export HOST_3="tn3-$HOST_SUFFIX"
-        vm_array+=($HOST_3)
+        vm_array+=("$HOST_3")
         echo "Added replacement VM: $HOST_3"
     fi
 }

diff --git a/ubuntu-fips/build.sh b/ubuntu-fips/build.sh
@@ -1,4 +1,4 @@
 BASE_IMAGE="${1:-ubuntu-focal-fips}"
 
-DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t $BASE_IMAGE
-docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://$BASE_IMAGE --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
+DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t "$BASE_IMAGE"
+docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://"$BASE_IMAGE" --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"