IMP(shellcheck): replace ! -z by -n (SC2236)
thibaultserti committed Dec 4, 2020
1 parent eaf56ca commit d371b8d
Showing 14 changed files with 29 additions and 30 deletions.
4 changes: 2 additions & 2 deletions bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
Expand Up @@ -22,7 +22,7 @@ audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
Expand All @@ -34,7 +34,7 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
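Review bot: The remediation in apply() pipes `find ... -print` into `xargs chmod a+t`, so a directory whose name contains whitespace is split into several arguments and a name with a quote character makes xargs abort, and that directory keeps its missing sticky bit; the -n cleanup leaves this as it was. NUL-delimiting fixes it without changing anything else on the line: `df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t` (or `-exec chmod a+t {} +` in place of the xargs stage). The same `-print | xargs` shape is in the apply() hunks of 6.1.10 (`xargs chmod o-w`), 6.1.11 (`xargs chown`) and 6.1.12 (`xargs chgrp`). apply() continues past the end of the hunk.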
4 changes: 2 additions & 2 deletions bin/hardening/5.4.2_disable_system_accounts.sh
Expand Up @@ -44,7 +44,7 @@ audit() {
fi
done
IFS=$IFS_BAK
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
crit "$RESULT"
else
Expand All @@ -71,7 +71,7 @@ apply() {
fi
done
IFS=$IFS_BAK
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
warn "$RESULT"
for USER in $(echo "$RESULT" | cut -d: -f 1); do
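Review bot: `for USER in $(echo "$RESULT" | cut -d: -f 1)` in apply() spawns echo only to feed cut; a here-string does the same without the extra process, `for USER in $(cut -d: -f1 <<<"$RESULT"); do`. The unquoted substitution relies on user names containing no whitespace, which is worth saying on the loop, `# word-split on purpose: one user name per iteration`. apply() continues past the end of the hunk.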
4 changes: 2 additions & 2 deletions bin/hardening/6.1.10_find_world_writable_file.sh
Expand Up @@ -22,7 +22,7 @@ audit() {
info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
Expand All @@ -34,7 +34,7 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
else
8 changes: 4 additions & 4 deletions bin/hardening/6.1.11_find_unowned_files.sh
Expand Up @@ -24,12 +24,12 @@ EXCLUDED=''
audit() {
info "Checking if there are unowned files"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
if [ ! -z $EXCLUDED ]; then
if [ -n "$EXCLUDED" ]; then
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
Expand All @@ -40,12 +40,12 @@ audit() {

# This function will be called if the script status is on enabled mode
apply() {
if [ ! -z $EXCLUDED ]; then
if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
warn "Applying chown on all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
else
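Review bot: `xargs chown $USER` in apply() takes the new owner from a variable that is not assigned anywhere in the visible hunk; if it is not set earlier in the script and falls through to the login environment's USER, every unowned file on the host is handed to whoever invoked the script rather than to a configured account. A guard before the find, `: "${USER:?USER must be set to the owner for unowned files}"`, makes the dependency explicit, and the expansion should be quoted, `xargs chown "$USER"`. 6.1.12's apply() has the same shape with `$GROUP`. apply() continues past the end of the hunk.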
8 changes: 4 additions & 4 deletions bin/hardening/6.1.12_find_ungrouped_files.sh
Expand Up @@ -24,12 +24,12 @@ EXCLUDED=''
audit() {
info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
if [ ! -z $EXCLUDED ]; then
if [ -n "$EXCLUDED" ]; then
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
Expand All @@ -40,12 +40,12 @@ audit() {

# This function will be called if the script status is on enabled mode
apply() {
if [ ! -z $EXCLUDED ]; then
if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
else
4 changes: 2 additions & 2 deletions bin/hardening/6.1.13_find_suid_files.sh
Expand Up @@ -23,7 +23,7 @@ audit() {
info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ ! -z $IGNORED_PATH ]; then
if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
Expand All @@ -36,7 +36,7 @@ audit() {
BAD_BINARIES="$BAD_BINARIES $BINARY"
fi
done
if [ ! -z "$BAD_BINARIES" ]; then
if [ -n "$BAD_BINARIES" ]; then
crit "Some suid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
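Review bot: The `# shellcheck disable=2086` directive above the new `if [ -n "$IGNORED_PATH" ]` now reads as stale, because the variable on the line it precedes is quoted, yet as far as I know the directive applies to the whole following if/else compound and so still silences the deliberately unquoted `$FS_NAMES` in both find calls; the next cleanup pass will otherwise delete it and reintroduce the warning. State the reason on the directive, `# shellcheck disable=2086 # FS_NAMES is intentionally word-split into separate find start points`. 6.1.14 carries the identical directive and hunk. audit() continues past the end of the hunk.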
4 changes: 2 additions & 2 deletions bin/hardening/6.1.14_find_sgid_files.sh
Expand Up @@ -23,7 +23,7 @@ audit() {
info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ ! -z $IGNORED_PATH ]; then
if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
Expand All @@ -36,7 +36,7 @@ audit() {
BAD_BINARIES="$BAD_BINARIES $BINARY"
fi
done
if [ ! -z "$BAD_BINARIES" ]; then
if [ -n "$BAD_BINARIES" ]; then
crit "Some sgid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
2 changes: 1 addition & 1 deletion bin/hardening/6.2.10_check_user_dot_file_perm.sh
Expand Up @@ -51,7 +51,7 @@ apply() {
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
warn "Group Write permission set on FILE $FILE"
chmod g-w "$FILE"
chmod g-w "$FILE"
fi
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
warn "Other Write permission set on FILE $FILE"
6 changes: 3 additions & 3 deletions bin/hardening/6.2.1_remove_empty_password_field.sh
Expand Up @@ -21,9 +21,9 @@ DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
audit() {
info "Checking if accounts have an empty password"
RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some accounts have an empty password"
crit $RESULT
crit "$RESULT"
else
ok "All accounts have a password"
fi
Expand All @@ -32,7 +32,7 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
warn "Some accounts have an empty password"
for ACCOUNT in $RESULT; do
info "Locking $ACCOUNT"
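Review bot: `crit "$RESULT"` in audit() now emits the account list with its embedded newlines, because the awk pipeline yields one name per line and the quoted expansion passes them through where the unquoted form collapsed them to spaces (assuming crit prints its arguments joined); a multi-line crit entry is harder to grep in a log than the one-line form the other checks produce. 6.2.5 in this same commit flattens before logging, and the same idiom keeps the message on one line here: `crit "$(tr '\n' ' ' <<<"$RESULT")"`. audit() continues past the end of the hunk.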
5 changes: 2 additions & 3 deletions bin/hardening/6.2.20_shadow_group_empty.sh
Expand Up @@ -17,7 +17,6 @@ HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."

ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'

Expand All @@ -29,15 +28,15 @@ audit() {
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some users belong to shadow group: $RESULT"
else
ok "No user belongs to shadow group"
fi

info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
else
ok "No user has shadow id as their primary group"
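Review bot: `RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)` in audit() reads /etc/group directly while the group id two lines later comes from getent, and 6.2.1 in this commit reads its database through `get_db`; on a host whose shadow group membership comes from NSS rather than the flat file the two sources can disagree and the membership check sees an empty list and reports ok. `RESULT=$(getent group shadow | cut -d: -f4)` matches the GROUPID line, or `get_db group` if that helper supports the group database. Dropping the unused `ERRORS=0` is fine. audit() continues past the end of the hunk.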
2 changes: 1 addition & 1 deletion bin/hardening/6.2.5_find_0_uid_non_root_account.sh
Expand Up @@ -40,7 +40,7 @@ audit() {
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
if [ -n "$RESULT" ]; then
crit "Some accounts have uid 0: $(tr '\n' ' ' <<<"$RESULT")"
else
ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS"
4 changes: 2 additions & 2 deletions bin/hardening/99.5.4_ssh_keys_from.sh
Expand Up @@ -53,12 +53,12 @@ check_ip() {
ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}")
bad_ips=$(sed 's/ $//' <<<"${bad_ips}")
if [[ -z $bad_ips ]]; then
if [[ ! -z $ok_ips ]]; then
if [[ -n $ok_ips ]]; then
ok "Line $linum of $file allows ssh access only from allowed IPs ($ok_ips)."
fi
else
crit "Line $linum of $file allows ssh access from (${bad_ips}) that are not allowed."
if [[ ! -z $ok_ips ]]; then
if [[ -n $ok_ips ]]; then
ok "Line $linum of $file allows ssh access from at least allowed IPs ($ok_ips)."
fi
fi
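Review bot: The two `sed 's/ $//' <<<...` calls at the top of the hunk each fork a process to strip one trailing space, which parameter expansion does inside the shell: `ok_ips=${ok_ips_allowed% }` and `bad_ips=${bad_ips% }`, assuming both values are single space-separated lines as the names suggest. The new `[[ -n $ok_ips ]]` tests are fine unquoted inside `[[ ]]`. check_ip() starts before the hunk.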
2 changes: 1 addition & 1 deletion tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
Expand Up @@ -12,7 +12,7 @@ test_audit() {
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 $targetdir
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
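Review bot: `mkdir $targetdir || true` on the line just above the newly quoted `chmod 777 "$targetdir"` is still unquoted, and its `|| true` hides every mkdir failure rather than only "already exists", so a permission problem would surface later as a confusing chmod error instead of at its cause. `mkdir -p -- "$targetdir"` keeps the idempotence the `|| true` was there for and drops the blanket suppression. test_audit() continues past the end of the hunk.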
2 changes: 1 addition & 1 deletion tests/run_all_targets.sh
Expand Up @@ -70,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
fi
done

if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
if [[ -n "$failedtarget" && "$nowait" -eq 0 ]]; then
echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
echo -e "and \e[1mq\e[0m to quit"
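Review bot: The three `echo -e` lines inside the changed if-block depend on echo interpreting `\n` and `\e`, which is what the project's shellcheck pass otherwise steers away from; bash's printf builtin handles both escapes and makes the format explicit, e.g. `printf '\nPress \e[1mENTER\e[0m to display failed test logs\n'` for the first line. This is a style point only; the `[[ -n "$failedtarget" && "$nowait" -eq 0 ]]` test itself is correct. The if-block continues past the end of the hunk.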
