Convert linux shell scripts to use function call for SED rhel8-script-stig.sh #96

@wagner-robert

All,
This is probably not an issue, but a different way of editing/updating configuration files that I think is a little cleaner.
At the beginning of the shell script - rhel8-script-stig.sh
create a function:

check_and_update() {
   local CONFIG_FILE="$1"
   local SETTING_NAME="$2"
   local SETTING_VALUE="$3"

   # Check if the config file exists
   if [ ! -f "$CONFIG_FILE" ]; then
     echo "Config file '$CONFIG_FILE' not found." >&2
     echo "Creating file '$CONFIG_FILE'"  >&2
     touch "$CONFIG_FILE"   # quoted so paths containing spaces work
   fi

   # Check if the setting already exists (SETTING_NAME is treated as a regex, anchored to the start of the line)
   if grep -q "^$SETTING_NAME" "$CONFIG_FILE";  then
      # Replace the setting if it exists
      sed -i "\#^${SETTING_NAME}#d" "$CONFIG_FILE" # Delete the line. Anchored with ^ so "gpgcheck" does not also delete "repo_gpgcheck". Uses hash as parsing character; may cause issues if setting_name variable contains hash
      echo "$SETTING_NAME$SETTING_VALUE" >> "$CONFIG_FILE"  # Append the new line (will not work if trying to insert into a block like [main])
      echo "'$SETTING_NAME' found and updated to '$SETTING_NAME$SETTING_VALUE' in $CONFIG_FILE"
   else
      # Append the setting if it doesn't exist
      echo "$SETTING_NAME$SETTING_VALUE" >> "$CONFIG_FILE"  # Append the new line (will not work if trying to insert into a block like [main])
      echo "'$SETTING_NAME$SETTING_VALUE' added to $CONFIG_FILE"
   fi
}

Call this like:

check_and_update "/etc/modprobe.d/cramfs.conf" "install cramfs" " /bin/false"

Note - spacing at the end/beginning of the second and third variables is important. Some key pairs do not contain spaces like this:

check_and_update "/etc/dnf/dnf.conf" "gpgcheck" "=1"

I am not a developer; there may be a shorter, improved way of doing this. This reduced the number of SED commands to debug for me. I went from dozens of SED commands to just a few, and the overall script is much smaller. I am still searching for a better SED parsing character, since I would like to have comments in configuration files to identify the STIG check(s):

check_and_update "/etc/sysctl.d/99-sysctl.conf" "# V-257958 RHEL9 must ignore ICMP " "redirect messages"
check_and_update "/etc/sysctl.d/99-sysctl.conf" "net.ipv4.conf.all.accept_redirects" "=0"
check_and_update "/etc/sysctl.d/99-sysctl.conf" "net.ipv4.conf.default.accept_redirects" "=0"
check_and_update "/etc/sysctl.d/99-sysctl.conf" "net.ipv6.conf.all.accept_redirects" "=0"
check_and_update "/etc/sysctl.d/99-sysctl.conf" "net.ipv6.conf.default.accept_redirects" "=0"

I have also ruled out slashes and vertical bars since these are used in some settings.

Thank you for your consideration! Please let me know if you have ideas for improving this function.
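As an added example (not code from the issue or the repository), a bash variant of the function above that addresses the open parsing-character question: the setting name is escaped so `#`, `/`, `|` and regex metacharacters are matched literally, the delete is anchored to the line start, and the file is rewritten through a temp file. The names `set_config_line` and `setting_lines` are my own, and the sample file content is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the repository.
# set_config_line FILE NAME VALUE: make FILE contain exactly one line that
# starts with NAME, namely NAME immediately followed by VALUE (the same
# concatenation the issue's check_and_update uses).
set_config_line() {
    local file="$1" name="$2" value="$3" esc tmp
    [ -f "$file" ] || : > "$file"          # create an empty file if missing
    # Escape BRE metacharacters, backslash and '#' (the sed delimiter used
    # below) so NAME is matched literally: "# V-257958 ..." comments,
    # "/bin/false" values and dotted sysctl keys all pass through unchanged.
    esc=$(printf '%s' "$name" | sed 's/[][\\.*^$#]/\\&/g')
    tmp=$(mktemp) || return 1
    # Delete every line that STARTS with NAME ('^' keeps "gpgcheck" from also
    # deleting "repo_gpgcheck=..."), append the wanted line, then replace the
    # file in one mv so it is never left half-written.
    { sed "\#^${esc}#d" "$file"; printf '%s%s\n' "$name" "$value"; } > "$tmp" \
        && mv "$tmp" "$file"
}

# setting_lines FILE NAME: print the line(s) beginning with NAME, compared as
# a literal string (used to verify the result).
setting_lines() {
    awk -v n="$2" 'index($0, n) == 1' "$1"
}

# Demo on a constructed dnf.conf-style file (sample content, not from a real
# host). Appending lands after the last section, so the key only ends up
# inside [main] because [main] is the file's only section.
demo_file=$(mktemp)
printf '[main]\ngpgcheck=0\nrepo_gpgcheck=0\n' > "$demo_file"
set_config_line "$demo_file" "gpgcheck" "=1"
set_config_line "$demo_file" "gpgcheck" "=1"   # second run leaves the file unchanged
set_config_line "$demo_file" "# V-257958 RHEL9 must ignore ICMP " "redirect messages"
set_config_line "$demo_file" "install cramfs" " /bin/false"
cat "$demo_file"
rm -f "$demo_file"
```

Running it twice with the same arguments is safe: the existing line is removed and re-added, so the script stays idempotent across repeated STIG runs.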
