debian-cis/bin/hardening/3.4.3_disable_rds.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 3.4.3 Ensure SCTP is disabled (Not Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."

# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels

KERNEL_OPTION="CONFIG_RDS"
MODULE_NAME="rds"

# This function will be called if the script status is on enabled / audit mode
audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
}

# This function will be called if the script status is on enabled mode
apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
}

# This function will check config parameters required
check_config() {
    :
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
fi
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#`

			`#`
Renumber 7.5.x and 7.6 renamed: bin/hardening/7.5.1_disable_dccp.sh -> bin/hardening/3.4.1_disable_dccp.sh renamed: bin/hardening/7.5.2_disable_sctp.sh -> bin/hardening/3.4.2_disable_sctp.sh renamed: bin/hardening/7.5.3_disable_rds.sh -> bin/hardening/3.4.3_disable_rds.sh renamed: bin/hardening/7.5.4_disable_tipc.sh -> bin/hardening/3.4.4_disable_tipc.sh renamed: bin/hardening/7.6_disable_wireless.sh -> bin/hardening/3.6_disable_wireless.sh renamed: tests/hardening/7.6_disable_wireless.sh -> tests/hardening/3.4.1_disable_dccp.sh renamed: tests/hardening/7.5.4_disable_tipc.sh -> tests/hardening/3.4.2_disable_sctp.sh renamed: tests/hardening/7.5.3_disable_rds.sh -> tests/hardening/3.4.3_disable_rds.sh renamed: tests/hardening/7.5.2_disable_sctp.sh -> tests/hardening/3.4.4_disable_tipc.sh renamed: tests/hardening/7.5.1_disable_dccp.sh -> tests/hardening/3.6_disable_wireless.sh 2019-08-30 17:18:26 +02:00			`# 3.4.3 Ensure SCTP is disabled (Not Scored)`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=2`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
ADD(3.4.x): add checks and tests 2021-01-21 11:09:25 +01:00			`# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels`

			`KERNEL_OPTION="CONFIG_RDS"`
			`MODULE_NAME="rds"`

7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`# This function will be called if the script status is on enabled / audit mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`audit() {`
IMP: add multiple Improvements * add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel 2021-02-04 16:21:49 +01:00			`if [ "$IS_CONTAINER" -eq 1 ]; then`
			`# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it`
			`ok "Container detected, consider host enforcing or disable this check!"`
ADD(3.4.x): add checks and tests 2021-01-21 11:09:25 +01:00			`else`
IMP: add multiple Improvements * add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel 2021-02-04 16:21:49 +01:00			`is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"`
			`if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated`
			`crit "$MODULE_NAME is enabled!"`
			`else`
			`ok "$MODULE_NAME is disabled"`
			`fi`
ADD(3.4.x): add checks and tests 2021-01-21 11:09:25 +01:00			`fi`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`}`

			`# This function will be called if the script status is on enabled mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`apply() {`
IMP: add multiple Improvements * add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel 2021-02-04 16:21:49 +01:00			`if [ "$IS_CONTAINER" -eq 1 ]; then`
			`# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it`
			`ok "Container detected, consider host enforcing!"`
ADD(3.4.x): add checks and tests 2021-01-21 11:09:25 +01:00			`else`
IMP: add multiple Improvements * add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel 2021-02-04 16:21:49 +01:00			`is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"`
			`if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated`
			`warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"`
			`else`
			`ok "$MODULE_NAME is disabled"`
			`fi`
ADD(3.4.x): add checks and tests 2021-01-21 11:09:25 +01:00			`fi`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`if [ -z "$CIS_LIB_DIR" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`echo "Cannot source CIS_LIB_DIR variable, aborting."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`exit 128`
			`fi`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`if [ -r "${CIS_LIB_DIR}"/main.sh ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../lib/main.sh`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`. "${CIS_LIB_DIR}"/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`else`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`exit 128`
			`fi`