feat: add debian12 scripts

- iptables_loopback.sh 			-> 4.3.2.2
- iptables_rules_them_all.sh 		-> 4.3.2.4
- iptables_outbound_established.sh 	-> 4.3.2.3
- ip6tables_loopback.sh			-> 4.3.3.2
- ip6tables_outbound_established.sh	-> 4.3.3.3
- ip6tables_rules_them_all.sh		-> 4.3.3.4
- ip6tables_default_deny_policy.sh 	-> 4.3.3.1

tests/hardening/ip6tables_default_deny_policy.sh

@@ -0,0 +1,5 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe "This can't be tested without a privilieged container"
+}

tests/hardening/ip6tables_loopback.sh

@@ -0,0 +1,5 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe "This can't be tested without a privilieged container"
+}

tests/hardening/ip6tables_outbound_established.sh

@@ -0,0 +1,31 @@
+# shellcheck shell=bash
+# run-shellcheck
+
+test_audit() {
+    describe Prepare test
+    apt install -y iptables
+
+    tests_is_ipv6_enabled
+    tests_get_debian_major_version
+    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -gt 11 ]; then
+
+        # not much to test here, unless working on a privileged container
+        describe Running on blank host
+        register_test retvalshouldbe 1
+        # shellcheck disable=2154
+        run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    else
+
+        # not much to test here, unless working on a privileged container
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        # shellcheck disable=2154
+        run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    fi
+
+    describe clean test
+    apt remove -y iptables
+
+}

tests/hardening/ip6tables_rules_them_all.sh

@@ -0,0 +1,35 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    apt install -y iptables netcat-traditional
+
+    tests_is_ipv6_enabled
+    tests_get_debian_major_version
+    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ] && [ "$DEB_MAJ_VER" -gt 11 ]; then
+
+        describe Prepare test
+        # shellcheck disable=2216
+        timeout 5s nc -lp 404 | true &
+
+        # not much to test here, unless working on a privileged container
+        describe Running failed test
+        register_test retvalshouldbe 1
+        # shellcheck disable=2154
+        run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+        describe correcting situation
+        # just wait for timeout to expire
+        sleep 5
+
+    fi
+
+    describe Running success
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y iptables netcat-traditional
+
+}

tests/hardening/iptables_loopback.sh

@@ -0,0 +1,22 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    tests_get_debian_major_version
+    if [ "$DEB_MAJ_VER" -gt 11 ]; then
+
+        describe Prepare test
+        apt install -y iptables
+
+        # not much to test here, unless working on a privileged container
+        describe Running on blank host
+        register_test retvalshouldbe 1
+        # shellcheck disable=2154
+        run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+        describe clean test
+        apt remove -y iptables
+
+    fi
+
+}

tests/hardening/iptables_outbound_established.sh

@@ -0,0 +1,5 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe "This can't be tested without a privilieged container"
+}

tests/hardening/iptables_rules_them_all.sh

@@ -0,0 +1,5 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe "This can't be tested without a privilieged container"
+}

tests/hardening/ipv6_is_enabled.sh

@@ -1,28 +1,10 @@
 # shellcheck shell=bash
 # run-shellcheck
-is_ipv6_enabled() {
-
-    CURRENT_IPV6_ENABLED=1
-    if sysctl net.ipv6 >/dev/null 2>&1; then
-        for iface in /proc/sys/net/ipv6/conf/*; do
-            ifname=$(basename "$iface")
-            if [ "$ifname" != "default" ] && [ "$ifname" != "all" ]; then
-                value=$(cat "$iface"/disable_ipv6)
-                # if only one interface has ipv6, this is enough to consider it enabled
-                if [ "$value" -eq 0 ]; then
-                    CURRENT_IPV6_ENABLED=0
-                    break
-                fi
-            fi
-        done
-    fi
-}
-
 test_audit() {
     # shellcheck disable=2154
     "${CIS_CHECKS_DIR}/${script}.sh" --create-config-files-only
 
-    is_ipv6_enabled
+    tests_is_ipv6_enabled
     if [ "$CURRENT_IPV6_ENABLED" -eq 0 ]; then
         describe prepare failing test
         # shellcheck disable=2154

tests/launch_tests.sh

@@ -153,6 +153,7 @@ if [ ! -f "$(dirname "$0")"/lib.sh ]; then
 fi
 # shellcheck source=../tests/lib.sh
 . "$(dirname "$0")"/lib.sh
+. "$(dirname "$0")"/utils.sh
 
 ###################
 # Execution start #

tests/utils.sh

@@ -0,0 +1,26 @@
+tests_is_ipv6_enabled() {
+    CURRENT_IPV6_ENABLED=1
+    if sysctl net.ipv6 >/dev/null 2>&1; then
+        for iface in /proc/sys/net/ipv6/conf/*; do
+            ifname=$(basename "$iface")
+            if [ "$ifname" != "default" ] && [ "$ifname" != "all" ]; then
+                value=$(cat "$iface"/disable_ipv6)
+                # if only one interface has ipv6, this is enough to consider it enabled
+                if [ "$value" -eq 0 ]; then
+                    CURRENT_IPV6_ENABLED=0
+                    break
+                fi
+            fi
+        done
+    fi
+}
+
+tests_get_debian_major_version() {
+    DEB_MAJ_VER=""
+    if [ -e /etc/debian_version ]; then
+        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+    else
+        # shellcheck disable=2034
+        DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
+    fi
+}