From 3c7a03445c005ebe989b2e8695734ade3257a43a Mon Sep 17 00:00:00 2001
From: Thibault
Date: Thu, 12 Nov 2020 10:15:41 +0100
Subject: [PATCH] FIX(3.1.1): fix unbound variable issue
---
 bin/hardening/3.1.1_disable_ip_forwarding.sh | 28 ++++++++++---------
 .../hardening/3.1.1_disable_ip_forwarding.sh | 20 ++++++++++++-
 2 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh
index 38e7180..2b884a5 100755
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@@ -21,9 +21,9 @@ SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 for SYSCTL_PARAM in $SYSCTL_PARAMS; do
- does_sysctl_param_exists "net.ipv6"
- if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
- has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
 if [ $FNRET != 0 ]; then
 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
 elif [ $FNRET = 255 ]; then
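Review bot: The trailing comment on the added `if` line still says "SYSCTL_VALUES doesn't contain ipv6" although the variable tested is now `$SYSCTL_PARAM`, which is exactly the name the commit fixes; it should read `# IPv6 is enabled, or SYSCTL_PARAM is not an ipv6 key`. The expansions on the same line and the next are unquoted (`[ $FNRET = 0 ]`, `has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT`), so an empty or unset `FNRET` turns the test into a syntax error rather than a clean branch; `[ "$FNRET" = 0 ]` and `"$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"` avoid that. `does_sysctl_param_exists "net.ipv6"` does not depend on the loop variable, so it could be called once before the `for` instead of on every iteration. The body of `audit` continues past the end of this hunk.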
@@ -37,16 +37,18 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi + for SYSCTL_PARAM in $SYSCTL_PARAMS; do + has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT + if [ $FNRET != 0 ]; then + warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + sysctl -w net.ipv4.route.flush=1 > /dev/null + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist -- Typo?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi + done } # This function will check config parameters required diff --git a/tests/hardening/3.1.1_disable_ip_forwarding.sh b/tests/hardening/3.1.1_disable_ip_forwarding.sh index b333419..1e7211e 100644 --- a/tests/hardening/3.1.1_disable_ip_forwarding.sh +++ b/tests/hardening/3.1.1_disable_ip_forwarding.sh 
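Review bot: The new loop in `apply` lacks the IPv6 guard that `audit` applies to the same `$SYSCTL_PARAMS` list in the previous hunk, so on a host with IPv6 disabled every ipv6 key (if the list contains one, as the `audit` guard suggests) will reach `has_sysctl_param_expected_result`, return 255 and be reported as "does not exist -- Typo?" — a misleading warning in apply mode where audit mode stays silent. Mirroring the guard keeps the two modes consistent and is shown below. Independently, `sysctl -w net.ipv4.route.flush=1 > /dev/null` discards its exit status and is issued for every key, including any ipv6 one, where an IPv4 route flush is presumably not the intended effect; at minimum the status should be checked (`|| warn "route flush failed"`) so a failed apply is not reported as fixed. The `[ $FNRET != 0 ]` tests are unquoted as in `audit` and would benefit from `"$FNRET"`.
```shell
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled, or not an ipv6 key
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            # … unchanged: warn / set_sysctl_param / route flush / ok branches …
        fi
    done
```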
@@ -6,5 +6,23 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + if [ -f "/.dockerenv" ]; then + skip "SKIPPED on docker" + else + describe Tests purposely failing + sysctl -w net.ipv4.ip_forward=1 2>/dev/null + register_test retvalshouldbe 1 + register_test contain "net.ipv4.ip_forward was not set to 0" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "correctly set to 0" + register_test contain "net.ipv4.ip_forward correctly set to 0" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + fi }
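Review bot: The precondition `sysctl -w net.ipv4.ip_forward=1 2>/dev/null` hides both its stderr and its exit status, so on any non-docker environment where the runner cannot write sysctls (the `/.dockerenv` check is the only guard) the "noncompliant" run still sees the original value and `retvalshouldbe 1` fails with no hint about the real cause; `sysctl -w net.ipv4.ip_forward=1 2>/dev/null || skip "cannot set net.ipv4.ip_forward"` makes the failure explicit, reusing the `skip` helper already used in this hunk. `sed -i 's/audit/enabled/'` rewrites the first "audit" on every line of the cfg file rather than only the status setting, so any comment or other value containing that word would be altered too; anchoring the pattern to the status key (its exact name is not visible here) would narrow it. Of the two `register_test contain` checks in the resolved block, `"correctly set to 0"` is a substring of `"net.ipv4.ip_forward correctly set to 0"` and adds nothing. The resolved state also only asserts the ipv4 key even though the hardening script iterates over all of `$SYSCTL_PARAMS`, so a regression on any other key in that list would go unnoticed.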