FIX(3.1.1): fix unbound variable issue

Thibault 2020-11-12 10:15:41 +01:00 committed by Thibault Ayanides
parent 03c8e25ff3
commit 3c7a03445c
2 changed files with 34 additions and 14 deletions


@ -22,7 +22,7 @@ SYSCTL_EXP_RESULT=0
audit () { audit () {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -37,6 +37,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@ -47,6 +48,7 @@ apply () {
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
done
} }
# This function will check config parameters required # This function will check config parameters required
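Review bot: apply() now iterates over SYSCTL_PARAMS but does not repeat the IPv6 guard that audit() uses (`does_sysctl_param_exists "net.ipv6"` followed by the `=~ .*ipv6.*` test), so if the list holds net.ipv6 keys and IPv6 is disabled it would presumably try to fix a key that does not exist. The lines between the two apply() hunks are not visible here, so confirm how that path behaves. Consider opening the loop body with `does_sysctl_param_exists "net.ipv6"` and `if [ "$FNRET" != 0 ] && [[ "$SYSCTL_PARAM" =~ ipv6 ]]; then continue; fi`. The trailing comment on the audit() condition still names SYSCTL_VALUES and should read `# IPv6 is enabled or SYSCTL_PARAM doesn't contain ipv6`. Quoting `"$FNRET"` and `"$SYSCTL_PARAM"` in these tests would also keep an empty value from becoming a syntax error.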


@ -6,5 +6,23 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing
sysctl -w net.ipv4.ip_forward=1 2>/dev/null
register_test retvalshouldbe 1
register_test contain "net.ipv4.ip_forward was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.ip_forward correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }
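Review bot: The new non-docker branch hides failures of its own setup steps. `sysctl -w net.ipv4.ip_forward=1 2>/dev/null` discards the error if the key cannot be written, and `--apply || true` discards a failed remediation, so either problem only shows up later as a confusing mismatch in the `noncompliant` or `resolved` checks. Dropping the `2>/dev/null` and checking the apply exit status would make the failing step obvious. The assertions also cover only net.ipv4.ip_forward, while the condition this commit corrects in audit() is the IPv6 one, so the fixed path stays untested. The pattern in `sed -i 's/audit/enabled/'` is not anchored to the status line and would rewrite any line in the cfg that contains "audit". test_audit() starts outside this hunk.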