FIX(3.1.1): fix unbound variable issue

Thibault 2020-11-12 10:15:41 +01:00 committed by Thibault Ayanides
parent 03c8e25ff3
commit 3c7a03445c
2 changed files with 34 additions and 14 deletions


@ -21,9 +21,9 @@ SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then elif [ $FNRET = 255 ]; then
@ -37,16 +37,18 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT for SYSCTL_PARAM in $SYSCTL_PARAMS; do
if [ $FNRET != 0 ]; then has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" if [ $FNRET != 0 ]; then
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
sysctl -w net.ipv4.route.flush=1 > /dev/null set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then sysctl -w net.ipv4.route.flush=1 > /dev/null
warn "$SYSCTL_PARAM does not exist -- Typo?" elif [ $FNRET = 255 ]; then
else warn "$SYSCTL_PARAM does not exist -- Typo?"
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" else
fi ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
} }
# This function will check config parameters required # This function will check config parameters required
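Review bot: The `elif [ $FNRET = 255 ]` branch in `apply` can never run, because `[ $FNRET != 0 ]` is tested first and already matches 255; the same ordering is visible in `audit`, whose body continues past the hunk. Judging from the warning text, 255 means the key does not exist, so a mistyped entry in `SYSCTL_PARAMS` is handed to `set_sysctl_param` instead of being reported as a typo. Test the specific code first: `if [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?"` followed by `elif [ "$FNRET" != 0 ]; then`. The trailing comment on the changed `audit` condition still names `SYSCTL_VALUES` although the test now reads `SYSCTL_PARAM`, and `apply` does not repeat that IPv6 guard, so it may try to write IPv6 keys on hosts where `net.ipv6` is absent.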


@ -6,5 +6,23 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing
sysctl -w net.ipv4.ip_forward=1 2>/dev/null
register_test retvalshouldbe 1
register_test contain "net.ipv4.ip_forward was not set to 0"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "correctly set to 0"
register_test contain "net.ipv4.ip_forward correctly set to 0"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }
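Review bot: `--apply || true` discards the exit status of the remediation step, and nothing in the new block restores the host afterwards, so a failed apply leaves `net.ipv4.ip_forward=1` on the test machine and the cfg switched to enabled. Save the value before changing it, `orig=$(sysctl -n net.ipv4.ip_forward)`, and restore it with `sysctl -w net.ipv4.ip_forward="$orig"` once the resolved run has finished. The `sed -i 's/audit/enabled/'` expression rewrites the first `audit` on every line of the cfg; anchoring it to the status line would keep it from touching comments or other values. `register_test contain "correctly set to 0"` is already implied by the more specific check on the line after it. `test_audit` opens before the hunk.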