elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX(3.1.1,3.2.1,3.2.2): don't check for IPv6 options if IPv6 is disabled

Browse Source
This commit is contained in:
Thibault Ayanides 2020-11-02 17:16:11 +01:00
parent c2090b74b3
commit 668dc80bb8
3 changed files with 37 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -21,6 +21,8 @@ SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -29,6 +31,7 @@ audit () {
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
fi
done done
} }

3
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -19,6 +19,8 @@ SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
@ -30,6 +32,7 @@ audit () {
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
fi
done done
} }

4
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -19,9 +19,12 @@ SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -30,6 +33,7 @@ audit () {
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
fi
done done
} }