From bd4ddfc398ceb13b35014daf89c22a3f05d994d2 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 21 Jan 2021 11:09:25 +0100
Subject: [PATCH] ADD(3.4.x): add checks and tests

---
 bin/hardening/3.4.1_disable_dccp.sh | 19 +++++++++++++++++--
 bin/hardening/3.4.2_disable_sctp.sh | 19 +++++++++++++++++--
 bin/hardening/3.4.3_disable_rds.sh | 19 +++++++++++++++++--
 bin/hardening/3.4.4_disable_tipc.sh | 19 +++++++++++++++++--
 tests/hardening/3.4.1_disable_dccp.sh | 7 ++++++-
 tests/hardening/3.4.2_disable_sctp.sh | 7 ++++++-
 tests/hardening/3.4.3_disable_rds.sh | 7 ++++++-
 tests/hardening/3.4.4_disable_tipc.sh | 7 ++++++-
 8 files changed, 92 insertions(+), 12 deletions(-)

diff --git a/bin/hardening/3.4.1_disable_dccp.sh b/bin/hardening/3.4.1_disable_dccp.sh
index 53ac32e..edf1535 100755
--- a/bin/hardening/3.4.1_disable_dccp.sh
+++ b/bin/hardening/3.4.1_disable_dccp.sh
@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
+MODULE_NAME="dccp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required
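Review bot: `KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"` names the netfilter connection-tracking helper for DCCP, not the DCCP protocol implementation, which is `CONFIG_IP_DCCP`; a kernel can have `CONFIG_IP_DCCP=y` or `=m` with the conntrack option unset, so audit() would report `ok` on a host where DCCP sockets are still available. Use `KERNEL_OPTION="CONFIG_IP_DCCP"` (keeping `MODULE_NAME="dccp"`, which is the module that option builds). apply() also drops the `"$MODULE_NAME"` argument that audit() passes to `is_kernel_option_enabled`; if that argument is what covers the modular-kernel case, the two functions can disagree, so pass the same arguments in both. For a modular kernel the remediation is not a recompile but a modprobe rule, e.g. `install dccp /bin/true` in `/etc/modprobe.d/`, which apply() could write instead of only warning; the helper itself is defined outside this hunk, so how it treats `=m` is not visible here.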
diff --git a/bin/hardening/3.4.2_disable_sctp.sh b/bin/hardening/3.4.2_disable_sctp.sh
index 080d3cc..48b6fc0 100755
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
+MODULE_NAME="sctp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/3.4.3_disable_rds.sh b/bin/hardening/3.4.3_disable_rds.sh
index 651d7a9..3e1574e 100755
--- a/bin/hardening/3.4.3_disable_rds.sh
+++ b/bin/hardening/3.4.3_disable_rds.sh
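Review bot: `KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"` is the conntrack protocol helper, not the SCTP stack; the option that actually builds the `sctp` module is `CONFIG_IP_SCTP`, so this audit can pass on a kernel where SCTP is fully usable while the netfilter helper happens to be unset. Change it to `KERNEL_OPTION="CONFIG_IP_SCTP"`. Separately, the crit/ok messages print only the config symbol, so an operator reading the report sees `CONFIG_NF_CT_PROTO_SCTP is enabled!` and is pointed at netfilter rather than at the protocol; `crit "$MODULE_NAME ($KERNEL_OPTION) is enabled!"` reads more clearly and the same applies to the `ok`/`warn` lines. apply() also omits the `"$MODULE_NAME"` argument audit() passes, so the two should be made to call the helper identically.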
@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_RDS"
+MODULE_NAME="rds"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/3.4.4_disable_tipc.sh b/bin/hardening/3.4.4_disable_tipc.sh
index 06a8445..5e7a402 100755
--- a/bin/hardening/3.4.4_disable_tipc.sh
+++ b/bin/hardening/3.4.4_disable_tipc.sh
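Review bot: apply() calls `is_kernel_option_enabled "$KERNEL_OPTION"` while audit() calls `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"`, so the remediation path evaluates a different condition from the audit that triggered it; if the second argument is what detects a loadable `rds` module, audit can report crit while apply answers `nothing to do`. Pass the same arguments in both: `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"`. The `recompile your kernel` warning is only accurate for `CONFIG_RDS=y`; when the option is `=m` the module can be blocked with a modprobe rule such as `install rds /bin/true` in `/etc/modprobe.d/`, which is the remediation the benchmark describes, so apply() could handle that case instead of giving up. The helper is defined outside this hunk, so whether it already distinguishes `=y` from `=m` is not visible here.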
@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_TIPC"
+MODULE_NAME="tipc"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required
diff --git a/tests/hardening/3.4.1_disable_dccp.sh b/tests/hardening/3.4.1_disable_dccp.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/3.4.1_disable_dccp.sh
+++ b/tests/hardening/3.4.1_disable_dccp.sh
@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank #
+    # host, and we check root/sudo consistency. But, we don't test #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful. #
+    ##################################################################
 }
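Review bot: the new comment says the check reads `/proc/config.gz`, but Debian's stock kernels are not built with `CONFIG_IKCONFIG_PROC`, so that file is normally absent and the running configuration is only available in `/boot/config-$(uname -r)`; if `is_kernel_option_enabled` relies solely on `/proc/config.gz`, this check cannot work on the distribution the project targets — the helper is defined outside this hunk, so please confirm it falls back to the `/boot` file. The comment should state the actual source, e.g. `# Note: the kernel config (/proc/config.gz, or /boot/config-$(uname -r) on Debian) is read so both built-in (=y) and modular (=m) kernels are covered`. As in the sibling scripts, apply() omits the `"$MODULE_NAME"` argument that audit() passes; keep the two calls identical. Unrelated to this change but visible in context, the DESCRIPTION line misspells `Transparent`.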
@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank #
+    # host, and we check root/sudo consistency. But, we don't test #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful. #
+    ##################################################################
 }
diff --git a/tests/hardening/3.4.3_disable_rds.sh b/tests/hardening/3.4.3_disable_rds.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/3.4.3_disable_rds.sh
+++ b/tests/hardening/3.4.3_disable_rds.sh
@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank #
+    # host, and we check root/sudo consistency. But, we don't test #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful. #
+    ##################################################################
 }
diff --git a/tests/hardening/3.4.4_disable_tipc.sh b/tests/hardening/3.4.4_disable_tipc.sh
index f85b20d..a5243cb 100644
--- a/tests/hardening/3.4.4_disable_tipc.sh
+++ b/tests/hardening/3.4.4_disable_tipc.sh
@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank #
+    # host, and we check root/sudo consistency. But, we don't test #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful. #
+    ##################################################################
 }