ADD(3.4.x): add checks and tests

bin/hardening/3.4.1_disable_dccp.sh

@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
+MODULE_NAME="dccp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.2_disable_sctp.sh

@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
+MODULE_NAME="sctp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.3_disable_rds.sh

@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_RDS"
+MODULE_NAME="rds"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.4_disable_tipc.sh

@@ -17,14 +17,29 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_TIPC"
+MODULE_NAME="tipc"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
 }
 
 # This function will check config parameters required

tests/hardening/3.4.1_disable_dccp.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/3.4.2_disable_sctp.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/3.4.3_disable_rds.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/3.4.4_disable_tipc.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }