mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 05:27:01 +01:00
Renumber network params 7.1.x, 7.2.x and 7.3
renamed: bin/hardening/7.1.1_disable_ip_forwarding.sh -> bin/hardening/3.1.1_disable_ip_forwarding.sh renamed: bin/hardening/7.1.2_disable_send_packet_redirects.sh -> bin/hardening/3.1.2_disable_send_packet_redirects.sh renamed: bin/hardening/7.2.1_disable_source_routed_packets.sh -> bin/hardening/3.2.1_disable_source_routed_packets.sh renamed: bin/hardening/7.2.2_disable_icmp_redirect.sh -> bin/hardening/3.2.2_disable_icmp_redirect.sh renamed: bin/hardening/7.2.3_disable_secure_icmp_redirect.sh -> bin/hardening/3.2.3_disable_secure_icmp_redirect.sh renamed: bin/hardening/7.2.4_log_martian_packets.sh -> bin/hardening/3.2.4_log_martian_packets.sh renamed: bin/hardening/7.2.5_ignore_broadcast_requests.sh -> bin/hardening/3.2.5_ignore_broadcast_requests.sh renamed: bin/hardening/7.2.8_enable_tcp_syn_cookies.sh -> bin/hardening/3.2.8_enable_tcp_syn_cookies.sh renamed: bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh renamed: bin/hardening/7.3.3_disable_ipv6.sh -> bin/hardening/3.7_disable_ipv6.sh deleted: bin/hardening/7.2.6_enable_bad_error_message_protection.sh deleted: bin/hardening/7.2.7_enable_source_route_validation.sh deleted: bin/hardening/7.3.2_disable_ipv6_redirect.sh renamed: tests/hardening/7.3.3_disable_ipv6.sh -> tests/hardening/3.1.1_disable_ip_forwarding.sh renamed: tests/hardening/7.3.2_disable_ipv6_redirect.sh -> tests/hardening/3.1.2_disable_send_packet_redirects.sh renamed: tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> tests/hardening/3.2.1_disable_source_routed_packets.sh renamed: tests/hardening/7.2.8_enable_tcp_syn_cookies.sh -> tests/hardening/3.2.2_disable_icmp_redirect.sh renamed: tests/hardening/7.2.7_enable_source_route_validation.sh -> tests/hardening/3.2.3_disable_secure_icmp_redirect.sh renamed: tests/hardening/7.2.6_enable_bad_error_message_protection.sh -> tests/hardening/3.2.4_log_martian_packets.sh renamed: tests/hardening/7.2.5_ignore_broadcast_requests.sh -> tests/hardening/3.2.5_ignore_broadcast_requests.sh renamed: tests/hardening/7.2.4_log_martian_packets.sh -> tests/hardening/3.2.8_enable_tcp_syn_cookies.sh renamed: tests/hardening/7.2.3_disable_secure_icmp_redirect.sh -> tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh renamed: tests/hardening/7.2.2_disable_icmp_redirect.sh -> tests/hardening/3.7_disable_ipv6.sh deleted: tests/hardening/7.1.1_disable_ip_forwarding.sh deleted: tests/hardening/7.1.2_disable_send_packet_redirects.sh deleted: tests/hardening/7.2.1_disable_source_routed_packets.sh
This commit is contained in:
Charles Herlin
Thibault Ayanides
parent
e205dc7481
commit
c5674c3627
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.1.1 Disable IP Forwarding (Scored)
|
||||
# 3.1.1 Ensure IP forwarding is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -15,19 +15,21 @@ HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=gw
|
||||
DESCRIPTION="Disable IP forwarding."
|
||||
|
||||
SYSCTL_PARAM='net.ipv4.ip_forward'
|
||||
SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
|
||||
SYSCTL_EXP_RESULT=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.1.2 Disable Send Packet Redirects (Scored)
|
||||
# 3.1.2 Ensure packet redirect sending is disabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
|
||||
# 3.2.1 Ensure source routed packets are not accepted (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable source routed packet acceptance."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0'
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
|
||||
# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0'
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
|
||||
# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.4 Log Suspicious Packets (Scored)
|
||||
# 3.2.4 Ensure suspicious packets are logged (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.5 Enable Ignore Broadcast Requests (Scored)
|
||||
# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.8 Enable TCP SYN Cookies (Scored)
|
||||
# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
|
||||
# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 7.3.3 Disable IPv6 (Not Scored)
|
||||
# 3.7 Disable IPv6 (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -1,76 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.6 Enable Bad Error Message Protection (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,76 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Enable RFC-recommended source route validation."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,86 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable IPv6 redirect acceptance."
|
||||
|
||||
SYSCTL_PARAMS='net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
else
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ $FNRET != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
else
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user