From c5674c3627769df9d217808f631f2ff9a572a269 Mon Sep 17 00:00:00 2001 
From: Charles Herlin Date: Fri, 30 Aug 2019 14:14:29 +0200 Subject: [PATCH] Renumber network params 7.1.x, 7.2.x and 7.3 renamed: bin/hardening/7.1.1_disable_ip_forwarding.sh -> bin/hardening/3.1.1_disable_ip_forwarding.sh renamed: bin/hardening/7.1.2_disable_send_packet_redirects.sh -> bin/hardening/3.1.2_disable_send_packet_redirects.sh renamed: bin/hardening/7.2.1_disable_source_routed_packets.sh -> bin/hardening/3.2.1_disable_source_routed_packets.sh renamed: bin/hardening/7.2.2_disable_icmp_redirect.sh -> bin/hardening/3.2.2_disable_icmp_redirect.sh renamed: bin/hardening/7.2.3_disable_secure_icmp_redirect.sh -> bin/hardening/3.2.3_disable_secure_icmp_redirect.sh renamed: bin/hardening/7.2.4_log_martian_packets.sh -> bin/hardening/3.2.4_log_martian_packets.sh renamed: bin/hardening/7.2.5_ignore_broadcast_requests.sh -> bin/hardening/3.2.5_ignore_broadcast_requests.sh renamed: bin/hardening/7.2.8_enable_tcp_syn_cookies.sh -> bin/hardening/3.2.8_enable_tcp_syn_cookies.sh renamed: bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh renamed: bin/hardening/7.3.3_disable_ipv6.sh -> bin/hardening/3.7_disable_ipv6.sh deleted: bin/hardening/7.2.6_enable_bad_error_message_protection.sh deleted: bin/hardening/7.2.7_enable_source_route_validation.sh deleted: bin/hardening/7.3.2_disable_ipv6_redirect.sh renamed: tests/hardening/7.3.3_disable_ipv6.sh -> tests/hardening/3.1.1_disable_ip_forwarding.sh renamed: tests/hardening/7.3.2_disable_ipv6_redirect.sh -> tests/hardening/3.1.2_disable_send_packet_redirects.sh renamed: tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> tests/hardening/3.2.1_disable_source_routed_packets.sh renamed: tests/hardening/7.2.8_enable_tcp_syn_cookies.sh -> tests/hardening/3.2.2_disable_icmp_redirect.sh renamed: tests/hardening/7.2.7_enable_source_route_validation.sh -> tests/hardening/3.2.3_disable_secure_icmp_redirect.sh renamed: 
tests/hardening/7.2.6_enable_bad_error_message_protection.sh -> tests/hardening/3.2.4_log_martian_packets.sh renamed: tests/hardening/7.2.5_ignore_broadcast_requests.sh -> tests/hardening/3.2.5_ignore_broadcast_requests.sh renamed: tests/hardening/7.2.4_log_martian_packets.sh -> tests/hardening/3.2.8_enable_tcp_syn_cookies.sh renamed: tests/hardening/7.2.3_disable_secure_icmp_redirect.sh -> tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh renamed: tests/hardening/7.2.2_disable_icmp_redirect.sh -> tests/hardening/3.7_disable_ipv6.sh deleted: tests/hardening/7.1.1_disable_ip_forwarding.sh deleted: tests/hardening/7.1.2_disable_send_packet_redirects.sh deleted: tests/hardening/7.2.1_disable_source_routed_packets.sh --- ...ding.sh => 3.1.1_disable_ip_forwarding.sh} | 20 +++-- ...=> 3.1.2_disable_send_packet_redirects.sh} | 2 +- ...=> 3.2.1_disable_source_routed_packets.sh} | 4 +- ...rect.sh => 3.2.2_disable_icmp_redirect.sh} | 4 +- ... => 3.2.3_disable_secure_icmp_redirect.sh} | 2 +- ...ackets.sh => 3.2.4_log_martian_packets.sh} | 2 +- ....sh => 3.2.5_ignore_broadcast_requests.sh} | 2 +- ...ies.sh => 3.2.8_enable_tcp_syn_cookies.sh} | 2 +- ....2.9_disable_ipv6_router_advertisement.sh} | 2 +- ....3_disable_ipv6.sh => 3.7_disable_ipv6.sh} | 2 +- ...2.6_enable_bad_error_message_protection.sh | 76 ---------------- .../7.2.7_enable_source_route_validation.sh | 76 ---------------- bin/hardening/7.3.2_disable_ipv6_redirect.sh | 86 ------------------- ...ding.sh => 3.1.1_disable_ip_forwarding.sh} | 0 ...=> 3.1.2_disable_send_packet_redirects.sh} | 0 ...=> 3.2.1_disable_source_routed_packets.sh} | 0 ...rect.sh => 3.2.2_disable_icmp_redirect.sh} | 0 ... 
=> 3.2.3_disable_secure_icmp_redirect.sh} | 0 ...ackets.sh => 3.2.4_log_martian_packets.sh} | 0 ....sh => 3.2.5_ignore_broadcast_requests.sh} | 0 ...ion.sh => 3.2.8_enable_tcp_syn_cookies.sh} | 0 ....2.9_disable_ipv6_router_advertisement.sh} | 0 ...tcp_syn_cookies.sh => 3.7_disable_ipv6.sh} | 0 ...7.3.1_disable_ipv6_router_advertisement.sh | 10 --- .../hardening/7.3.2_disable_ipv6_redirect.sh | 10 --- tests/hardening/7.3.3_disable_ipv6.sh | 10 --- 26 files changed, 22 insertions(+), 288 deletions(-) rename bin/hardening/{7.1.1_disable_ip_forwarding.sh => 3.1.1_disable_ip_forwarding.sh} (78%) rename bin/hardening/{7.1.2_disable_send_packet_redirects.sh => 3.1.2_disable_send_packet_redirects.sh} (97%) rename bin/hardening/{7.2.1_disable_source_routed_packets.sh => 3.2.1_disable_source_routed_packets.sh} (93%) rename bin/hardening/{7.2.2_disable_icmp_redirect.sh => 3.2.2_disable_icmp_redirect.sh} (93%) rename bin/hardening/{7.2.3_disable_secure_icmp_redirect.sh => 3.2.3_disable_secure_icmp_redirect.sh} (97%) rename bin/hardening/{7.2.4_log_martian_packets.sh => 3.2.4_log_martian_packets.sh} (97%) rename bin/hardening/{7.2.5_ignore_broadcast_requests.sh => 3.2.5_ignore_broadcast_requests.sh} (97%) rename bin/hardening/{7.2.8_enable_tcp_syn_cookies.sh => 3.2.8_enable_tcp_syn_cookies.sh} (97%) rename bin/hardening/{7.3.1_disable_ipv6_router_advertisement.sh => 3.2.9_disable_ipv6_router_advertisement.sh} (97%) rename bin/hardening/{7.3.3_disable_ipv6.sh => 3.7_disable_ipv6.sh} (98%) delete mode 100755 bin/hardening/7.2.6_enable_bad_error_message_protection.sh delete mode 100755 bin/hardening/7.2.7_enable_source_route_validation.sh delete mode 100755 bin/hardening/7.3.2_disable_ipv6_redirect.sh rename tests/hardening/{7.1.1_disable_ip_forwarding.sh => 3.1.1_disable_ip_forwarding.sh} (100%) rename tests/hardening/{7.1.2_disable_send_packet_redirects.sh => 3.1.2_disable_send_packet_redirects.sh} (100%) rename tests/hardening/{7.2.1_disable_source_routed_packets.sh => 
3.2.1_disable_source_routed_packets.sh} (100%) rename tests/hardening/{7.2.2_disable_icmp_redirect.sh => 3.2.2_disable_icmp_redirect.sh} (100%) rename tests/hardening/{7.2.3_disable_secure_icmp_redirect.sh => 3.2.3_disable_secure_icmp_redirect.sh} (100%) rename tests/hardening/{7.2.4_log_martian_packets.sh => 3.2.4_log_martian_packets.sh} (100%) rename tests/hardening/{7.2.5_ignore_broadcast_requests.sh => 3.2.5_ignore_broadcast_requests.sh} (100%) rename tests/hardening/{7.2.6_enable_bad_error_message_protection.sh => 3.2.8_enable_tcp_syn_cookies.sh} (100%) rename tests/hardening/{7.2.7_enable_source_route_validation.sh => 3.2.9_disable_ipv6_router_advertisement.sh} (100%) rename tests/hardening/{7.2.8_enable_tcp_syn_cookies.sh => 3.7_disable_ipv6.sh} (100%) delete mode 100644 tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh delete mode 100644 tests/hardening/7.3.2_disable_ipv6_redirect.sh delete mode 100644 tests/hardening/7.3.3_disable_ipv6.sh diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh similarity index 78% rename from bin/hardening/7.1.1_disable_ip_forwarding.sh rename to bin/hardening/3.1.1_disable_ip_forwarding.sh index 0b9cae5..711f62c 100755 --- a/bin/hardening/7.1.1_disable_ip_forwarding.sh +++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh @@ -5,7 +5,7 @@ # # -# 7.1.1 Disable IP Forwarding (Scored) +# 3.1.1 Ensure IP forwarding is disabled (Scored) # set -e # One error, it's over 
@@ -15,19 +15,21 @@ HARDENING_LEVEL=3 HARDENING_EXCEPTION=gw DESCRIPTION="Disable IP forwarding." -SYSCTL_PARAM='net.ipv4.ip_forward' +SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding' SYSCTL_EXP_RESULT=0 # This function will be called if the script status is on enabled / audit mode audit () { + for SYSCTL_PARAM in $SYSCTL_PARAMS; do has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi + if [ $FNRET != 0 ]; then + crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist -- Typo?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi + done } # This function will be called if the script status is on enabled mode diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/3.1.2_disable_send_packet_redirects.sh similarity index 97% rename from bin/hardening/7.1.2_disable_send_packet_redirects.sh rename to bin/hardening/3.1.2_disable_send_packet_redirects.sh index 0d55f44..460bcec 100755 --- a/bin/hardening/7.1.2_disable_send_packet_redirects.sh +++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh @@ -5,7 +5,7 @@ # # -# 7.1.2 Disable Send Packet Redirects (Scored) +# 3.1.2 Ensure packet redirect sending is disabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh similarity index 93% rename from bin/hardening/7.2.1_disable_source_routed_packets.sh rename to bin/hardening/3.2.1_disable_source_routed_packets.sh index 884581c..472b5b3 100755 --- a/bin/hardening/7.2.1_disable_source_routed_packets.sh +++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh 
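Review bot: apply() in 3.1.1_disable_ip_forwarding.sh still depends on the single `$SYSCTL_PARAM` that this hunk renames to `SYSCTL_PARAMS`, and the diffstat for this file (20 lines, all accounted for by the two hunks shown) suggests apply() is not touched; if the script carries the same `set -u` as its siblings that is an unbound-variable abort when apply runs alone, and when audit has run first the loop variable leaks so only the last key, `net.ipv6.conf.all.forwarding`, gets fixed. apply() should be wrapped in the same `for SYSCTL_PARAM in $SYSCTL_PARAMS; do … done` loop that audit() now has. In the re-indented audit loop the `elif [ $FNRET = 255 ]` branch is unreachable, because `[ $FNRET != 0 ]` already matches 255, so on a host where IPv6 is disabled (the new 3.7 script) the absent `net.ipv6.conf.all.forwarding` key is reported as crit "was not set to 0" instead of the intended "does not exist" warning; testing 255 first fixes it: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?"; elif [ $FNRET != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"; else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"; fi`. apply() and the rest of the file lie outside this hunk.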
@@ -5,7 +5,7 @@ # # -# 7.2.1 Disable Source Routed Packet Acceptance (Scored) +# 3.2.1 Ensure source routed packets are not accepted (Scored) # set -e # One error, it's over @@ -14,7 +14,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 DESCRIPTION="Disable source routed packet acceptance." -SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0' +SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh similarity index 93% rename from bin/hardening/7.2.2_disable_icmp_redirect.sh rename to bin/hardening/3.2.2_disable_icmp_redirect.sh index c2fa0f2..ebe9364 100755 --- a/bin/hardening/7.2.2_disable_icmp_redirect.sh +++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh @@ -5,7 +5,7 @@ # # -# 7.2.2 Disable ICMP Redirect Acceptance (Scored) +# 3.2.2 Ensure ICMP redirects are not accepted (Scored) # set -e # One error, it's over @@ -14,7 +14,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption." -SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0' +SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0' # This function will be called if the script status is on enabled / audit mode audit () { 
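Review bot: Appending `net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0` to SYSCTL_PARAMS in 3.2.1 (and the matching `net.ipv6.conf.*.accept_redirects=0` keys in 3.2.2) makes these scripts query IPv6 sysctls on every host, but the guard the deleted 7.3.2_disable_ipv6_redirect.sh used, `does_sysctl_param_exists "net.ipv6"` followed by an early `ok "ipv6 is disabled"`, is not carried over, and whether audit() or apply() here handle a missing key cannot be seen because both bodies are outside the hunk. Since the list now mixes families, the skip has to be per key rather than around the whole loop, e.g. at the top of the loop body in both functions: `case $SYSCTL_PARAM in net.ipv6.*) does_sysctl_param_exists "net.ipv6"; if [ $FNRET != 0 ]; then ok "$SYSCTL_PARAM skipped, ipv6 is disabled"; continue; fi ;; esac`. Otherwise a host already hardened by 3.7_disable_ipv6.sh presumably fails 3.2.1 and 3.2.2 with crit on keys that do not exist. Separately, 7.2.6 (icmp_ignore_bogus_error_responses) and 7.2.7 (rp_filter) are deleted rather than renumbered to 3.2.6/3.2.7, so those two checks disappear from the set; if that is intended, a sentence in the commit message would make it explicit.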
diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh similarity index 97% rename from bin/hardening/7.2.3_disable_secure_icmp_redirect.sh rename to bin/hardening/3.2.3_disable_secure_icmp_redirect.sh index 8139d3d..f8981d5 100755 --- a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh +++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh @@ -5,7 +5,7 @@ # # -# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored) +# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/3.2.4_log_martian_packets.sh similarity index 97% rename from bin/hardening/7.2.4_log_martian_packets.sh rename to bin/hardening/3.2.4_log_martian_packets.sh index 2ec465b..4a14337 100755 --- a/bin/hardening/7.2.4_log_martian_packets.sh +++ b/bin/hardening/3.2.4_log_martian_packets.sh @@ -5,7 +5,7 @@ # # -# 7.2.4 Log Suspicious Packets (Scored) +# 3.2.4 Ensure suspicious packets are logged (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/3.2.5_ignore_broadcast_requests.sh similarity index 97% rename from bin/hardening/7.2.5_ignore_broadcast_requests.sh rename to bin/hardening/3.2.5_ignore_broadcast_requests.sh index 67005d7..8f2cae2 100755 --- a/bin/hardening/7.2.5_ignore_broadcast_requests.sh +++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh @@ -5,7 +5,7 @@ # # -# 7.2.5 Enable Ignore Broadcast Requests (Scored) +# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh similarity index 97% rename from bin/hardening/7.2.8_enable_tcp_syn_cookies.sh rename to bin/hardening/3.2.8_enable_tcp_syn_cookies.sh index 5d0b864..d4a5820 100755 --- a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh 
+++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh @@ -5,7 +5,7 @@ # # -# 7.2.8 Enable TCP SYN Cookies (Scored) +# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh similarity index 97% rename from bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh rename to bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh index 97cbacc..b93d276 100755 --- a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh +++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh @@ -5,7 +5,7 @@ # # -# 7.3.1 Disable IPv6 Router Advertisements (Not Scored) +# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/3.7_disable_ipv6.sh similarity index 98% rename from bin/hardening/7.3.3_disable_ipv6.sh rename to bin/hardening/3.7_disable_ipv6.sh index cd3c097..ab37350 100755 --- a/bin/hardening/7.3.3_disable_ipv6.sh +++ b/bin/hardening/3.7_disable_ipv6.sh @@ -5,7 +5,7 @@ # # -# 7.3.3 Disable IPv6 (Not Scored) +# 3.7 Disable IPv6 (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh deleted file mode 100755 index 954782f..0000000 --- a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 7.2.6 Enable Bad Error Message Protection (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Enable bad error message protection to prevent logfiles fillup." - -SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . 
/etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh deleted file mode 100755 index 95eafbe..0000000 --- a/bin/hardening/7.2.7_enable_source_route_validation.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 7.2.7 Enable RFC-recommended Source Route Validation (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Enable RFC-recommended source route validation." - -SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1' - -# This function will be called if the script status is on enabled / audit mode -audit () { - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done -} - -# This function will be called if the script status is on enabled mode -apply () { - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . 
/etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh deleted file mode 100755 index f9750f6..0000000 --- a/bin/hardening/7.3.2_disable_ipv6_redirect.sh +++ /dev/null 
@@ -1,86 +0,0 @@ -#!/bin/bash - -# -# CIS Debian Hardening -# - -# -# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 -DESCRIPTION="Disable IPv6 redirect acceptance." - -SYSCTL_PARAMS='net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0' - -# This function will be called if the script status is on enabled / audit mode -audit () { - does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then - ok "ipv6 is disabled" - else - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- Typo?" - else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - does_sysctl_param_exists "net.ipv6" - if [ $FNRET != 0 ]; then - ok "ipv6 is disabled" - else - for SYSCTL_VALUES in $SYSCTL_PARAMS; do - SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) - SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) - debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" - has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT - if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null - elif [ $FNRET = 255 ]; then - warn "$SYSCTL_PARAM does not exist -- typo?" 
- else - ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - done - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/tests/hardening/7.1.1_disable_ip_forwarding.sh b/tests/hardening/3.1.1_disable_ip_forwarding.sh similarity index 100% rename from tests/hardening/7.1.1_disable_ip_forwarding.sh rename to tests/hardening/3.1.1_disable_ip_forwarding.sh diff --git a/tests/hardening/7.1.2_disable_send_packet_redirects.sh b/tests/hardening/3.1.2_disable_send_packet_redirects.sh similarity index 100% rename from tests/hardening/7.1.2_disable_send_packet_redirects.sh rename to tests/hardening/3.1.2_disable_send_packet_redirects.sh diff --git a/tests/hardening/7.2.1_disable_source_routed_packets.sh b/tests/hardening/3.2.1_disable_source_routed_packets.sh similarity index 100% rename from tests/hardening/7.2.1_disable_source_routed_packets.sh rename to tests/hardening/3.2.1_disable_source_routed_packets.sh diff --git a/tests/hardening/7.2.2_disable_icmp_redirect.sh b/tests/hardening/3.2.2_disable_icmp_redirect.sh similarity index 100% rename from tests/hardening/7.2.2_disable_icmp_redirect.sh rename to tests/hardening/3.2.2_disable_icmp_redirect.sh 
diff --git a/tests/hardening/7.2.3_disable_secure_icmp_redirect.sh b/tests/hardening/3.2.3_disable_secure_icmp_redirect.sh
similarity index 100%
rename from tests/hardening/7.2.3_disable_secure_icmp_redirect.sh
rename to tests/hardening/3.2.3_disable_secure_icmp_redirect.sh
diff --git a/tests/hardening/7.2.4_log_martian_packets.sh b/tests/hardening/3.2.4_log_martian_packets.sh
similarity index 100%
rename from tests/hardening/7.2.4_log_martian_packets.sh
rename to tests/hardening/3.2.4_log_martian_packets.sh
diff --git a/tests/hardening/7.2.5_ignore_broadcast_requests.sh b/tests/hardening/3.2.5_ignore_broadcast_requests.sh
similarity index 100%
rename from tests/hardening/7.2.5_ignore_broadcast_requests.sh
rename to tests/hardening/3.2.5_ignore_broadcast_requests.sh
diff --git a/tests/hardening/7.2.6_enable_bad_error_message_protection.sh b/tests/hardening/3.2.8_enable_tcp_syn_cookies.sh
similarity index 100%
rename from tests/hardening/7.2.6_enable_bad_error_message_protection.sh
rename to tests/hardening/3.2.8_enable_tcp_syn_cookies.sh
diff --git a/tests/hardening/7.2.7_enable_source_route_validation.sh b/tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh
similarity index 100%
rename from tests/hardening/7.2.7_enable_source_route_validation.sh
rename to tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh
diff --git a/tests/hardening/7.2.8_enable_tcp_syn_cookies.sh b/tests/hardening/3.7_disable_ipv6.sh
similarity index 100%
rename from tests/hardening/7.2.8_enable_tcp_syn_cookies.sh
rename to tests/hardening/3.7_disable_ipv6.sh
diff --git a/tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh
deleted file mode 100644
index b333419..0000000
--- a/tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# run-shellcheck
-test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
- # TODO fill comprehensive tests
-}
diff --git a/tests/hardening/7.3.2_disable_ipv6_redirect.sh b/tests/hardening/7.3.2_disable_ipv6_redirect.sh
deleted file mode 100644
index b333419..0000000
--- a/tests/hardening/7.3.2_disable_ipv6_redirect.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# run-shellcheck
-test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
- # TODO fill comprehensive tests
-}
diff --git a/tests/hardening/7.3.3_disable_ipv6.sh b/tests/hardening/7.3.3_disable_ipv6.sh
deleted file mode 100644
index b333419..0000000
--- a/tests/hardening/7.3.3_disable_ipv6.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# run-shellcheck
-test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
- # TODO fill comprehensive tests
-}