From d1b371f41098ca92b09c5bf7ff9464c61feb5ef7 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Wed, 17 Feb 2021 11:45:20 +0100
Subject: [PATCH] Add is_ipv6_disabled (#57)
Modify some checks to make it pass when ipv6 is diabled
fix #50
modified: bin/hardening/3.1.1_disable_ipv6.sh
modified: bin/hardening/3.3.1_disable_source_routed_packets.sh
modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
modified: lib/utils.sh
Co-authored-by: GoldenKiwi
---
 bin/hardening/3.1.1_disable_ipv6.sh | 18 +++-----------
 .../3.3.1_disable_source_routed_packets.sh | 2 +-
 ...3.3.9_disable_ipv6_router_advertisement.sh | 16 ++++++-------
 lib/utils.sh | 24 +++++++++++++++++++
 4 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/bin/hardening/3.1.1_disable_ipv6.sh b/bin/hardening/3.1.1_disable_ipv6.sh
index 7c3b3b3..467588c 100755
--- a/bin/hardening/3.1.1_disable_ipv6.sh
+++ b/bin/hardening/3.1.1_disable_ipv6.sh
@@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_sysctl_param_exists "net.ipv6"
+ is_ipv6_enabled
 if [ "$FNRET" != 0 ]; then
 ok "ipv6 is disabled"
 else
- for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
- SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
- debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
- has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
- if [ "$FNRET" != 0 ]; then
- crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
- elif [ "$FNRET" = 255 ]; then
- warn "$SYSCTL_PARAM does not exist -- Typo?"
- else
- ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
- fi
- done
+ crit "ipv6 is enabled"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- does_sysctl_param_exists "net.ipv6"
+ is_ipv6_enabled
 if [ "$FNRET" != 0 ]; then
 ok "ipv6 is disabled"
 else
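Review bot: The audit now reduces the whole check to one `crit "ipv6 is enabled"`, so this script no longer says which of `net.ipv6.conf.{all,default,lo}.disable_ipv6` is still 0; that detail is only available through whatever is_ipv6_enabled in lib/utils.sh chooses to print, and the verdict should probably stay readable from this script alone. The branch also reads inverted at first sight, because is_ipv6_enabled leaves FNRET=0 for "enabled" (0 is the "true" value for does_sysctl_param_exists and has_sysctl_param_expected_result as well) while the test is `!= 0` → "disabled"; a one-line comment above each call, `# FNRET=0 => ipv6 enabled, 1 => disabled or no net.ipv6 sysctl tree`, would save the next reader a trip to utils.sh. The removed `elif [ "$FNRET" = 255 ]` branch was unreachable anyway since `!= 0` matched first, so nothing is lost there. apply() continues past the end of the hunk.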
diff --git a/bin/hardening/3.3.1_disable_source_routed_packets.sh b/bin/hardening/3.3.1_disable_source_routed_packets.sh
index 7d4b702..f1538a5 100755
--- a/bin/hardening/3.3.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.3.1_disable_source_routed_packets.sh
@@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
- does_sysctl_param_exists "net.ipv6"
+ is_ipv6_enabled
 if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
 SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
diff --git a/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh b/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
index 887c56b..c6b3a85 100755
--- a/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
@@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- does_sysctl_param_exists "net.ipv6"
- if [ "$FNRET" != 0 ]; then
- ok "ipv6 is disabled"
- else
+ is_ipv6_enabled
+ if [ "$FNRET" = 0 ]; then
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -38,15 +36,15 @@ audit() {
 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
 fi
 done
+ else
+ ok "ipv6 disabled"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- does_sysctl_param_exists "net.ipv6"
- if [ "$FNRET" != 0 ]; then
- ok "ipv6 is disabled"
- else
+ is_ipv6_enabled
+ if [ "$FNRET" = 0 ]; then
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
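Review bot: `is_ipv6_enabled` is now called inside `for SYSCTL_VALUES in $SYSCTL_PARAMS; do`, and the helper as added in lib/utils.sh by this same patch assigns `SYSCTL_PARAMS`, `SYSCTL_VALUES`, `SYSCTL_PARAM` and `SYSCTL_EXP_RESULT` as plain globals, so on any host where the `net.ipv6` tree exists the `$SYSCTL_VALUES` read on the next line is the helper's last entry, `net.ipv6.conf.lo.disable_ipv6=1`, and not the source-route parameter the loop is on; the helper's crit lines are also repeated once per iteration. The helper's variables need to be `local`, and the call belongs once before the loop with its result saved: `is_ipv6_enabled; IPV6_ENABLED=$FNRET` above `for`, then `if [ "$IPV6_ENABLED" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then`. Hoisting alone is not enough, because the helper's assignment to `SYSCTL_PARAMS` would then change what the `for` expands over. audit() continues beyond the hunk.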
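Review bot: `is_ipv6_enabled` overwrites the global `SYSCTL_PARAMS` (its definition in the lib/utils.sh hunk has no `local` on that assignment), so when `for SYSCTL_VALUES in $SYSCTL_PARAMS; do` expands two lines later the list is `net.ipv6.conf.*.disable_ipv6=1`, not the `accept_ra=0` pair set at the top of this script; whenever IPv6 is enabled the audit therefore reports at least one crit about disable_ipv6 and never looks at accept_ra at all. Either make every variable inside the helper `local`, or snapshot the list before the call: `PARAMS=$SYSCTL_PARAMS` before `is_ipv6_enabled`, then `for SYSCTL_VALUES in $PARAMS; do`. The new `ok "ipv6 disabled"` also differs from the `ok "ipv6 is disabled"` wording used in 3.1.1; one wording keeps the reports grep-able. audit() runs past the end of the hunk.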
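Review bot: apply() has the same clobbering as audit(): `is_ipv6_enabled` replaces `SYSCTL_PARAMS` with the `disable_ipv6=1` list before `for SYSCTL_VALUES in $SYSCTL_PARAMS; do` expands it, and if the loop body outside the hunk sets each listed parameter the way the audit branch reports them, running 3.3.9 in apply mode would set `net.ipv6.conf.{all,default,lo}.disable_ipv6=1` — switching IPv6 off on the host instead of only refusing router advertisements, a much larger change than this check is meant to make. Snapshot the list (`PARAMS=$SYSCTL_PARAMS` before the call, iterate `$PARAMS`) or fix the helper's scoping before this lands. The loop body is outside the hunk, so the apply-side consequence is inferred from the audit branch above.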
@@ -62,6 +60,8 @@ apply() {
 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
 fi
 done
+ else
+ ok "ipv6 disabled"
 fi
 }
diff --git a/lib/utils.sh b/lib/utils.sh
index 8e66c42..d73fbcf 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -46,6 +46,30 @@ set_sysctl_param() {
 fi
 }
+#
+# IPV6
+#
+
+is_ipv6_enabled() {
+ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+
+ does_sysctl_param_exists "net.ipv6"
+ local ENABLE=1
+ if [ "$FNRET" = 0 ]; then
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+ debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+ if [ "$FNRET" != 0 ]; then
+ crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+ ENABLE=0
+ fi
+ done
+ fi
+ FNRET=$ENABLE
+}
+
 #
 # Dmesg
 #
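Review bot: `is_ipv6_enabled` is a predicate but it writes four script-level globals — `SYSCTL_PARAMS`, `SYSCTL_VALUES`, `SYSCTL_PARAM`, `SYSCTL_EXP_RESULT` — while only `ENABLE` is `local`; 3.3.1 and 3.3.9 in this same patch use exactly those names for their own parameter lists and loop variables, so calling the helper silently swaps the caller's list for the `disable_ipv6=1` one and, in 3.3.1, overwrites the loop item. It also emits `crit` for every parameter that is not 1, which shows up as a critical finding in scripts whose check is about something else (accept_ra, source routing) and repeats on each call; a helper should log at `debug` level and let the caller decide what to report. Judging by the 3.1.1 code this patch removes, has_sysctl_param_expected_result presumably returns 255 for a missing key, which here counts as "enabled" — conservative and acceptable, but worth a comment. Rewritten with locals and debug-level logging:
```shell
is_ipv6_enabled() {
    # FNRET=0 -> IPv6 considered enabled (some disable_ipv6 knob is not 1);
    # FNRET=1 -> all three are 1, or there is no net.ipv6 sysctl tree at all.
    # Everything is local so callers keep their own SYSCTL_PARAMS / SYSCTL_VALUES.
    local SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
    local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT
    local ENABLE=1
    # … unchanged: does_sysctl_param_exists "net.ipv6" check and the for loop over SYSCTL_PARAMS …
            if [ "$FNRET" != 0 ]; then
                # a missing key lands here too and is treated as "enabled"; callers report the verdict
                debug "$SYSCTL_PARAM is not set to $SYSCTL_EXP_RESULT, considering ipv6 enabled"
                ENABLE=0
            fi
    # … unchanged: done / fi / FNRET=$ENABLE …
}
```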