Add is_ipv6_disabled (#57)

Modify some checks to make it pass when ipv6 is diabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>

bin/hardening/3.1.1_disable_ipv6.sh

@@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        crit "ipv6 is enabled"
-            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
-            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ "$FNRET" != 0 ]; then
-                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ "$FNRET" = 255 ]; then
-                warn "$SYSCTL_PARAM does not exist -- Typo?"
-            else
-                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-            fi
-        done
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else

bin/hardening/3.3.1_disable_source_routed_packets.sh

@@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        does_sysctl_param_exists "net.ipv6"
+        is_ipv6_enabled
         if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)

bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

@@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
-        ok "ipv6 is disabled"
-    else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -38,15 +36,15 @@ audit() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
-        ok "ipv6 is disabled"
-    else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -62,6 +60,8 @@ apply() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 

lib/utils.sh

@@ -46,6 +46,30 @@ set_sysctl_param() {
     fi
 }
 
+#
+# IPV6
+#
+
+is_ipv6_enabled() {
+    SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+
+    does_sysctl_param_exists "net.ipv6"
+    local ENABLE=1
+    if [ "$FNRET" = 0 ]; then
+        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+                ENABLE=0
+            fi
+        done
+    fi
+    FNRET=$ENABLE
+}
+
 #
 # Dmesg
 #