Add is_ipv6_disabled (#57)
Modify some checks to make it pass when ipv6 is disabled fix #50 modified: bin/hardening/3.1.1_disable_ipv6.sh modified: bin/hardening/3.3.1_disable_source_routed_packets.sh modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh modified: lib/utils.sh Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
This commit is contained in:
parent
6ab1cab3ce
commit
d1b371f410
@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
# This function will be called if the script status is on enabled / audit mode
audit() {
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
crit "ipv6 is enabled"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
is_ipv6_enabled
if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
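Review bot: The is_ipv6_enabled call at L124 runs inside the loop over $SYSCTL_PARAMS, and the helper added to lib/utils.sh in this same commit iterates `for SYSCTL_VALUES in ...` without declaring that variable local, so whenever net.ipv6 exists the `$SYSCTL_VALUES` tested at L127 and split at L130/L133 is the helper's last entry (`net.ipv6.conf.lo.disable_ipv6=1`) rather than this script's current parameter. Every iteration then derives SYSCTL_PARAM from the wrong key, and when IPv6 is disabled the `! =~ .*ipv6.*` test is false as well, so even the non-IPv6 entries are skipped outright. Call the helper once before the loop and keep its answer: `is_ipv6_enabled` and `IPV6_ENABLED=$FNRET` ahead of the `for`, then `if [ "$IPV6_ENABLED" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then`. If apply() mirrors this pattern it needs the same treatment; that function and the rest of audit() are outside the hunk.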
@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
is_ipv6_enabled
if [ "$FNRET" = 0 ]; then
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -38,15 +36,15 @@ audit() {
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
else
ok "ipv6 disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
else
is_ipv6_enabled
if [ "$FNRET" = 0 ]; then
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -62,6 +60,8 @@ apply() {
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
done
else
ok "ipv6 disabled"
fi
}
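Review bot: In the first hunk audit() calls is_ipv6_enabled at L160 and only afterwards expands `$SYSCTL_PARAMS` at L166, but the helper added to lib/utils.sh in this commit assigns `SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 …'` as a global, so on a host where IPv6 is enabled the loop checks the three disable_ipv6 keys for the value 1 instead of the accept_ra keys from this script's own header — the router-advertisement setting is never audited and the run reports "disable_ipv6 was not set to 1" as a critical finding, which is not what 3.3.9 is about. apply() has the same ordering at L219/L225, so whatever it does per entry would be aimed at the disable_ipv6 keys; its body after L231 is outside the hunk, so confirm there. Until the helper stops writing that variable, snapshot the list before the call: `PARAMS_TO_CHECK=$SYSCTL_PARAMS` ahead of `is_ipv6_enabled`, then `for SYSCTL_VALUES in $PARAMS_TO_CHECK; do` in both functions. SYSCTL_PARAM and SYSCTL_EXP_RESULT are rewritten by the helper too, though here they are reassigned at L169/L172 and L228/L231 before being read.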
24
lib/utils.sh
24
lib/utils.sh
@ -46,6 +46,30 @@ set_sysctl_param() {
fi
}
#
# IPV6
#
is_ipv6_enabled() {
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
does_sysctl_param_exists "net.ipv6"
local ENABLE=1
if [ "$FNRET" = 0 ]; then
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
ENABLE=0
fi
done
fi
FNRET=$ENABLE
}
#
# Dmesg
#
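Review bot: is_ipv6_enabled writes SYSCTL_PARAMS (L290), SYSCTL_VALUES (L304), SYSCTL_PARAM (L307) and SYSCTL_EXP_RESULT (L310) as globals — only ENABLE is local — and the check scripts modified in this same commit use exactly those names for their own parameter lists, so any caller that invokes the helper before reading `$SYSCTL_PARAMS` or `$SYSCTL_VALUES` ends up looking at the three disable_ipv6 keys instead of its own. Make the helper side-effect free: `local SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'` and `local SYSCTL_VALUES SYSCTL_PARAM SYSCTL_EXP_RESULT`, leaving FNRET as the only value that escapes. The `crit` at L322 is also questionable in a predicate: callers that merely want to know whether IPv6 is on (accept_ra, source-routing) would log "disable_ipv6 was not set to 1" as a finding on every IPv6-enabled host, and since the `!= 0` test at L319 also catches the 255 "parameter does not exist" result, a missing key silently counts as "enabled" where the old 3.1.1 code emitted a separate warn; `debug` is the safer level here, with the caller deciding what to report, and whether crit affects the check's exit status should be confirmed in the logging helpers. A header comment stating the contract would avoid misreads, e.g. `# Sets FNRET=0 when IPv6 is enabled (some disable_ipv6 key is not 1), 1 when all three are 1 or net.ipv6 does not exist`.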