From d4bbc786a60694847d75d2d2e55363005b5e4146 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Wed, 30 Oct 2019 15:20:30 +0100
Subject: [PATCH] IMP(3.2.1-2): set sysctl params in config file
---
 bin/hardening/3.2.1_disable_source_routed_packets.sh | 12 ++++++++++--
 bin/hardening/3.2.2_disable_icmp_redirect.sh | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/bin/hardening/3.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh
index 472b5b3..2bdb1b9 100755
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@@ -13,8 +13,8 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Disable source routed packet acceptance."
-
-SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0'
+# set in config file
+SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -52,6 +52,14 @@ apply () {
 done
 }
+# This function will create the config file for this check with default values
+create_config() {
+ cat <
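Review bot: In the first hunk of 3.2.1_disable_source_routed_packets.sh, `SYSCTL_PARAMS=''` becomes the in-script default, so a missing or incomplete config file leaves the list empty, and `set -u` will not catch it because the variable is set. If `audit` and `apply` loop over `$SYSCTL_PARAMS`, as the `done` in the second hunk suggests, an empty list would presumably let the check pass without testing any `accept_source_route` key, so the audit fails open. Consider failing closed at the top of both functions with something like `[ -n "$SYSCTL_PARAMS" ] || { echo "SYSCTL_PARAMS is empty, check the config file" >&2; return 1; }`, reporting through the project's usual failure path, or keep the four removed keys as a fallback default. The bodies of `audit` and `apply` lie outside the hunk, so confirm how they consume the variable.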