IMP(3.2.1-2): set sysctl params in config file

2024-11-22 13:37:02 +01:00 · 2019-10-30 15:20:30 +01:00 · 2019-10-30 15:20:30 +01:00 · d4bbc786a6
commit d4bbc786a6
parent 625a6206c7
2 changed files with 20 additions and 4 deletions
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@ -13,8 +13,8 @@ set -u # One variable unset, it's over

 HARDENING_LEVEL=2
 DESCRIPTION="Disable source routed packet acceptance."
-
-SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0'
+# set in config file
+SYSCTL_PARAMS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -52,6 +52,14 @@ apply () {
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0"
+EOF
+}
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@ -13,8 +13,8 @@ set -u # One variable unset, it's over

 HARDENING_LEVEL=2
 DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
-
-SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
+# set in config file
+SYSCTL_PARAMS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -52,6 +52,14 @@ apply () {
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
+EOF
+}
 # This function will check config parameters required
 check_config() {
    :