mirror of
https://github.com/ovh/debian-cis.git
synced 2025-08-31 11:54:07 +02:00
94f110d9b3
* fix: ipv6 may be enabled on a single interface * feat: add new checks for debian12 systemd_timesyncd_is_enabled_and_running.sh -> 2.3.2.2 rpcbind_is_disabled.sh -> 2.1.12 ftp_client_not_installed.sh -> 2.2.6 chrony_with_chrony_user.sh -> 2.3.3.2 ipv6_is_enabled.sh -> 3.1.1 --------- Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
66 lines
2.0 KiB
Bash
66 lines
2.0 KiB
Bash
# shellcheck shell=bash
|
|
# run-shellcheck
|
|
is_ipv6_enabled() {
|
|
|
|
CURRENT_IPV6_ENABLED=1
|
|
if sysctl net.ipv6 >/dev/null 2>&1; then
|
|
for iface in /proc/sys/net/ipv6/conf/*; do
|
|
ifname=$(basename "$iface")
|
|
if [ "$ifname" != "default" ] && [ "$ifname" != "all" ]; then
|
|
value=$(cat "$iface"/disable_ipv6)
|
|
# if only one interface has ipv6, this is enough to consider it enabled
|
|
if [ "$value" -eq 0 ]; then
|
|
CURRENT_IPV6_ENABLED=0
|
|
break
|
|
fi
|
|
fi
|
|
done
|
|
fi
|
|
}
|
|
|
|
test_audit() {
|
|
# shellcheck disable=2154
|
|
"${CIS_CHECKS_DIR}/${script}.sh" --create-config-files-only
|
|
|
|
is_ipv6_enabled
|
|
if [ "$CURRENT_IPV6_ENABLED" -eq 0 ]; then
|
|
describe prepare failing test
|
|
# shellcheck disable=2154
|
|
sed -i '/^IPV6_ENABLED/s/=.*$/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
describe Running failed test
|
|
register_test retvalshouldbe 1
|
|
# shellcheck disable=2154
|
|
run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe fix situation
|
|
# shellcheck disable=2154
|
|
sed -i '/^IPV6_ENABLED/s/=.*$/=0/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
describe Running successful test
|
|
register_test retvalshouldbe 0
|
|
# shellcheck disable=2154
|
|
run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
else
|
|
describe prepare failing test
|
|
# shellcheck disable=2154
|
|
sed -i '/^IPV6_ENABLED/s/=.*$/=0/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
describe Running failed test
|
|
register_test retvalshouldbe 1
|
|
# shellcheck disable=2154
|
|
run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
describe fix situation
|
|
sed -i '/^IPV6_ENABLED/s/=.*$/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
describe Running successful test
|
|
register_test retvalshouldbe 0
|
|
# shellcheck disable=2154
|
|
run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
fi
|
|
|
|
}
|