a

ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+{
+    l_output="" l_output2=""
+    l_parlist="net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.secure_redirects=0"
+    l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
+    KPC() {
+        l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
+        l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
+        l_fafile="$(
+            grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}'
+        )"
+        if [ "$l_krp" = "$l_kpvalue" ]; then
+            l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
+        else
+            l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
+        fi
+        if [ -n "$l_pafile" ]; then
+            l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
+        else
+            l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
+        fi
+        [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
+    }
+    for l_kpe in $l_parlist; do
+        l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
+        l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
+        KPC
+    done
+    if [ -z "$l_output2" ]; then
+        echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+    else
+        echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+        [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+    fi
+}