From 1504370e416240d486e7aa1f88fbd7277c97e77d Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 11 Jan 2018 10:19:16 +0100
Subject: Added solution, extended timestamps key values, allow multiple values

---
 default.prf | 2 +-
 include/tests_kernel_hardening | 44 ++++++++++++++++++++++++++----------------
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/default.prf b/default.prf
index 5ebe68cb..93b54928 100644
--- a/default.prf
+++ b/default.prf
@@ -253,7 +253,7 @@ config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets
 config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
 #config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
 config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
-config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index 54479895..7ed07e3d 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
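Review bot: The `0|1` on the new tcp_timestamps line introduces a multi-value syntax for the expected-value field that nothing in the profile explains, so a reader of default.prf cannot tell whether `|` means "either" or is a literal. A one-line comment above the sysctl block, such as `# the expected-value field may hold several acceptable values separated by '|'`, would document it where it is first used. Accepting 1 as well as 0 means a host running the kernel default no longer raises a finding for this key; if the kernel in use supports the value 2 (timestamps without randomised offsets), that value still fails the check, which appears to be the intent of the new description.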
@@ -71,32 +71,42 @@
 for I in ${DATA_TO_SCAN}; do
 tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }')
- tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }')
- tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
- tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
- tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
- if [ ! "${tFINDcurvalue}" = "" ]; then
- if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
- LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
- Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
- AddHP ${tFINDhp} ${tFINDhp}
+ if ! SkipAtomicTest "${TEST_NO}:${tFINDkey}"; then
+ tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }' | ${TRBINARY} '|' ' ')
+ tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
+ tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
+ tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
+ if [ ! -z "${tFINDcurvalue}" ]; then
+ positive_match=0
+ for value in ${tFINDexpvalue}; do
+ if [ "${value}" = "${tFINDcurvalue}" ]; then
+ positive_match=1
+ fi
+ done
+ if [ ${positive_match} -eq 1 ]; then
+ LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
+ AddHP ${tFINDhp} ${tFINDhp}
+ else
+ LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+ AddHP 0 ${tFINDhp}
+ FOUND=1
+ N=$((N + 1))
+ ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
+ fi
 else
- LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
- Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
- AddHP 0 ${tFINDhp}
- FOUND=1
- N=$((N + 1))
- ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
+ LogText "Result: key ${tFINDkey} does not exist on this machine"
 fi
 else
- LogText "Result: key ${tFINDkey} does not exist on this machine"
+ LogText "Skipped test for ${tFINDkey} via profile"
 fi
 done
 
 # Add suggestion if one or more sysctls have a different value than scan profile
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: found ${N} keys that can use tuning, according scan profile"
- ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked"
+ ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:)"
 fi
 fi
 
 #
-- 
cgit v1.2.3
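Review bot: The `tr '|' ' '` on the new `tFINDexpvalue=` line is the only place the multi-value profile syntax is defined, yet it carries no explanation; a comment such as `# profile may list several acceptable values separated by '|'; split into words for the match loop` would tell a maintainer why the field is rewritten. Because the split happens in place, `tFINDexpvalue` is space-separated from then on, so the Display text, the log lines and `--preferredvalue` show `0 1` rather than the `0|1` the user wrote in the profile, which is worth either documenting or keeping a separate display copy. As a point of style, the match loop keeps iterating after `positive_match=1` where a `break` would end it, and `[ ! -z "${tFINDcurvalue}" ]` is the long form of `[ -n "${tFINDcurvalue}" ]`. The suggestion text `skip-test=${TEST_NO}:` leaves the reader to guess that the sysctl key belongs after the colon; spelling it as `skip-test=${TEST_NO}:<sysctl-key>` makes the form self-explaining. The outer `if` closed by the hunk's final `fi` begins above the hunk.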