tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
harbian-audit/bin/hardening/7.7.4.2_ensure_loopback_tra...

120 lines
4.1 KiB
Bash
Raw Permalink Normal View History

Add 7.7.5
2019-04-08 22:03:38 +02:00
#!/bin/bash
#
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
Add 7.7.5
2019-04-08 22:03:38 +02:00
#
#
Add audit and apply methods for ipv6 firewall rules.
2019-04-16 12:09:05 +02:00
# 7.7.4.2 Ensure loopback traffic is configured (Scored)
Add 7.7.5
2019-04-08 22:03:38 +02:00
# Include ipv4 and ipv6
Implement audit and apply methods for 7.6 disable_wireless.
2019-04-12 10:07:44 +02:00
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
Add 7.7.5
2019-04-08 22:03:38 +02:00
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
Fix some bug for 7.7.4 and 7.7.5
2019-04-09 10:59:31 +02:00
INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
Add audit and apply methods for ipv6 firewall rules.
2019-04-16 12:09:05 +02:00
IP4VERSION="IPS4"
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
PACKAGE_NFT='nftables'
Fix some bug for 7.7.4 and 7.7.5
2019-04-09 10:59:31 +02:00
Add 7.7.5
2019-04-08 22:03:38 +02:00
# This function will be called if the script status is on enabled / audit mode
audit () {
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi
Fix bug for 7.7.5.
2019-04-09 06:28:45 +02:00
else
Fix #44: Debian 11 uses ntfables, not iptables. Update 7.7.2 7.7.3 7.7.4.1 7.7.4.3 7.7.4.4 7.7.5.1 7.7.5.2 7.7.5.3 7.7.5.4 for nftables.
2023-06-16 18:12:06 +02:00
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter INPUT 2>/dev/null | grep -c 'saddr.*127.0.0.0/8.*drop') -gt 0 ]; then
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
FNRET=10
else
crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
FNRET=11
fi
Add audit and apply methods for ipv6 firewall rules.
2019-04-16 12:09:05 +02:00
fi
Add 7.7.5
2019-04-08 22:03:38 +02:00
}
# This function will be called if the script status is on enabled mode
apply () {
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
if [ $FNRET = 10 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
Fix some bugs for 7.7.5
2019-04-09 10:31:57 +02:00
else
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
else
warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
Fix some bugs for 7.7.5
2019-04-09 10:31:57 +02:00
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
Fix some bugs for 7.7.5
2019-04-09 10:31:57 +02:00
Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.
2023-06-15 20:43:44 +02:00
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
Fix some bugs for 7.7.5
2019-04-09 10:31:57 +02:00
fi
Add 7.7.5
2019-04-08 22:03:38 +02:00
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi