harbian-audit/bin/hardening/7.7.3_ensure_firewall_set_p...

124 lines
3.5 KiB
Bash
Raw Normal View History

2018-11-26 18:45:43 +01:00
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
2018-11-26 18:45:43 +01:00
#
#
2018-11-26 19:05:23 +01:00
# 7.7.3 Ensure the Firewall is set rules of protect DOS attacks (Scored)
# Include ipv4 and ipv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
2018-11-26 18:45:43 +01:00
#
#set -e # One error, it's over
2018-11-26 18:45:43 +01:00
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
IPV4_RET=1
IPV6_RET=1
IPV6_ISENABLE=1
2018-11-26 18:45:43 +01:00
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst') -gt 0 ]; then
FNRET=10
ok "nftables has set rules for protect DOS attacks!"
else
FNRET=11
crit "nftables is not set rules for protect DOS attacks!"
fi
fi
2018-11-26 18:45:43 +01:00
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 10 ]; then
ok "nftables has set rules for protect DOS attacks!"
elif [ $FNRET = 11 ]; then
crit "nftables is not set rules for protect DOS attacks!"
elif [ $FNRET = 0 ]; then
if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
ok "Iptables has set rules for protect DOS attacks!"
fi
2018-11-26 18:45:43 +01:00
else
if [ $IPV6_ISENABLE -eq 0 ]; then
warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
else
warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
fi
2018-11-26 18:45:43 +01:00
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi