Modify for firewall

2018-11-26 12:45:43 -05:00 · 2018-11-26 12:45:43 -05:00 · 0aa16f3e6d
parent 60be85163b
commit 0aa16f3e6d
4 changed files with 76 additions and 6 deletions
--- a/bin/hardening/7.7.1_enable_firewall.sh
+++ b/bin/hardening/7.7.1_enable_firewall.sh
@ -6,6 +6,7 @@

 #
 # 7.7.1 Ensure Firewall is active (Scored)
+# Modify Authors : Samson wen, Samson <sccxboy@gmail.com>
 #

 set -e # One error, it's over
--- a/bin/hardening/7.7.2_ensure_set_firewall_rules.sh
+++ b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh
@ -6,6 +6,7 @@

 #
 # 7.7.2 Ensure the Firewall is set rules (Scored)
+# Add this feature:Authors : Samson wen, Samson <sccxboy@gmail.com> 
 #

 set -e # One error, it's over
@ -23,8 +24,10 @@ audit () {
    check_iptables_set ${PARAM}
    if [ $FNRET != 0 ]; then
        crit "Iptables is not set rule!"
+        FNRET=1
    else
        ok "Iptables rules are set!"
+        FNRET=0
    fi
 }

--- a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
+++ b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# harbian audit 9  Hardening
+#
+
+#
+# 7.7.2 Ensure the Firewall is set rules of protect DOS attacks (Scored)
+# Add this feature:Authors : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Quick note here : CIS recommends your iptables rules to be persistent. 
+# Do as you want, but this script does not handle this
+
+PARAM='SETDOS'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    check_iptables_set ${PARAM}
+    echo "fffffffffffffffffffffffffffffffffffff"
+    if [ $FNRET != 0 ]; then
+        crit "Iptables is not set rules of protect DOS attacks!"
+        FNRET=1
+    else
+        ok "Iptables has set rules for protect DOS attacks!"
+        FNRET=0
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    if [ $FNRET = 0 ]; then
+        ok "Iptables has set rules for protect DOS attacks!"
+    else
+        warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -677,16 +677,17 @@ check_iptables_set()
 {
    case $1 in
        SETRULE)
-            COUNT=$(iptables -S | grep -Ec "^-A|^-I")
-            if [ "${COUNT}" -gt 0 ]; then
-                FNRET=1
-            else
+            COUNTLINE=$(/sbin/iptables -S | grep -Ec "^-A|^-I")
+            if [ ${COUNTLINE} -gt 0 ]; then
                FNRET=0
+            else
+                FNRET=1
            fi
        ;;
        SETDOS)
-            COUNT=$(iptables -S | grep "\-m.*limit" | grep -c "\-\-limit-burst")
-            if [ "${COUNT}" -eq 0 ]; then
+            COUNTLINE=$(/sbin/iptables -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") 
+            echo "fsfdsfdsfdfffffffffffffffff"
+            if [ ${COUNTLINE} -eq 0 ]; then
                FNRET=1
            else
                FNRET=0