Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.

Samson-W 2023-06-16 02:43:44 +08:00
parent f0d0f65467
commit 1b4337464a
6 changed files with 253 additions and 136 deletions


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -17,27 +17,43 @@ HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!"
FNRET=1
else
ok "Iptables/Ip6tables rules are set!"
FNRET=0
fi
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!"
FNRET=1
else
ok "Iptables/Ip6tables rules are set!"
FNRET=0
fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^table' | grep -v 'chain.*{' | grep -v '}' | grep -v 'policy' | grep -v '^$' | wc -l) -gt 0 ]; then
ok "nftables rules are set!"
FNRET=10
else
crit "Nftables is not set rule!"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Iptables/Ip6tables rules are set!"
else
elif [ $FNRET = 10 ]; then
ok "Nftables rules are set!"
elif [ $FNRET = 1 ]; then
warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it."
elif [ $FNRET = 2 ]; then
warn "Nftables rules are not set, need the administrator to manually add it."
fi
}
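Review bot: The "nftables rules missing" code is `FNRET=2` at L48, while the other files touched by this commit use 11 for the same condition (L157, L207, L312, L520), and 10/2/11 are undocumented magic values that apply() then dispatches on; one scheme across the scripts, documented once above audit(), would avoid a caller misreading 2 as the old "error" code, e.g. `# FNRET: 0/1 = iptables rules present/absent, 10/11 = nftables rules present/absent`. Separately, the branch at L33-L34 is chosen by whether the nftables package is installed, not by which backend actually holds rules, so a host with the package present but rules loaded only via legacy iptables is reported by the nft pipeline at L43, and that pipeline counts any non-structural line of `nft list ruleset`, so a single `counter` or `jump` line already counts as "rules are set". Consider treating "package installed" as a hint and falling back to the iptables check when the nft count is 0, e.g. `if [ "$NFT_RULES" -eq 0 ] && [ -x "$IPS4" ]; then` before declaring crit.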


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -17,6 +17,7 @@ HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
IPV4_RET=1
IPV6_RET=1
@ -27,48 +28,63 @@ IPV6_ISENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
if [ $(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst') -gt 0 ]; then
FNRET=10
ok "nftables has set rules for protect DOS attacks!"
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
FNRET=11
crit "nftables is not set rules for protect DOS attacks!"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
if [ $FNRET = 10 ]; then
ok "nftables has set rules for protect DOS attacks!"
elif [ $FNRET = 11 ]; then
crit "nftables is not set rules for protect DOS attacks!"
elif [ $FNRET = 0 ]; then
if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
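Review bot: The nft check at L151 only matches rules that spell out a `burst` clause, but in nftables the burst is optional (`limit rate 25/second` is a valid rate limiter), so a host with a plain rate limit is marked crit as having no DoS protection; `grep -c 'limit rate'` would cover both forms, and the `grep -v '^$'` in front of `grep -c` is redundant. The iptables branch also keeps its per-family IPV4_RET/IPV6_RET detail, whereas the nft branch never calls `check_ipv6_is_enable`, so IPV6_ISENABLE stays at its default and an IPv6-only ruleset is judged by the same `nft list ruleset` grep without being reported per family; a short comment such as `# nft ruleset covers all families, so no separate v4/v6 split here` would make that intentional. apply() continues past the end of this hunk.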


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -16,21 +16,37 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
FNRET=1
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
FNRET=1
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
fi
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
fi
if [ $(nft list ruleset | grep -c 'input.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'output.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'forward.*policy drop') -eq 0 ]; then
crit "nftables: Firewall policy is not default deny!"
FNRET=11
else
ok "nftables has set default deny for firewall policy!"
FNRET=10
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
if [ $FNRET = 10 ]; then
ok "nftables has set default deny for firewall policy!"
elif [ $FNRET = 11 ]; then
warn "nftables is not set default deny for firewall policy! need the administrator to manually add it."
elif [ $FNRET = 0 ]; then
ok "Iptables has set default deny for firewall policy!"
else
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
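Review bot: The condition at L205 runs `nft list ruleset` three times with no `2>/dev/null` (unlike L43 and L151), so on a host where nft fails the audit log fills with nft errors, and the patterns `input.*policy drop` etc. are not anchored to a base chain: any line containing the word "input" (a chain name, a comment, a rule matching `iifname`) followed later by `policy drop` satisfies it, while a real base chain line reads `type filter hook input priority ...; policy drop;`. Capturing once and matching on the hook keyword is both cheaper and stricter: `NFT_RULESET=$(nft list ruleset 2>/dev/null)` then `grep -c 'hook input.*policy drop' <<<"$NFT_RULESET"` (and likewise for output/forward). apply() continues past the end of this hunk.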


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
@ -19,61 +19,79 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
if [ $(nft list chain ip filter INPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter OUTPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter INPUT | grep -c 'saddr.*127.0.0.0/8.*drop') -gt 0 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
FNRET=10
else
crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
FNRET=11
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
if [ $FNRET = 10 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
else
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
else
warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
fi
}
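Review bot: The regex `lo.*accept` at L307 matches any rule whose text contains "lo" before "accept" — `... log prefix "x" accept`, a `flow` or `local` comment — so an INPUT chain with no loopback rule at all can pass this loopback check; nft prints the interface match as `iif "lo"` or `iifname "lo"`, so `grep -Ec 'iif(name)? "lo".*accept'` is the check actually intended, and in the third term the dots of `127.0.0.0/8` are regex wildcards that should be escaped. The table/chain names `ip filter INPUT` are the ones iptables-nft creates; a natively written nftables ruleset usually lives in `inet filter input` or similar, so native users will always get the crit at L311, and the three `nft list chain` calls have no `2>/dev/null`, so a missing table prints an error per call. A comment stating the assumption, `# expects the iptables-nft layout: table ip filter, chains INPUT/OUTPUT`, would at least make the false negative understandable.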


@ -1,12 +1,11 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
# 7.7.4.3 Ensure default deny firewall policy (Scored)
# For ipv4
# 7.7.4.3 Ensure firewall rules exist for all open ports (Scored)
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -16,12 +15,19 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
PACKAGE_NFT='nftables'
NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ISNFTABLES=1
else
ISNFTABLES=0
fi
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
@ -30,18 +36,36 @@ audit () {
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
if [ $ISNFTABLES = 1 ]; then
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi
else
if [ $(nft list chain ip filter INPUT | grep -c "dport.*$LISTEN_PORT.*new.*accept") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
fi
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
else
ok "Iptables has set firewall rules exist for all open ports!"
fi
else
ok "Iptables has set firewall rules exist for all open ports!"
if [ -f $PROTO_PORT ]; then
crit "Nftables is not set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
}
@ -52,11 +76,19 @@ apply () {
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
if [ $ISNFTABLES = 1 ]; then
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
else
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
fi
done
rm -f $PROTO_PORT
else
ok "Iptables has set firewall rules exist for all open ports!"
if [ $ISNFTABLES = 1 ]; then
ok "Iptables has set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
}
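Review bot: The nft match at L402, `dport.*$LISTEN_PORT.*new.*accept`, is neither anchored on the port nor tied to the protocol, unlike the iptables check at L395: a rule for tcp port 2222 satisfies the check for port 22, and a udp listener is accepted by a tcp rule. `grep -Ec "${PROTO_TYPE} dport ${LISTEN_PORT}( |$).*new.*accept"` matches the way nft prints a single-port rule (ports in a set, `dport { 22, 80 }`, would still need separate handling — worth a comment). The flag names are also inverted: at L378 `ISNFTABLES=1` is set when nftables is not installed (same for `IS_NFT=1` at L471 in the next file), which is easy to misread; `USE_IPTABLES=1` / `USE_IPTABLES=0` says what the branches actually do. audit() starts in an earlier hunk; apply() starts outside the last hunk.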


@ -1,12 +1,11 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
#
#
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -20,52 +19,72 @@ RET_VALUE2=1
PROTOCOL_LIST="tcp udp icmp"
IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
IS_NFT=1
else
IS_NFT=0
fi
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
if [ $IS_NFT = 1 ]; then
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
break
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
break
fi
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
FNRET=10
else
crit "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
FNRET=11
fi
return
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured!"
FNRET=0
else
crit "Outbound and established connections are not configured!"
FNRET=1
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
if [ $FNRET = 0 ]; then
ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!"
elif [ $FNRET = 11 ]; then
warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
elif [ $FNRET = 10 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
elif [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
else
:
fi
}
# This function will check config parameters required
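Review bot: In the nft branch the `return` at L522 leaves audit() after the first protocol in PROTOCOL_LIST, so udp and icmp are never examined, while the iptables branch loops over all three; and because nft rulesets usually express this as a protocol-agnostic `ct state established,related accept`, `grep -c "${protocol}.*established.*accept"` at L515 will generally report a configured host as crit. In apply(), FNRET is tested at L548 only after the loop at L535-L547 has called `check_input_with_established_is_accept` / `check_outbound_connect_is_accept`, which set FNRET themselves (L479 relies on that), so the audit's 10/11 values are most likely overwritten before the `elif` chain at L550-L552 sees them; storing the audit verdict in its own variable, e.g. `NFT_RET=$FNRET` at L517/L520 and `if [ "$NFT_RET" = 10 ]` in apply(), keeps the two from colliding. The messages at L549-L555 also print `$protocol`, which after the loop is always the last list entry, and L555 labels the iptables case (FNRET=1) as "(nft)".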