Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.

This commit is contained in:
Samson-W 2023-06-16 02:43:44 +08:00
parent f0d0f65467
commit 1b4337464a
6 changed files with 253 additions and 136 deletions


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -17,12 +17,15 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!" crit "Iptables/Ip6tables is not set rule!"
FNRET=1 FNRET=1
@ -30,14 +33,27 @@ audit () {
ok "Iptables/Ip6tables rules are set!" ok "Iptables/Ip6tables rules are set!"
FNRET=0 FNRET=0
fi fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^table' | grep -v 'chain.*{' | grep -v '}' | grep -v 'policy' | grep -v '^$' | wc -l) -gt 0 ]; then
ok "nftables rules are set!"
FNRET=10
else
crit "Nftables is not set rule!"
FNRET=2
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Iptables/Ip6tables rules are set!" ok "Iptables/Ip6tables rules are set!"
else elif [ $FNRET = 10 ]; then
ok "Nftables rules are set!"
elif [ $FNRET = 1 ]; then
warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it." warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it."
elif [ $FNRET = 2 ]; then
warn "Nftables rules are not set, need the administrator to manually add it."
fi fi
} }
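Review bot: The nftables branch at L35 passes as soon as any non-structural line appears anywhere in the ruleset, whereas the iptables branch requires rules for both IPv4 and IPv6; an `ip6`-only table therefore reports `ok` while no IPv4 rule has been checked. Listing per family, e.g. `nft list ruleset ip 2>/dev/null` and `nft list ruleset ip6 2>/dev/null`, and requiring both counts to be non-zero would hold the two backends to the same standard (an `inet` table covers both families and could be accepted too). The grep chain also counts comment lines and set `elements` lines as rules; `grep -Ec '(accept|drop|reject|jump|goto)'` would be a closer approximation of "a rule exists". Note that `is_pkg_installed nftables` alone selects the backend, so on a host with both packages present the iptables rules are never examined.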


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -17,6 +17,7 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
IPV4_RET=1 IPV4_RET=1
IPV6_RET=1 IPV6_RET=1
@ -27,6 +28,8 @@ IPV6_ISENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# ipv4 # ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!" info "Iptables is not set rules of protect DOS attacks!"
@ -64,11 +67,24 @@ audit () {
FNRET=0 FNRET=0
fi fi
fi fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst') -gt 0 ]; then
FNRET=10
ok "nftables has set rules for protect DOS attacks!"
else
FNRET=11
crit "nftables is not set rules for protect DOS attacks!"
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 10 ]; then
ok "nftables has set rules for protect DOS attacks!"
elif [ $FNRET = 11 ]; then
crit "nftables is not set rules for protect DOS attacks!"
elif [ $FNRET = 0 ]; then
if [ $IPV6_ISENABLE -eq 0 ]; then if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!" ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else else
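Review bot: The nftables check at L84 requires `limit` and `burst` on the same line, but an nft rate limit written without an explicit burst (`limit rate 10/second`) is still a rate limit and would be reported as missing; `grep -c 'limit rate'` covers both forms. The iptables branch checks IPv4 and IPv6 separately, while the single `nft list ruleset` grep is satisfied by a rule in any one family, so an IPv6-only limit passes the IPv4 host. The `-eq 0` comparison on an unquoted `$(...)` count is fragile if nft prints nothing; `[[ "$(...)" -gt 0 ]]` is the safer bash form. apply()'s body continues past the hunk.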


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -16,9 +16,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!" crit "Iptables: Firewall policy is not default deny!"
FNRET=1 FNRET=1
@ -26,11 +29,24 @@ audit () {
ok "Iptables has set default deny for firewall policy!" ok "Iptables has set default deny for firewall policy!"
FNRET=0 FNRET=0
fi fi
else
if [ $(nft list ruleset | grep -c 'input.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'output.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'forward.*policy drop') -eq 0 ]; then
crit "nftables: Firewall policy is not default deny!"
FNRET=11
else
ok "nftables has set default deny for firewall policy!"
FNRET=10
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 10 ]; then
ok "nftables has set default deny for firewall policy!"
elif [ $FNRET = 11 ]; then
warn "nftables is not set default deny for firewall policy! need the administrator to manually add it."
elif [ $FNRET = 0 ]; then
ok "Iptables has set default deny for firewall policy!" ok "Iptables has set default deny for firewall policy!"
else else
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP." warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
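Review bot: `nft list ruleset` at L128 is run three times without the `2>/dev/null` the sibling checks use (L35, L84), so a failing nft (no permission, nf_tables absent) prints three errors and every count is 0, which is then reported as "not default deny" rather than as an inability to check. Capturing the listing once, `NFT_RULESET=$(nft list ruleset 2>/dev/null)`, and grepping `printf '%s\n' "$NFT_RULESET"` for each hook keeps the three checks consistent with each other and with the rest of the commit. The patterns `input.*policy drop` also match a base chain in any table, including `ip6` or `bridge`, so a host whose drop policies live only in an `ip6` table passes this IPv4 check. `-o` inside `[` is obsolescent; `[[ ... || ... ]]` is the bash form.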


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -19,9 +19,12 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1 OUTPUT_ACCEPT=1
INPUT_DENY=1 INPUT_DENY=1
IP4VERSION="IPS4" IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
# Check the loopback interface to accept INPUT traffic. # Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept "$IP4VERSION" ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -54,26 +57,41 @@ audit () {
else else
crit "Loopback traffic rules are not configured!" crit "Loopback traffic rules are not configured!"
fi fi
else
if [ $(nft list chain ip filter INPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter OUTPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter INPUT | grep -c 'saddr.*127.0.0.0/8.*drop') -gt 0 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
FNRET=10
else
crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
FNRET=11
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 10 ]; then
ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
else
if [ $INPUT_ACCEPT = 0 ]; then if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!" ok "Iptables loopback traffic INPUT has configured!"
else else
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT" warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi fi
if [ $OUTPUT_ACCEPT = 0 ]; then if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!" ok "Iptables loopback traffic OUTPUT has configured!"
else else
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT" warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi fi
if [ $INPUT_DENY = 0 ]; then if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!" ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP" warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
fi fi
} }
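Review bot: The pattern `lo.*accept` at L173 matches any line containing `lo` before `accept`, including a `log prefix "..." accept` rule, so a logging rule can satisfy the loopback check; `grep -Ec 'iif(name)? "lo".*accept'` (and `oif(name)? "lo"` for OUTPUT) matches the interface expression nft actually prints. `nft list chain ip filter INPUT` also hard-codes the table and chain names the iptables-nft shim creates; a native ruleset (commonly `inet filter input`) makes nft print an error on stderr and yields 0, which is reported as `crit`. Listing the whole ruleset with `nft list ruleset 2>/dev/null` and grepping it, as L84 does, would avoid depending on those names. The `-a` operators in the `[` test are obsolescent; `[[ ... && ... ]]` is the bash form.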


@ -1,12 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
# 7.7.4.3 Ensure default deny firewall policy (Scored) # 7.7.4.3 Ensure firewall rules exist for all open ports (Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com> # Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -16,12 +15,19 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
PACKAGE_NFT='nftables'
NETLISTENLIST="/dev/shm/7.7.4.3" NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair" PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ISNFTABLES=1
else
ISNFTABLES=0
fi
# For ipv4 # For ipv4
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
rm -f $PROTO_PORT rm -f $PROTO_PORT
@ -30,19 +36,37 @@ audit () {
do do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}') LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $ISNFTABLES = 1 ]; then
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules." info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules." info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi fi
else
if [ $(nft list chain ip filter INPUT | grep -c "dport.*$LISTEN_PORT.*new.*accept") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
fi
fi
done done
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
if [ $ISNFTABLES = 1 ]; then
if [ -f $PROTO_PORT ]; then if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!" crit "Iptables is not set firewall rules exist for all open ports!"
else else
ok "Iptables has set firewall rules exist for all open ports!" ok "Iptables has set firewall rules exist for all open ports!"
fi fi
else
if [ -f $PROTO_PORT ]; then
crit "Nftables is not set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -52,11 +76,19 @@ apply () {
do do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
if [ $ISNFTABLES = 1 ]; then
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT" warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
else
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
fi
done done
rm -f $PROTO_PORT rm -f $PROTO_PORT
else else
if [ $ISNFTABLES = 1 ]; then
ok "Iptables has set firewall rules exist for all open ports!" ok "Iptables has set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi fi
} }
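Review bot: The nft pattern `dport.*$LISTEN_PORT.*new.*accept` at L248 is unanchored, so an allow rule for port 2222 satisfies the check for port 22, and `$PROTO_TYPE` is not part of the pattern at all, so a `tcp dport 53` rule satisfies a udp/53 listener; `grep -Ec "${PROTO_TYPE} dport ${LISTEN_PORT}([^0-9]|$).*new.*accept"` ties the rule to the listener the way the iptables pattern at L241 does. `ISNFTABLES=1` at L229 is assigned when `is_pkg_installed` reports nftables as not installed (assuming the 0-means-installed convention the other sections rely on), so the name reads as the opposite of what it selects; `USE_IPTABLES=1` would make the branches at L240, L257, L276 and L284 self-explanatory, and the same inversion is in `IS_NFT` at L312. The `nft list chain ip filter INPUT` call also lacks the `2>/dev/null` used at L84 and depends on the iptables-nft table and chain names, so a native `inet` ruleset reports every listener as unprotected.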


@ -1,12 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored) # 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com> # Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -20,11 +19,19 @@ RET_VALUE2=1
PROTOCOL_LIST="tcp udp icmp" PROTOCOL_LIST="tcp udp icmp"
IP4VERSION="IPS4" IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
IS_NFT=1
else
IS_NFT=0
fi
for protocol in $PROTOCOL_LIST for protocol in $PROTOCOL_LIST
do do
if [ $IS_NFT = 1 ]; then
# Check INPUT with ESTABLISHED is config # Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP4VERSION" check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -33,6 +40,7 @@ audit () {
else else
RET_VALUE1=1 RET_VALUE1=1
info "Portocol $protocol INPUT is not conf" info "Portocol $protocol INPUT is not conf"
break
fi fi
# Check outbound is config # Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION" check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
@ -42,30 +50,41 @@ audit () {
else else
RET_VALUE2=1 RET_VALUE2=1
info "Portocol $protocol outbound is not conf" info "Portocol $protocol outbound is not conf"
break
fi
else
if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 ]; then
ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
FNRET=10
else
crit "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
FNRET=11
fi
return
fi fi
done done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured!" ok "Outbound and established connections are configured!"
FNRET=0
else else
crit "Outbound and established connections are not configured!" crit "Outbound and established connections are not configured!"
FNRET=1
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for protocol in $PROTOCOL_LIST if [ $FNRET = 0 ]; then
do ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!"
# Apply INPUT with ESTABLISHED elif [ $FNRET = 11 ]; then
check_input_with_established_is_accept "${protocol}" $IP4VERSION warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
if [ $FNRET = 1 ]; then elif [ $FNRET = 10 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
elif [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
else
:
fi fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
} }
# This function will check config parameters required # This function will check config parameters required
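Review bot: apply() at L357-L364 interpolates `$protocol` in every message, but the `for protocol` loop that defined it was removed from apply, so the message names whatever value audit()'s loop happened to leave in the global (the last protocol iterated, not necessarily the one that failed), or trips an unset-variable error if apply() ever runs without audit() under the `set -u` these scripts use. The FNRET=1 branch at L364 labels an iptables failure as `(nft)` and drops the per-protocol `Howto apply: iptables -A INPUT -p <protocol> -m state --state ESTABLISHED -j ACCEPT` guidance the old loop gave; `warn "Outbound and established connections are not configured for one of: $PROTOCOL_LIST. Need the administrator to manually add it."` would be accurate for both backends. In audit(), the nft branch at L337-L344 `return`s inside the loop, so only the first entry of PROTOCOL_LIST (tcp) is ever checked for nftables; setting `RET_VALUE1`/`RET_VALUE2` and falling through to the verdict after the loop, as the iptables branch does, would cover all three. The file may continue past the last line shown.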