tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add audit and apply methods for ipv6 firewall rules.

This commit is contained in:
Samson-W 2019-04-16 18:09:05 +08:00
parent 3a572da9aa
commit 5867efd5d6
11 changed files with 455 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bin/hardening/7.7.2_ensure_set_firewall_rules.sh
View File

@ -23,15 +23,9 @@ IPS6=$(which ip6tables)
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Ip4tables is not set rule!"
if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Ip6tables is not set rule!"
FNRET=1
else
ok "Ip6tables rules are set!"
FNRET=0
fi
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Iptables/Ip6tables is not set rule!"
FNRET=1
else
ok "Ip4tables rules are set!"
FNRET=0

14
bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
View File

@ -23,17 +23,11 @@ IPS6=$(which ip6tables)
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
crit "Ip4tables is not set rules of protect DOS attacks!"
if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
crit "Ip6tables is not set rule!"
FNRET=1
else
ok "Ip6tables rules are set!"
FNRET=0
fi
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Ip4tables has set rules for protect DOS attacks!"
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
}

17
bin/hardening/7.7.4_ensure_default_deny_firewall_policy.sh → bin/hardening/7.7.4.1_ensure_default_deny_firewall_policy.sh
View File

@ -5,8 +5,8 @@
#
#
# 7.7.4 Ensure default deny firewall policy (Scored)
# Include ipv4 and ipv6
# 7.7.4.1 Ensure default deny firewall policy (Scored)
# for ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -16,19 +16,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
FNRET=1
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
@ -38,9 +31,9 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Iptables/Ip6tables has set default deny for firewall policy!"
ok "Iptables has set default deny for firewall policy!"
else
warn "Iptables/Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables/ip6tables -P INPUT DROP; iptables/ip6tables -P OUTPUT DROP; iptables/ip6tables -P FORWARD DROP."
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
fi
}

32
bin/hardening/7.7.5_ensure_loopback_traffic_is_configured.sh → bin/hardening/7.7.4.2_ensure_loopback_traffic_is_configured.sh
View File

@ -5,7 +5,7 @@
#
#
# 7.7.5 Ensure loopback traffic is configured (Scored)
# 7.7.4.2 Ensure loopback traffic is configured (Scored)
# Include ipv4 and ipv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -18,36 +18,42 @@ HARDENING_LEVEL=2
INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP4VERSION="IPS4"
# This function will be called if the script status is on enabled / audit mode
audit () {
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept
ensure_lo_traffic_input_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
ok "Iptables loopback traffic INPUT has configured!"
info "Iptables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
crit "Iptables: loopback traffic INPUT is not configured!"
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
ok "Iptables loopback traffic OUTPUT has configured!"
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
crit "Iptables: loopback traffic OUTPUT is not configured!"
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
crit "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi
}
# This function will be called if the script status is on enabled mode
@ -55,19 +61,19 @@ apply () {
if [ $INPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic INPUT has configured!"
else
warn "Iptables/Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -i lo -j ACCEPT"
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!"
else
warn "Iptables/Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A OUTPUT -o lo -j ACCEPT"
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Iptables/Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
}

84
bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh Executable file
View File

@ -0,0 +1,84 @@
#!/bin/bash
#
# harbian audit 9 Hardening
#
#
# 7.7.4.3 Ensure default deny firewall policy (Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode
audit () {
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
else
ok "Iptables has set firewall rules exist for all open ports!"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ -f $PROTO_PORT ]; then
cat $PROTO_PORT | while read NOSETPAIR
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
done
rm -f $PROTO_PORT
else
ok "Iptables has set firewall rules exist for all open ports!"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

33
bin/hardening/7.7.7_ensure_outbound_and_established_connections_are_configured.sh → bin/hardening/7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh
View File

@ -5,8 +5,8 @@
#
#
# 7.7.7 Ensure outbound and established connections are configured (Not Scored)
# Include ipv4 and ipv6
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -15,27 +15,40 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
RET_VALUE1=1
RET_VALUE2=1
PROTOCOL_LIST="tcp udp icmp"
IP4VERSION="IPS4"
# This function will be called if the script status is on enabled / audit mode
audit () {
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}"
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
ok "Portocol $protocol INPUT is conf"
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
crit "Portocol $protocol INPUT is not conf"
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}"
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
ok "Portocol $protocol outbound is conf"
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
crit "Portocol $protocol outbound is not conf"
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured!"
else
crit "Outbound and established connections are not configured!"
fi
}
# This function will be called if the script status is on enabled mode
@ -43,12 +56,12 @@ apply () {
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}"
check_input_with_established_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}"
check_outbound_connect_is_accept "${protocol}" $IP4VERSION
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi

61
bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
#
# harbian audit 9 Hardening
#
#
# 7.7.5.1 Ensure default deny firewall policy for v6 (Scored)
# for ipv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!"
else
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

101
bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh Executable file
View File

@ -0,0 +1,101 @@
#!/bin/bash
#
# harbian audit 9 Hardening
#
#
# 7.7.5.2 Ensure loopback traffic is configured for v6 (Scored)
# Foripv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP6VERSION="IPS6"
# This function will be called if the script status is on enabled / audit mode
audit () {
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!"
else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

33
bin/hardening/7.7.6_ensure_firewall_rules_exist_for_all_open_ports.sh → bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh
View File

@ -5,8 +5,8 @@
#
#
# 7.7.6 Ensure default deny firewall policy (Scored)
# Include ipv4 and ipv6
# 7.7.5.3 Ensure default deny firewall policy for v6 (Scored)
# For ipv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -15,29 +15,16 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
NETLISTENLIST="/dev/shm/7.7.6"
PROTO_PORT="/dev/shm/proto_port_pair"
NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode
audit () {
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi
done
# For ipv6
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
@ -51,15 +38,17 @@ audit () {
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Iptables/Ip6tables is not set firewall rules exist for all open ports!"
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
}
@ -70,11 +59,11 @@ apply () {
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
done
rm -f $PROTO_PORT
else
ok "Iptables/Ip6tables has set firewall rules exist for all open ports!"
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
}

93
bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh Executable file
View File

@ -0,0 +1,93 @@
#!/bin/bash
#
# harbian audit 9 Hardening
#
#
# 7.7.5.4 Ensure outbound and established connections are configured for v6 (Not Scored)
# For ipv6
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp"
IP6VERSION="IPS6"
RET_VALUE1=1
RET_VALUE2=1
# This function will be called if the script status is on enabled / audit mode
audit () {
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured for v6."
else
crit "Outbound and established connections are not configured for v6."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

75
lib/utils.sh
View File

@ -719,11 +719,16 @@ ensure_lo_traffic_input_is_accept()
IPS4=$(which iptables)
IPS6=$(which ip6tables)
# Check the loopback interface to accept INPUT traffic.
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
debug "Ip4tables loopback traffic INPUT has configured!"
FNRET=0
version=$1
if [ $version == 'IPS4' ]; then
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
debug "Ip4tables loopback traffic INPUT has configured!"
FNRET=0
else
debug "Ip4tables: loopback traffic INPUT is not configured!"
FNRET=1
fi
else
debug "Ip4tables: loopback traffic INPUT is not configured!"
if [ $(${IPS6} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A INPUT \-i ::/0 \-j ACCEPT") -ge 1 ]; then
debug "Ip6tables loopback traffic INPUT has configured!"
FNRET=0
@ -731,7 +736,7 @@ ensure_lo_traffic_input_is_accept()
debug "Ip6tables: loopback traffic INPUT is not configured!"
FNRET=1
fi
fi
fi
}
# Ensure is set accept for OUTPUT of loopback traffic
@ -740,11 +745,16 @@ ensure_lo_traffic_output_is_accept()
IPS4=$(which iptables)
IPS6=$(which ip6tables)
# Check the loopback interface to accept OUTPUT traffic.
if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
debug "Ip4tables loopback traffic OUTPUT has configured!"
FNRET=0
version=$1
if [ $version == 'IPS4' ]; then
if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
debug "Ip4tables loopback traffic OUTPUT has configured!"
FNRET=0
else
debug "Ip4tables: loopback traffic OUTPUT is not configured!"
FNRET=1
fi
else
debug "Ip4tables: loopback traffic OUTPUT is not configured!"
if [ $(${IPS6} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A OUTPUT \-o ::/0 \-j ACCEPT") -ge 1 ]; then
debug "Ip6tables loopback traffic OUTPUT has configured!"
FNRET=0
@ -760,9 +770,18 @@ ensure_lo_traffic_other_if_input_is_deny()
{
IPS4=$(which iptables)
IPS6=$(which ip6tables)
# all other interfaces to deny traffic to the loopback network.
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then
debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!"
version=$1
if [ $version == 'IPS4' ]; then
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then
debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!"
FNRET=1
else
debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!"
FNRET=0
fi
else
if [ $(${IPS6} -S | grep -c "^\-A INPUT \-s ::1 \-j DROP") -ge 0 ]; then
debug "Ip6tables: loopback traffic INPUT deny from ::1 is not configured!"
FNRET=1
@ -770,9 +789,6 @@ ensure_lo_traffic_other_if_input_is_deny()
debug "Ip6tables loopback traffic INPUT deny from ::1 has configured!"
FNRET=0
fi
else
debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!"
FNRET=0
fi
}
@ -784,8 +800,16 @@ check_outbound_connect_is_accept()
IPS6=$(which ip6tables)
# $1 maybe is: tcp udp icmp
proto=$1
if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Iptables: Protocol $proto outbound is not configured!"
version=$2
if [ $version == 'IPS4' ]; then
if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Iptables: Protocol $proto outbound is not configured!"
FNRET=1
else
debug "Iptables: Protocol $proto outbound is configured!"
FNRET=0
fi
else
if [ $(${IPS6} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Ip6tables: Protocol $proto outbound is not configured!"
FNRET=1
@ -793,9 +817,6 @@ check_outbound_connect_is_accept()
debug "Ip6tables: Protocol $proto outbound is configured!"
FNRET=0
fi
else
debug "Iptables: Protocol $proto outbound is configured!"
FNRET=0
fi
}
@ -807,8 +828,16 @@ check_input_with_established_is_accept()
IPS6=$(which ip6tables)
# $1 maybe is: tcp udp icmp
proto=$1
if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Iptables: Protocol $proto INPUT is not configured!"
version=$2
if [ $version == 'IPS4' ]; then
if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Iptables: Protocol $proto INPUT is not configured!"
FNRET=1
else
debug "Iptables: Protocol $proto INPUT is configured!"
FNRET=0
fi
else
if [ $(${IPS6} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
debug "Ip6tables: Protocol $proto INPUT is not configured!"
FNRET=1
@ -816,12 +845,10 @@ check_input_with_established_is_accept()
debug "Ip6tables: Protocol $proto INPUT is configured!"
FNRET=0
fi
else
debug "Iptables: Protocol $proto INPUT is configured!"
FNRET=0
fi
}
# for: Create file if parent dir is not exist
extend_touch_file()
{
NEWFILEALLPATH=$1