From 5867efd5d60231dabe0eda3566f0115a4ad1190f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 16 Apr 2019 18:09:05 +0800 Subject: [PATCH] Add audit and apply methods for ipv6 firewall rules. --- .../7.7.2_ensure_set_firewall_rules.sh | 12 +-- ...ensure_firewall_set_protect_dos_attacks.sh | 14 +-- ....1_ensure_default_deny_firewall_policy.sh} | 17 +-- ..._ensure_loopback_traffic_is_configured.sh} | 32 +++--- ...firewall_rules_exist_for_all_open_ports.sh | 84 +++++++++++++++ ...established_connections_are_configured.sh} | 33 ++++-- ...ure_default_deny_firewall_policy_for_v6.sh | 61 +++++++++++ ...e_loopback_traffic_is_configured_for_v6.sh | 101 ++++++++++++++++++ ..._rules_exist_for_all_open_ports_for_v6.sh} | 33 ++---- ...ished_connections_are_configured_for_v6.sh | 93 ++++++++++++++++ lib/utils.sh | 75 ++++++++----- 11 files changed, 455 insertions(+), 100 deletions(-) rename bin/hardening/{7.7.4_ensure_default_deny_firewall_policy.sh => 7.7.4.1_ensure_default_deny_firewall_policy.sh} (67%) rename bin/hardening/{7.7.5_ensure_loopback_traffic_is_configured.sh => 7.7.4.2_ensure_loopback_traffic_is_configured.sh} (59%) create mode 100755 bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh rename bin/hardening/{7.7.7_ensure_outbound_and_established_connections_are_configured.sh => 7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh} (68%) create mode 100755 bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh create mode 100755 bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh rename bin/hardening/{7.7.6_ensure_firewall_rules_exist_for_all_open_ports.sh => 7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh} (64%) create mode 100755 bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh diff --git a/bin/hardening/7.7.2_ensure_set_firewall_rules.sh b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh index edb73eb..f2f9f8f 100755 
--- a/bin/hardening/7.7.2_ensure_set_firewall_rules.sh +++ b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh @@ -23,15 +23,9 @@ IPS6=$(which ip6tables) # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 ]; then - crit "Ip4tables is not set rule!" - if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then - crit "Ip6tables is not set rule!" - FNRET=1 - else - ok "Ip6tables rules are set!" - FNRET=0 - fi + if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then + crit "Iptables/Ip6tables is not set rule!" + FNRET=1 else ok "Ip4tables rules are set!" FNRET=0 diff --git a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh index 6e9dcf2..bcb28c7 100755 --- a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh +++ b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh @@ -23,17 +23,11 @@ IPS6=$(which ip6tables) # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then - crit "Ip4tables is not set rules of protect DOS attacks!" - if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then - crit "Ip6tables is not set rule!" - FNRET=1 - else - ok "Ip6tables rules are set!" - FNRET=0 - fi + if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then + crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!" + FNRET=1 else - ok "Ip4tables has set rules for protect DOS attacks!" + ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" FNRET=0 fi } 
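Review bot: The `ok` branch of `audit` still prints `Ip4tables rules are set!` although the merged condition on the line above now requires rules in both iptables and ip6tables, so the success message understates what was verified; the 7.7.3 hunk in this same commit already changed both of its messages to the `Ip4tables/Ip6tables` form. Suggest `ok "Iptables/Ip6tables rules are set!"` to match the new `crit` text. The `-o` inside a single `[ ]` is also the deprecated test form; `[ ... ] || [ ... ]` is the portable equivalent and ShellCheck will otherwise flag it.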
diff --git a/bin/hardening/7.7.4_ensure_default_deny_firewall_policy.sh b/bin/hardening/7.7.4.1_ensure_default_deny_firewall_policy.sh similarity index 67% rename from bin/hardening/7.7.4_ensure_default_deny_firewall_policy.sh rename to bin/hardening/7.7.4.1_ensure_default_deny_firewall_policy.sh index 1b12f75..dc078f1 100755 --- a/bin/hardening/7.7.4_ensure_default_deny_firewall_policy.sh +++ b/bin/hardening/7.7.4.1_ensure_default_deny_firewall_policy.sh @@ -5,8 +5,8 @@ # # -# 7.7.4 Ensure default deny firewall policy (Scored) -# Include ipv4 and ipv6 +# 7.7.4.1 Ensure default deny firewall policy (Scored) +# for ipv4 # Add this feature:Author : Samson wen, Samson # @@ -16,19 +16,12 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 IPS4=$(which iptables) -IPS6=$(which ip6tables) # This function will be called if the script status is on enabled / audit mode audit () { if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then crit "Iptables: Firewall policy is not default deny!" - if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then - crit "Ip6tables: Firewall policy is not default deny!" - FNRET=1 - else - ok "Ip6tables has set default deny for firewall policy!" - FNRET=0 - fi + FNRET=1 else ok "Iptables has set default deny for firewall policy!" FNRET=0 
@@ -38,9 +31,9 @@ audit () { # This function will be called if the script status is on enabled mode apply () { if [ $FNRET = 0 ]; then - ok "Iptables/Ip6tables has set default deny for firewall policy!" + ok "Iptables has set default deny for firewall policy!" else - warn "Iptables/Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables/ip6tables -P INPUT DROP; iptables/ip6tables -P OUTPUT DROP; iptables/ip6tables -P FORWARD DROP." + warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP." fi } diff --git a/bin/hardening/7.7.5_ensure_loopback_traffic_is_configured.sh b/bin/hardening/7.7.4.2_ensure_loopback_traffic_is_configured.sh similarity index 59% rename from bin/hardening/7.7.5_ensure_loopback_traffic_is_configured.sh rename to bin/hardening/7.7.4.2_ensure_loopback_traffic_is_configured.sh index 0299a1f..65ce650 100755 --- a/bin/hardening/7.7.5_ensure_loopback_traffic_is_configured.sh +++ b/bin/hardening/7.7.4.2_ensure_loopback_traffic_is_configured.sh @@ -5,7 +5,7 @@ # # -# 7.7.5 Ensure loopback traffic is configured (Scored) +# 7.7.4.2 Ensure loopback traffic is configured (Scored) # Include ipv4 and ipv6 # Add this feature:Author : Samson wen, Samson # 
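Review bot: The retained comment `# Include ipv4 and ipv6` directly under the new `# 7.7.4.2 Ensure loopback traffic is configured (Scored)` title is now misleading, because after this commit the script only passes `IP4VERSION` to the helpers and the IPv6 variant lives in the new 7.7.5.2 file; the 7.7.4.1 and 7.7.4.4 hunks already change the same comment to `# for ipv4`. Suggest replacing it with `# For ipv4` here as well.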
@@ -18,36 +18,42 @@ HARDENING_LEVEL=2 INPUT_ACCEPT=1 OUTPUT_ACCEPT=1 INPUT_DENY=1 +IP4VERSION="IPS4" # This function will be called if the script status is on enabled / audit mode audit () { # Check the loopback interface to accept INPUT traffic. - ensure_lo_traffic_input_is_accept + ensure_lo_traffic_input_is_accept "$IP4VERSION" if [ $FNRET = 0 ]; then INPUT_ACCEPT=0 - ok "Iptables loopback traffic INPUT has configured!" + info "Iptables loopback traffic INPUT has configured!" else INPUT_ACCEPT=1 - crit "Iptables: loopback traffic INPUT is not configured!" + info "Iptables: loopback traffic INPUT is not configured!" fi # Check the loopback interface to accept OUTPUT traffic. - ensure_lo_traffic_output_is_accept + ensure_lo_traffic_output_is_accept "$IP4VERSION" if [ $FNRET = 0 ]; then OUTPUT_ACCEPT=0 - ok "Iptables loopback traffic OUTPUT has configured!" + info "Iptables loopback traffic OUTPUT has configured!" else OUTPUT_ACCEPT=1 - crit "Iptables: loopback traffic OUTPUT is not configured!" + info "Iptables: loopback traffic OUTPUT is not configured!" fi # all other interfaces to deny traffic to the loopback network. - ensure_lo_traffic_other_if_input_is_deny + ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION" if [ $FNRET = 0 ]; then INPUT_DENY=0 - ok "Iptables loopback traffic INPUT deny from other interfaces has configured!" + info "Iptables loopback traffic INPUT deny from other interfaces has configured!" else INPUT_DENY=1 - crit "Iptables: loopback traffic INPUT deny from other interfaces is not configured!" + info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!" fi + if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then + ok "Loopback traffic rules are configured!" + else + crit "Loopback traffic rules are not configured!" + fi } # This function will be called if the script status is on enabled mode 
@@ -55,19 +61,19 @@ apply () { if [ $INPUT_ACCEPT = 0 ]; then ok "Iptables loopback traffic INPUT has configured!" else - warn "Iptables/Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -i lo -j ACCEPT" + warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT" fi if [ $OUTPUT_ACCEPT = 0 ]; then ok "Iptables loopback traffic OUTPUT has configured!" else - warn "Iptables/Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A OUTPUT -o lo -j ACCEPT" + warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT" fi if [ $INPUT_DENY = 0 ]; then ok "Iptables loopback traffic INPUT deny from other interfaces has configured!" else - warn "Iptables/Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" + warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP" fi } diff --git a/bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh b/bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh new file mode 100755 index 0000000..07baf0c --- /dev/null +++ b/bin/hardening/7.7.4.3_ensure_firewall_rules_exist_for_all_open_ports.sh 
@@ -0,0 +1,84 @@ +#!/bin/bash + +# +# harbian audit 9 Hardening +# + +# +# 7.7.4.3 Ensure default deny firewall policy (Scored) +# For ipv4 +# Add this feature:Author : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +IPS4=$(which iptables) + +NETLISTENLIST="/dev/shm/7.7.4.3" +PROTO_PORT="/dev/shm/proto_port_pair" + +# This function will be called if the script status is on enabled / audit mode +audit () { + # For ipv4 + rm -f $NETLISTENLIST + rm -f $PROTO_PORT + netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST + cat $NETLISTENLIST | while read LISTENING + do + PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') + LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}') + if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules." + else + echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules." + fi + done + rm -f $NETLISTENLIST + if [ -f $PROTO_PORT ]; then + crit "Iptables is not set firewall rules exist for all open ports!" + else + ok "Iptables has set firewall rules exist for all open ports!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ -f $PROTO_PORT ]; then + cat $PROTO_PORT | while read NOSETPAIR + do + PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') + LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') + warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT" + done + rm -f $PROTO_PORT + else + ok "Iptables has set firewall rules exist for all open ports!" 
+ fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/7.7.7_ensure_outbound_and_established_connections_are_configured.sh b/bin/hardening/7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh similarity index 68% rename from bin/hardening/7.7.7_ensure_outbound_and_established_connections_are_configured.sh rename to bin/hardening/7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh index 04699f4..bc76459 100755 --- a/bin/hardening/7.7.7_ensure_outbound_and_established_connections_are_configured.sh +++ b/bin/hardening/7.7.4.4_ensure_outbound_and_established_connections_are_configured.sh @@ -5,8 +5,8 @@ # # -# 7.7.7 Ensure outbound and established connections are configured (Not Scored) -# Include ipv4 and ipv6 +# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored) +# For ipv4 # Add this feature:Author : Samson wen, Samson # 
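Review bot: `NETLISTENLIST` and `PROTO_PORT` are fixed, predictable paths in the world-writable `/dev/shm`, and `audit` does `rm -f` and then redirects into them while running as root (iptables requires it), so a symlink or pre-existing file placed at either name by another local user would be followed by the root-owned write — the standard temp-file race that `mktemp` exists to avoid. Because `PROTO_PORT` must survive from `audit` to `apply` within one run, create a private directory once at script load, put both files in it and remove it on exit (if `lib/main.sh` already installs an `EXIT` trap, chain it rather than replace it — I cannot see that file here). The title comment `# 7.7.4.3 Ensure default deny firewall policy (Scored)` is copied from 7.7.4.1 and should read `Ensure firewall rules exist for all open ports`. In `apply`, the `Howto set:` text omits the values it just reported — `-p --dport` should be `-p $PROTO_TYPE --dport $LISTEN_PORT`. The renamed 7.7.5.3 script shares both the fixed `/dev/shm` names and the incomplete `Howto` string.
```shell
# Private scratch dir instead of fixed names in world-writable /dev/shm
TMPWORKDIR=$(mktemp -d)
NETLISTENLIST="${TMPWORKDIR}/netlistenlist"
PROTO_PORT="${TMPWORKDIR}/proto_port_pair"
trap 'rm -rf -- "${TMPWORKDIR}"' EXIT
# … unchanged: audit / apply / check_config bodies …
```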
@@ -15,27 +15,40 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 +RET_VALUE1=1 +RET_VALUE2=1 + PROTOCOL_LIST="tcp udp icmp" +IP4VERSION="IPS4" # This function will be called if the script status is on enabled / audit mode audit () { for protocol in $PROTOCOL_LIST do # Check INPUT with ESTABLISHED is config - check_input_with_established_is_accept "${protocol}" + check_input_with_established_is_accept "${protocol}" "$IP4VERSION" if [ $FNRET = 0 ]; then - ok "Portocol $protocol INPUT is conf" + RET_VALUE1=0 + info "Portocol $protocol INPUT is conf" else - crit "Portocol $protocol INPUT is not conf" + RET_VALUE1=1 + info "Portocol $protocol INPUT is not conf" fi # Check outbound is config - check_outbound_connect_is_accept "${protocol}" + check_outbound_connect_is_accept "${protocol}" "$IP4VERSION" if [ $FNRET = 0 ]; then - ok "Portocol $protocol outbound is conf" + RET_VALUE2=0 + info "Portocol $protocol outbound is conf" else - crit "Portocol $protocol outbound is not conf" + RET_VALUE2=1 + info "Portocol $protocol outbound is not conf" fi done + if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then + ok "Outbound and established connections are configured!" + else + crit "Outbound and established connections are not configured!" + fi } # This function will be called if the script status is on enabled mode 
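Review bot: `RET_VALUE1` and `RET_VALUE2` are reassigned on every iteration of the `for protocol` loop, so the `ok`/`crit` decision after the loop reflects only the last entry of `PROTOCOL_LIST` (icmp); a missing tcp ESTABLISHED rule is reported as configured whenever the icmp rules exist. Set `RET_VALUE1=0` and `RET_VALUE2=0` once before the loop, keep only the `RET_VALUE1=1` / `RET_VALUE2=1` assignments in the failure branches, and delete the two `=0` assignments inside the loop so a single failure is sticky. The new 7.7.5.4 file (the hunk ending at the `Howto apply: ip6tables -A OUTPUT` line) contains the identical loop and needs the same fix.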
@@ -43,12 +56,12 @@ apply () { for protocol in $PROTOCOL_LIST do # Apply INPUT with ESTABLISHED - check_input_with_established_is_accept "${protocol}" + check_input_with_established_is_accept "${protocol}" $IP4VERSION if [ $FNRET = 1 ]; then warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" fi # Apply outbound - check_outbound_connect_is_accept "${protocol}" + check_outbound_connect_is_accept "${protocol}" $IP4VERSION if [ $FNRET = 1 ]; then warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" fi diff --git a/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh b/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh new file mode 100755 index 0000000..d3b2d45 --- /dev/null +++ b/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh 
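Review bot: `$IP4VERSION` is passed unquoted in both helper calls in `apply`, while the `audit` hunk of the same file passes `"$IP4VERSION"`; the value has no whitespace today, but the inconsistency is exactly what ShellCheck's SC2086 flags and it will confuse the next reader about whether splitting is intended. Suggest `check_input_with_established_is_accept "${protocol}" "$IP4VERSION"` and the same quoting for the `check_outbound_connect_is_accept` call.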
@@ -0,0 +1,61 @@ +#!/bin/bash + +# +# harbian audit 9 Hardening +# + +# +# 7.7.5.1 Ensure default deny firewall policy for v6 (Scored) +# for ipv6 +# Add this feature:Author : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +IPS6=$(which ip6tables) + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then + crit "Ip6tables: Firewall policy is not default deny!" + FNRET=1 + else + ok "Ip6tables has set default deny for firewall policy!" + FNRET=0 + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "Ip6tables has set default deny for firewall policy!" + else + warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi 
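Review bot: The OUTPUT and FORWARD policy checks in `audit` query `${IPS4}` instead of `${IPS6}`, so this IPv6 script inspects the IPv4 policies for two of the three chains; in addition this file defines only `IPS6`, so under `set -u` the `${IPS4}` expansion aborts the script unless a sourced library happens to export that name. Change both to `$(${IPS6} -S | grep -c "\-P OUTPUT DROP")` and `$(${IPS6} -S | grep -c "\-P FORWARD DROP")`. The same `IPS4`/`IPS6` mix-up was present in the old 7.7.4 IPv6 branch that this commit deletes, so this appears to be a copy of it rather than a new intent.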
diff --git a/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh b/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh new file mode 100755 index 0000000..4a42ec6 --- /dev/null +++ b/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh 
@@ -0,0 +1,101 @@ +#!/bin/bash + +# +# harbian audit 9 Hardening +# + +# +# 7.7.5.2 Ensure loopback traffic is configured for v6 (Scored) +# Foripv6 +# Add this feature:Author : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +INPUT_ACCEPT=1 +OUTPUT_ACCEPT=1 +INPUT_DENY=1 +IP6VERSION="IPS6" + +# This function will be called if the script status is on enabled / audit mode +audit () { + # Check the loopback interface to accept INPUT traffic. + ensure_lo_traffic_input_is_accept $IP6VERSION + if [ $FNRET = 0 ]; then + INPUT_ACCEPT=0 + info "Ip6tables loopback traffic INPUT has configured!" + else + INPUT_ACCEPT=1 + info "Ip6tables: loopback traffic INPUT is not configured!" + fi + # Check the loopback interface to accept OUTPUT traffic. + ensure_lo_traffic_output_is_accept $IP6VERSION + if [ $FNRET = 0 ]; then + OUTPUT_ACCEPT=0 + info "Ip6tables loopback traffic OUTPUT has configured!" + else + OUTPUT_ACCEPT=1 + info "Ip6tables: loopback traffic OUTPUT is not configured!" + fi + # all other interfaces to deny traffic to the loopback network. + ensure_lo_traffic_other_if_input_is_deny $IP6VERSION + if [ $FNRET = 0 ]; then + INPUT_DENY=0 + info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" + else + INPUT_DENY=1 + info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!" + fi + if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then + ok "Loopback traffic rules were configured for v6!" + else + crit "Loopback traffic rules are not configured for v6!" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $INPUT_ACCEPT = 0 ]; then + ok "Ip6tables loopback traffic INPUT has configured!" + else + warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. 
Howto set: ip6tables -A INPUT -i lo -j ACCEPT" + fi + + if [ $OUTPUT_ACCEPT = 0 ]; then + ok "Ip6tables loopback traffic OUTPUT has configured!" + else + warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT" + fi + + if [ $INPUT_DENY = 0 ]; then + ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" + else + warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/7.7.6_ensure_firewall_rules_exist_for_all_open_ports.sh b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh similarity index 64% rename from bin/hardening/7.7.6_ensure_firewall_rules_exist_for_all_open_ports.sh rename to bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh index 5917465..4665557 100755 --- a/bin/hardening/7.7.6_ensure_firewall_rules_exist_for_all_open_ports.sh +++ b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh 
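Review bot: The aggregate test in `audit`, `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then`, is missing both right-hand operands and never looks at `INPUT_DENY`; `[` rejects `-a` as an integer operand, so the condition is always false and the v6 loopback check can never report `ok`. It should read `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`, matching the IPv4 file 7.7.4.2. In `apply`, the third `warn` still talks about `127.0.0.0/8` and suggests `ip6tables -A INPUT -s 127.0.0.0/8 -j DROP`, which is not an IPv6 source; `ensure_lo_traffic_other_if_input_is_deny` in lib/utils.sh looks for `-s ::1 -j DROP`, so the message should name `::1`. The title comment `# Foripv6` is also missing a space.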
@@ -5,8 +5,8 @@ # # -# 7.7.6 Ensure default deny firewall policy (Scored) -# Include ipv4 and ipv6 +# 7.7.5.3 Ensure default deny firewall policy for v6 (Scored) +# For ipv6 # Add this feature:Author : Samson wen, Samson # @@ -15,29 +15,16 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 -IPS4=$(which iptables) IPS6=$(which ip6tables) -NETLISTENLIST="/dev/shm/7.7.6" -PROTO_PORT="/dev/shm/proto_port_pair" +NETLISTENLIST="/dev/shm/7.7.5.3" +PROTO_PORT="/dev/shm/proto_port_pair_v6" # This function will be called if the script status is on enabled / audit mode audit () { # For ipv4 rm -f $NETLISTENLIST rm -f $PROTO_PORT - netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST - cat $NETLISTENLIST | while read LISTENING - do - PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') - LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}') - if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then - ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules." - else - echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT - crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules." - fi - done # For ipv6 netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST cat $NETLISTENLIST | while read LISTENING 
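Review bot: The `# For ipv4` comment is left directly above the `rm -f` lines in `audit` although the IPv4 block it introduced has been removed and the function now handles only IPv6; drop it or change it to `# For ipv6`, since the existing `# For ipv6` comment above `netstat` then describes the whole body. The `audit` function continues past the end of this hunk.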
@@ -51,15 +38,17 @@ audit () { fi LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then - ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." else echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT - crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules." + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules." fi done rm -f $NETLISTENLIST if [ -f $PROTO_PORT ]; then - crit "Iptables/Ip6tables is not set firewall rules exist for all open ports!" + crit "Ip6tables is not set firewall rules exist for all open ports!" + else + ok "Ip6tables has set firewall rules exist for all open ports!" fi } @@ -70,11 +59,11 @@ apply () { do PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') - warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT" + warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p --dport -m state --state NEW -j ACCEPT" done rm -f $PROTO_PORT else - ok "Iptables/Ip6tables has set firewall rules exist for all open ports!" + ok "Ip6tables has set firewall rules exist for all open ports!" fi } diff --git a/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh b/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh new file mode 100755 index 0000000..cddf180 --- /dev/null 
+++ b/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh 
@@ -0,0 +1,93 @@ +#!/bin/bash + +# +# harbian audit 9 Hardening +# + +# +# 7.7.5.4 Ensure outbound and established connections are configured for v6 (Not Scored) +# For ipv6 +# Add this feature:Author : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 + +PROTOCOL_LIST="tcp udp icmp" +IP6VERSION="IPS6" + +RET_VALUE1=1 +RET_VALUE2=1 + +# This function will be called if the script status is on enabled / audit mode +audit () { + for protocol in $PROTOCOL_LIST + do + # Check INPUT with ESTABLISHED is config + check_input_with_established_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 0 ]; then + RET_VALUE1=0 + info "Portocol $protocol INPUT is conf" + else + RET_VALUE1=1 + info "Portocol $protocol INPUT is not conf" + fi + # Check outbound is config + check_outbound_connect_is_accept "${protocol}" $IP6VERSION + if [ $FNRET = 0 ]; then + RET_VALUE2=0 + info "Portocol $protocol outbound is conf" + else + RET_VALUE2=1 + info "Portocol $protocol outbound is not conf" + fi + done + + if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then + ok "Outbound and established connections are configured for v6." + else + crit "Outbound and established connections are not configured for v6." + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + for protocol in $PROTOCOL_LIST + do + # Apply INPUT with ESTABLISHED + check_input_with_established_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 1 ]; then + warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" + fi + # Apply outbound + check_outbound_connect_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 1 ]; then + warn "Portocol $protocol outbound is not set, need the administrator to manually add it. 
Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/lib/utils.sh b/lib/utils.sh index 59cbd82..e2ba418 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -719,11 +719,16 @@ ensure_lo_traffic_input_is_accept() IPS4=$(which iptables) IPS6=$(which ip6tables) # Check the loopback interface to accept INPUT traffic. - if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then - debug "Ip4tables loopback traffic INPUT has configured!" - FNRET=0 + version=$1 + if [ $version == 'IPS4' ]; then + if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then + debug "Ip4tables loopback traffic INPUT has configured!" + FNRET=0 + else + debug "Ip4tables: loopback traffic INPUT is not configured!" + FNRET=1 + fi else - debug "Ip4tables: loopback traffic INPUT is not configured!" if [ $(${IPS6} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A INPUT \-i ::/0 \-j ACCEPT") -ge 1 ]; then debug "Ip6tables loopback traffic INPUT has configured!" FNRET=0 
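Review bot: `version=$1` followed by `if [ $version == 'IPS4' ]` routes every value other than the exact string `IPS4` — a typo, an empty argument, or a missing one — silently into the ip6tables branch, and `version` is a global that leaks out of the function. Suggest reading the selector as `version="${1:-}"` (with `local` if the library uses it elsewhere), an explicit `elif [ "$version" = 'IPS6' ]; then` for the IPv6 branch, and an `else` that logs the unexpected selector and sets `FNRET=1`. The same dispatch is duplicated in `ensure_lo_traffic_output_is_accept`, `ensure_lo_traffic_other_if_input_is_deny`, `check_outbound_connect_is_accept` and `check_input_with_established_is_accept` in the following hunks; a single shared selector helper would avoid correcting it five times. The body of `ensure_lo_traffic_input_is_accept` continues past the end of this hunk.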
@@ -731,7 +736,7 @@ ensure_lo_traffic_input_is_accept() debug "Ip6tables: loopback traffic INPUT is not configured!" FNRET=1 fi - fi + fi } # Ensure is set accept for OUTPUT of loopback traffic @@ -740,11 +745,16 @@ ensure_lo_traffic_output_is_accept() IPS4=$(which iptables) IPS6=$(which ip6tables) # Check the loopback interface to accept OUTPUT traffic. - if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then - debug "Ip4tables loopback traffic OUTPUT has configured!" - FNRET=0 + version=$1 + if [ $version == 'IPS4' ]; then + if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then + debug "Ip4tables loopback traffic OUTPUT has configured!" + FNRET=0 + else + debug "Ip4tables: loopback traffic OUTPUT is not configured!" + FNRET=1 + fi else - debug "Ip4tables: loopback traffic OUTPUT is not configured!" if [ $(${IPS6} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A OUTPUT \-o ::/0 \-j ACCEPT") -ge 1 ]; then debug "Ip6tables loopback traffic OUTPUT has configured!" FNRET=0 
@@ -760,9 +770,18 @@ ensure_lo_traffic_other_if_input_is_deny() { IPS4=$(which iptables) IPS6=$(which ip6tables) + # all other interfaces to deny traffic to the loopback network. - if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then - debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!" + version=$1 + if [ $version == 'IPS4' ]; then + if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then + debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!" + FNRET=1 + else + debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!" + FNRET=0 + fi + else if [ $(${IPS6} -S | grep -c "^\-A INPUT \-s ::1 \-j DROP") -ge 0 ]; then debug "Ip6tables: loopback traffic INPUT deny from ::1 is not configured!" FNRET=1 @@ -770,9 +789,6 @@ ensure_lo_traffic_other_if_input_is_deny() debug "Ip6tables loopback traffic INPUT deny from ::1 has configured!" FNRET=0 fi - else - debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!" - FNRET=0 fi } @@ -784,8 +800,16 @@ check_outbound_connect_is_accept() IPS6=$(which ip6tables) # $1 maybe is: tcp udp icmp proto=$1 - if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then - debug "Iptables: Protocol $proto outbound is not configured!" + version=$2 + if [ $version == 'IPS4' ]; then + if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then + debug "Iptables: Protocol $proto outbound is not configured!" + FNRET=1 + else + debug "Iptables: Protocol $proto outbound is configured!" + FNRET=0 + fi + else if [ $(${IPS6} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then debug "Ip6tables: Protocol $proto outbound is not configured!" FNRET=1 
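Review bot: In the IPv6 branch of `ensure_lo_traffic_other_if_input_is_deny`, `$(${IPS6} -S | grep -c "^\-A INPUT \-s ::1 \-j DROP") -ge 0` is always true, so now that the new 7.7.5.2 script selects this branch via `IPS6` it can never see the `::1` DROP rule as configured and `INPUT_DENY` stays 1. The comparison should be `-eq 0`, matching the IPv4 branch just above it. The line is unchanged context here, but this commit makes the branch the only path the v6 check takes, so it belongs in the same change. The function's closing lines are in the next hunk.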
@@ -793,9 +817,6 @@ check_outbound_connect_is_accept() debug "Ip6tables: Protocol $proto outbound is configured!" FNRET=0 fi - else - debug "Iptables: Protocol $proto outbound is configured!" - FNRET=0 fi } @@ -807,8 +828,16 @@ check_input_with_established_is_accept() IPS6=$(which ip6tables) # $1 maybe is: tcp udp icmp proto=$1 - if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then - debug "Iptables: Protocol $proto INPUT is not configured!" + version=$2 + if [ $version == 'IPS4' ]; then + if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then + debug "Iptables: Protocol $proto INPUT is not configured!" + FNRET=1 + else + debug "Iptables: Protocol $proto INPUT is configured!" + FNRET=0 + fi + else if [ $(${IPS6} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then debug "Ip6tables: Protocol $proto INPUT is not configured!" FNRET=1 @@ -816,12 +845,10 @@ check_input_with_established_is_accept() debug "Ip6tables: Protocol $proto INPUT is configured!" FNRET=0 fi - else - debug "Iptables: Protocol $proto INPUT is configured!" - FNRET=0 fi } +# for: Create file if parent dir is not exist extend_touch_file() { NEWFILEALLPATH=$1