Add audit and apply methods for ipv6 firewall rules.
This commit is contained in:
parent
3a572da9aa
commit
5867efd5d6
|
@ -23,15 +23,9 @@ IPS6=$(which ip6tables)
|
|||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
|
||||
crit "Ip4tables is not set rule!"
|
||||
if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
|
||||
crit "Ip6tables is not set rule!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip6tables rules are set!"
|
||||
FNRET=0
|
||||
fi
|
||||
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
|
||||
crit "Iptables/Ip6tables is not set rule!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip4tables rules are set!"
|
||||
FNRET=0
|
||||
|
|
|
@ -23,17 +23,11 @@ IPS6=$(which ip6tables)
|
|||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
|
||||
crit "Ip4tables is not set rules of protect DOS attacks!"
|
||||
if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
|
||||
crit "Ip6tables is not set rule!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip6tables rules are set!"
|
||||
FNRET=0
|
||||
fi
|
||||
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
|
||||
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip4tables has set rules for protect DOS attacks!"
|
||||
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
|
|
@ -5,8 +5,8 @@
|
|||
#
|
||||
|
||||
#
|
||||
# 7.7.4 Ensure default deny firewall policy (Scored)
|
||||
# Include ipv4 and ipv6
|
||||
# 7.7.4.1 Ensure default deny firewall policy (Scored)
|
||||
# for ipv4
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
|
@ -16,19 +16,12 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=2
|
||||
|
||||
IPS4=$(which iptables)
|
||||
IPS6=$(which ip6tables)
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
|
||||
crit "Iptables: Firewall policy is not default deny!"
|
||||
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
|
||||
crit "Ip6tables: Firewall policy is not default deny!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip6tables has set default deny for firewall policy!"
|
||||
FNRET=0
|
||||
fi
|
||||
FNRET=1
|
||||
else
|
||||
ok "Iptables has set default deny for firewall policy!"
|
||||
FNRET=0
|
||||
|
@ -38,9 +31,9 @@ audit () {
|
|||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Iptables/Ip6tables has set default deny for firewall policy!"
|
||||
ok "Iptables has set default deny for firewall policy!"
|
||||
else
|
||||
warn "Iptables/Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables/ip6tables -P INPUT DROP; iptables/ip6tables -P OUTPUT DROP; iptables/ip6tables -P FORWARD DROP."
|
||||
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
|
||||
fi
|
||||
}
|
||||
|
|
@ -5,7 +5,7 @@
|
|||
#
|
||||
|
||||
#
|
||||
# 7.7.5 Ensure loopback traffic is configured (Scored)
|
||||
# 7.7.4.2 Ensure loopback traffic is configured (Scored)
|
||||
# Include ipv4 and ipv6
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
@ -18,35 +18,41 @@ HARDENING_LEVEL=2
|
|||
INPUT_ACCEPT=1
|
||||
OUTPUT_ACCEPT=1
|
||||
INPUT_DENY=1
|
||||
IP4VERSION="IPS4"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# Check the loopback interface to accept INPUT traffic.
|
||||
ensure_lo_traffic_input_is_accept
|
||||
ensure_lo_traffic_input_is_accept "$IP4VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
INPUT_ACCEPT=0
|
||||
ok "Iptables loopback traffic INPUT has configured!"
|
||||
info "Iptables loopback traffic INPUT has configured!"
|
||||
else
|
||||
INPUT_ACCEPT=1
|
||||
crit "Iptables: loopback traffic INPUT is not configured!"
|
||||
info "Iptables: loopback traffic INPUT is not configured!"
|
||||
fi
|
||||
# Check the loopback interface to accept OUTPUT traffic.
|
||||
ensure_lo_traffic_output_is_accept
|
||||
ensure_lo_traffic_output_is_accept "$IP4VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
OUTPUT_ACCEPT=0
|
||||
ok "Iptables loopback traffic OUTPUT has configured!"
|
||||
info "Iptables loopback traffic OUTPUT has configured!"
|
||||
else
|
||||
OUTPUT_ACCEPT=1
|
||||
crit "Iptables: loopback traffic OUTPUT is not configured!"
|
||||
info "Iptables: loopback traffic OUTPUT is not configured!"
|
||||
fi
|
||||
# all other interfaces to deny traffic to the loopback network.
|
||||
ensure_lo_traffic_other_if_input_is_deny
|
||||
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
INPUT_DENY=0
|
||||
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
|
||||
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
|
||||
else
|
||||
INPUT_DENY=1
|
||||
crit "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
|
||||
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
|
||||
fi
|
||||
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
|
||||
ok "Loopback traffic rules are configured!"
|
||||
else
|
||||
crit "Loopback traffic rules are not configured!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -55,19 +61,19 @@ apply () {
|
|||
if [ $INPUT_ACCEPT = 0 ]; then
|
||||
ok "Iptables loopback traffic INPUT has configured!"
|
||||
else
|
||||
warn "Iptables/Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -i lo -j ACCEPT"
|
||||
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
|
||||
fi
|
||||
|
||||
if [ $OUTPUT_ACCEPT = 0 ]; then
|
||||
ok "Iptables loopback traffic OUTPUT has configured!"
|
||||
else
|
||||
warn "Iptables/Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A OUTPUT -o lo -j ACCEPT"
|
||||
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
|
||||
fi
|
||||
|
||||
if [ $INPUT_DENY = 0 ]; then
|
||||
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
|
||||
else
|
||||
warn "Iptables/Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables/ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
|
||||
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
|
||||
fi
|
||||
}
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# harbian audit 9 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.7.4.3 Ensure default deny firewall policy (Scored)
|
||||
# For ipv4
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
IPS4=$(which iptables)
|
||||
|
||||
NETLISTENLIST="/dev/shm/7.7.4.3"
|
||||
PROTO_PORT="/dev/shm/proto_port_pair"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# For ipv4
|
||||
rm -f $NETLISTENLIST
|
||||
rm -f $PROTO_PORT
|
||||
netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST
|
||||
cat $NETLISTENLIST | while read LISTENING
|
||||
do
|
||||
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
|
||||
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
|
||||
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
|
||||
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
|
||||
else
|
||||
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
|
||||
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
|
||||
fi
|
||||
done
|
||||
rm -f $NETLISTENLIST
|
||||
if [ -f $PROTO_PORT ]; then
|
||||
crit "Iptables is not set firewall rules exist for all open ports!"
|
||||
else
|
||||
ok "Iptables has set firewall rules exist for all open ports!"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ -f $PROTO_PORT ]; then
|
||||
cat $PROTO_PORT | while read NOSETPAIR
|
||||
do
|
||||
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
|
||||
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
|
||||
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
|
||||
done
|
||||
rm -f $PROTO_PORT
|
||||
else
|
||||
ok "Iptables has set firewall rules exist for all open ports!"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
|
@ -5,8 +5,8 @@
|
|||
#
|
||||
|
||||
#
|
||||
# 7.7.7 Ensure outbound and established connections are configured (Not Scored)
|
||||
# Include ipv4 and ipv6
|
||||
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
|
||||
# For ipv4
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
|
@ -15,27 +15,40 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
RET_VALUE1=1
|
||||
RET_VALUE2=1
|
||||
|
||||
PROTOCOL_LIST="tcp udp icmp"
|
||||
IP4VERSION="IPS4"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for protocol in $PROTOCOL_LIST
|
||||
do
|
||||
# Check INPUT with ESTABLISHED is config
|
||||
check_input_with_established_is_accept "${protocol}"
|
||||
check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Portocol $protocol INPUT is conf"
|
||||
RET_VALUE1=0
|
||||
info "Portocol $protocol INPUT is conf"
|
||||
else
|
||||
crit "Portocol $protocol INPUT is not conf"
|
||||
RET_VALUE1=1
|
||||
info "Portocol $protocol INPUT is not conf"
|
||||
fi
|
||||
# Check outbound is config
|
||||
check_outbound_connect_is_accept "${protocol}"
|
||||
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Portocol $protocol outbound is conf"
|
||||
RET_VALUE2=0
|
||||
info "Portocol $protocol outbound is conf"
|
||||
else
|
||||
crit "Portocol $protocol outbound is not conf"
|
||||
RET_VALUE2=1
|
||||
info "Portocol $protocol outbound is not conf"
|
||||
fi
|
||||
done
|
||||
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
|
||||
ok "Outbound and established connections are configured!"
|
||||
else
|
||||
crit "Outbound and established connections are not configured!"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
|
@ -43,12 +56,12 @@ apply () {
|
|||
for protocol in $PROTOCOL_LIST
|
||||
do
|
||||
# Apply INPUT with ESTABLISHED
|
||||
check_input_with_established_is_accept "${protocol}"
|
||||
check_input_with_established_is_accept "${protocol}" $IP4VERSION
|
||||
if [ $FNRET = 1 ]; then
|
||||
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
|
||||
fi
|
||||
# Apply outbound
|
||||
check_outbound_connect_is_accept "${protocol}"
|
||||
check_outbound_connect_is_accept "${protocol}" $IP4VERSION
|
||||
if [ $FNRET = 1 ]; then
|
||||
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
|
||||
fi
|
|
@ -0,0 +1,61 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# harbian audit 9 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.7.5.1 Ensure default deny firewall policy for v6 (Scored)
|
||||
# for ipv6
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
IPS6=$(which ip6tables)
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
|
||||
crit "Ip6tables: Firewall policy is not default deny!"
|
||||
FNRET=1
|
||||
else
|
||||
ok "Ip6tables has set default deny for firewall policy!"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "Ip6tables has set default deny for firewall policy!"
|
||||
else
|
||||
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
|
@ -0,0 +1,101 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# harbian audit 9 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.7.5.2 Ensure loopback traffic is configured for v6 (Scored)
|
||||
# Foripv6
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
INPUT_ACCEPT=1
|
||||
OUTPUT_ACCEPT=1
|
||||
INPUT_DENY=1
|
||||
IP6VERSION="IPS6"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# Check the loopback interface to accept INPUT traffic.
|
||||
ensure_lo_traffic_input_is_accept $IP6VERSION
|
||||
if [ $FNRET = 0 ]; then
|
||||
INPUT_ACCEPT=0
|
||||
info "Ip6tables loopback traffic INPUT has configured!"
|
||||
else
|
||||
INPUT_ACCEPT=1
|
||||
info "Ip6tables: loopback traffic INPUT is not configured!"
|
||||
fi
|
||||
# Check the loopback interface to accept OUTPUT traffic.
|
||||
ensure_lo_traffic_output_is_accept $IP6VERSION
|
||||
if [ $FNRET = 0 ]; then
|
||||
OUTPUT_ACCEPT=0
|
||||
info "Ip6tables loopback traffic OUTPUT has configured!"
|
||||
else
|
||||
OUTPUT_ACCEPT=1
|
||||
info "Ip6tables: loopback traffic OUTPUT is not configured!"
|
||||
fi
|
||||
# all other interfaces to deny traffic to the loopback network.
|
||||
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
|
||||
if [ $FNRET = 0 ]; then
|
||||
INPUT_DENY=0
|
||||
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
|
||||
else
|
||||
INPUT_DENY=1
|
||||
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
|
||||
fi
|
||||
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
|
||||
ok "Loopback traffic rules were configured for v6!"
|
||||
else
|
||||
crit "Loopback traffic rules are not configured for v6!"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $INPUT_ACCEPT = 0 ]; then
|
||||
ok "Ip6tables loopback traffic INPUT has configured!"
|
||||
else
|
||||
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
|
||||
fi
|
||||
|
||||
if [ $OUTPUT_ACCEPT = 0 ]; then
|
||||
ok "Ip6tables loopback traffic OUTPUT has configured!"
|
||||
else
|
||||
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
|
||||
fi
|
||||
|
||||
if [ $INPUT_DENY = 0 ]; then
|
||||
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
|
||||
else
|
||||
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
|
@ -5,8 +5,8 @@
|
|||
#
|
||||
|
||||
#
|
||||
# 7.7.6 Ensure default deny firewall policy (Scored)
|
||||
# Include ipv4 and ipv6
|
||||
# 7.7.5.3 Ensure default deny firewall policy for v6 (Scored)
|
||||
# For ipv6
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
|
@ -15,29 +15,16 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
IPS4=$(which iptables)
|
||||
IPS6=$(which ip6tables)
|
||||
|
||||
NETLISTENLIST="/dev/shm/7.7.6"
|
||||
PROTO_PORT="/dev/shm/proto_port_pair"
|
||||
NETLISTENLIST="/dev/shm/7.7.5.3"
|
||||
PROTO_PORT="/dev/shm/proto_port_pair_v6"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# For ipv4
|
||||
rm -f $NETLISTENLIST
|
||||
rm -f $PROTO_PORT
|
||||
netstat -ln | egrep -w '^tcp|^udp' > $NETLISTENLIST
|
||||
cat $NETLISTENLIST | while read LISTENING
|
||||
do
|
||||
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
|
||||
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
|
||||
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
|
||||
ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
|
||||
else
|
||||
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
|
||||
crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
|
||||
fi
|
||||
done
|
||||
# For ipv6
|
||||
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
|
||||
cat $NETLISTENLIST | while read LISTENING
|
||||
|
@ -51,15 +38,17 @@ audit () {
|
|||
fi
|
||||
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
|
||||
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
|
||||
ok "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
|
||||
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
|
||||
else
|
||||
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
|
||||
crit "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
|
||||
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
|
||||
fi
|
||||
done
|
||||
rm -f $NETLISTENLIST
|
||||
if [ -f $PROTO_PORT ]; then
|
||||
crit "Iptables/Ip6tables is not set firewall rules exist for all open ports!"
|
||||
crit "Ip6tables is not set firewall rules exist for all open ports!"
|
||||
else
|
||||
ok "Ip6tables has set firewall rules exist for all open ports!"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -70,11 +59,11 @@ apply () {
|
|||
do
|
||||
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
|
||||
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
|
||||
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
|
||||
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
|
||||
done
|
||||
rm -f $PROTO_PORT
|
||||
else
|
||||
ok "Iptables/Ip6tables has set firewall rules exist for all open ports!"
|
||||
ok "Ip6tables has set firewall rules exist for all open ports!"
|
||||
fi
|
||||
}
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# harbian audit 9 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 7.7.5.4 Ensure outbound and established connections are configured for v6 (Not Scored)
|
||||
# For ipv6
|
||||
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PROTOCOL_LIST="tcp udp icmp"
|
||||
IP6VERSION="IPS6"
|
||||
|
||||
RET_VALUE1=1
|
||||
RET_VALUE2=1
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for protocol in $PROTOCOL_LIST
|
||||
do
|
||||
# Check INPUT with ESTABLISHED is config
|
||||
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
|
||||
if [ $FNRET = 0 ]; then
|
||||
RET_VALUE1=0
|
||||
info "Portocol $protocol INPUT is conf"
|
||||
else
|
||||
RET_VALUE1=1
|
||||
info "Portocol $protocol INPUT is not conf"
|
||||
fi
|
||||
# Check outbound is config
|
||||
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
|
||||
if [ $FNRET = 0 ]; then
|
||||
RET_VALUE2=0
|
||||
info "Portocol $protocol outbound is conf"
|
||||
else
|
||||
RET_VALUE2=1
|
||||
info "Portocol $protocol outbound is not conf"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
|
||||
ok "Outbound and established connections are configured for v6."
|
||||
else
|
||||
crit "Outbound and established connections are not configured for v6."
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for protocol in $PROTOCOL_LIST
|
||||
do
|
||||
# Apply INPUT with ESTABLISHED
|
||||
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
|
||||
if [ $FNRET = 1 ]; then
|
||||
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
|
||||
fi
|
||||
# Apply outbound
|
||||
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
|
||||
if [ $FNRET = 1 ]; then
|
||||
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
73
lib/utils.sh
73
lib/utils.sh
|
@ -719,11 +719,16 @@ ensure_lo_traffic_input_is_accept()
|
|||
IPS4=$(which iptables)
|
||||
IPS6=$(which ip6tables)
|
||||
# Check the loopback interface to accept INPUT traffic.
|
||||
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip4tables loopback traffic INPUT has configured!"
|
||||
FNRET=0
|
||||
version=$1
|
||||
if [ $version == 'IPS4' ]; then
|
||||
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A INPUT \-i 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip4tables loopback traffic INPUT has configured!"
|
||||
FNRET=0
|
||||
else
|
||||
debug "Ip4tables: loopback traffic INPUT is not configured!"
|
||||
FNRET=1
|
||||
fi
|
||||
else
|
||||
debug "Ip4tables: loopback traffic INPUT is not configured!"
|
||||
if [ $(${IPS6} -S | grep -c "^\-A INPUT \-i lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A INPUT \-i ::/0 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip6tables loopback traffic INPUT has configured!"
|
||||
FNRET=0
|
||||
|
@ -740,11 +745,16 @@ ensure_lo_traffic_output_is_accept()
|
|||
IPS4=$(which iptables)
|
||||
IPS6=$(which ip6tables)
|
||||
# Check the loopback interface to accept OUTPUT traffic.
|
||||
if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip4tables loopback traffic OUTPUT has configured!"
|
||||
FNRET=0
|
||||
version=$1
|
||||
if [ $version == 'IPS4' ]; then
|
||||
if [ $(${IPS4} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS4} -S | grep -c "^\-A OUTPUT \-o 127.0.0.1 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip4tables loopback traffic OUTPUT has configured!"
|
||||
FNRET=0
|
||||
else
|
||||
debug "Ip4tables: loopback traffic OUTPUT is not configured!"
|
||||
FNRET=1
|
||||
fi
|
||||
else
|
||||
debug "Ip4tables: loopback traffic OUTPUT is not configured!"
|
||||
if [ $(${IPS6} -S | grep -c "^\-A OUTPUT \-o lo \-j ACCEPT") -ge 1 -o $(${IPS6} -S | grep -c "^\-A OUTPUT \-o ::/0 \-j ACCEPT") -ge 1 ]; then
|
||||
debug "Ip6tables loopback traffic OUTPUT has configured!"
|
||||
FNRET=0
|
||||
|
@ -760,9 +770,18 @@ ensure_lo_traffic_other_if_input_is_deny()
|
|||
{
|
||||
IPS4=$(which iptables)
|
||||
IPS6=$(which ip6tables)
|
||||
|
||||
# all other interfaces to deny traffic to the loopback network.
|
||||
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then
|
||||
debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!"
|
||||
version=$1
|
||||
if [ $version == 'IPS4' ]; then
|
||||
if [ $(${IPS4} -S | grep -c "^\-A INPUT \-s 127.0.0.0/8 \-j DROP") -eq 0 ]; then
|
||||
debug "Ip4tables: loopback traffic INPUT deny from 127.0.0.0/8 is not configured!"
|
||||
FNRET=1
|
||||
else
|
||||
debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
if [ $(${IPS6} -S | grep -c "^\-A INPUT \-s ::1 \-j DROP") -ge 0 ]; then
|
||||
debug "Ip6tables: loopback traffic INPUT deny from ::1 is not configured!"
|
||||
FNRET=1
|
||||
|
@ -770,9 +789,6 @@ ensure_lo_traffic_other_if_input_is_deny()
|
|||
debug "Ip6tables loopback traffic INPUT deny from ::1 has configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
debug "Ip4tables loopback traffic INPUT deny from 127.0.0.0/8 has configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -784,8 +800,16 @@ check_outbound_connect_is_accept()
|
|||
IPS6=$(which ip6tables)
|
||||
# $1 maybe is: tcp udp icmp
|
||||
proto=$1
|
||||
if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Iptables: Protocol $proto outbound is not configured!"
|
||||
version=$2
|
||||
if [ $version == 'IPS4' ]; then
|
||||
if [ $(${IPS4} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Iptables: Protocol $proto outbound is not configured!"
|
||||
FNRET=1
|
||||
else
|
||||
debug "Iptables: Protocol $proto outbound is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
if [ $(${IPS6} -S | grep "^\-A OUTPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Ip6tables: Protocol $proto outbound is not configured!"
|
||||
FNRET=1
|
||||
|
@ -793,9 +817,6 @@ check_outbound_connect_is_accept()
|
|||
debug "Ip6tables: Protocol $proto outbound is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
debug "Iptables: Protocol $proto outbound is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -807,8 +828,16 @@ check_input_with_established_is_accept()
|
|||
IPS6=$(which ip6tables)
|
||||
# $1 maybe is: tcp udp icmp
|
||||
proto=$1
|
||||
if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Iptables: Protocol $proto INPUT is not configured!"
|
||||
version=$2
|
||||
if [ $version == 'IPS4' ]; then
|
||||
if [ $(${IPS4} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Iptables: Protocol $proto INPUT is not configured!"
|
||||
FNRET=1
|
||||
else
|
||||
debug "Iptables: Protocol $proto INPUT is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
if [ $(${IPS6} -S | grep "^\-A INPUT" | grep "\-p ${proto}" | grep -c "$PATTERN") -eq 0 ]; then
|
||||
debug "Ip6tables: Protocol $proto INPUT is not configured!"
|
||||
FNRET=1
|
||||
|
@ -816,12 +845,10 @@ check_input_with_established_is_accept()
|
|||
debug "Ip6tables: Protocol $proto INPUT is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
else
|
||||
debug "Iptables: Protocol $proto INPUT is configured!"
|
||||
FNRET=0
|
||||
fi
|
||||
}
|
||||
|
||||
# for: Create file if parent dir is not exist
|
||||
extend_touch_file()
|
||||
{
|
||||
NEWFILEALLPATH=$1
|
||||
|
|
Loading…
Reference in New Issue