Add exception method for --allow-service to skip audit and apply.
parent
fad60e595b
commit
5e8b093cd5
|
@ -12,6 +12,7 @@ set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=3
|
HARDENING_LEVEL=3
|
||||||
|
HARDENING_EXCEPTION=sechardened
|
||||||
|
|
||||||
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
|
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
|
||||||
BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
|
BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
|
||||||
|
@ -20,61 +21,69 @@ SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
if [ $ISEXCEPTION -eq 1 ]; then
|
||||||
check_blacklist_module_set $BLACKLIST_CONF
|
warn "Exception is set to 1, so it's pass!"
|
||||||
if [ $FNRET = 0 ]; then
|
else
|
||||||
ok "$BLACKLIST_CONF was set to blacklist"
|
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
||||||
else
|
check_blacklist_module_set $BLACKLIST_CONF
|
||||||
crit "$BLACKLIST_CONF is not set to blacklist"
|
if [ $FNRET = 0 ]; then
|
||||||
fi
|
ok "$BLACKLIST_CONF was set to blacklist"
|
||||||
done
|
else
|
||||||
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
crit "$BLACKLIST_CONF is not set to blacklist"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
||||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
elif [ $FNRET = 255 ]; then
|
elif [ $FNRET = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
|
crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
if [ $ISEXCEPTION -eq 1 ]; then
|
||||||
check_blacklist_module_set $BLACKLIST_CONF
|
warn "Exception is set to 1, so it's pass!"
|
||||||
if [ $FNRET = 0 ]; then
|
else
|
||||||
ok "$BLACKLIST_CONF was set to blacklist"
|
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
||||||
else
|
check_blacklist_module_set $BLACKLIST_CONF
|
||||||
warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
|
if [ $FNRET = 0 ]; then
|
||||||
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
|
ok "$BLACKLIST_CONF was set to blacklist"
|
||||||
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
|
||||||
else
|
else
|
||||||
touch $HARBIAN_SEC_CONF_FILE
|
warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
|
||||||
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
|
||||||
|
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
||||||
|
else
|
||||||
|
touch $HARBIAN_SEC_CONF_FILE
|
||||||
|
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
done
|
||||||
done
|
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
||||||
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
|
||||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
|
sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
|
||||||
elif [ $FNRET = 255 ]; then
|
elif [ $FNRET = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf"
|
|
||||||
if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then
|
|
||||||
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
|
|
||||||
else
|
else
|
||||||
:
|
warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf"
|
||||||
|
if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then
|
||||||
|
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
|
||||||
|
else
|
||||||
|
:
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
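Review bot: The new guard `if [ $ISEXCEPTION -eq 1 ]; then` at the top of both audit() and apply() dereferences a variable that nothing in this file sets, and the file runs under `set -u` (visible in the first hunk), so if the framework does not define ISEXCEPTION on every code path the script aborts with an unbound-variable error before checking or applying anything; the unquoted expansion also turns an empty value into a `[: -eq: unary operator expected` failure under `set -e`. A defaulted, quoted test is safer in both functions, `if [ "${ISEXCEPTION:-0}" -eq 1 ]; then`. Since the exception branch skips the module blacklist and the nf_conntrack_helper sysctl entirely, the `warn` message would be more useful to an auditor reading the log if it named what was bypassed, e.g. `warn "Exception $HARDENING_EXCEPTION is set, skipping blacklist of $BLACKLIST_CONF_ITEMS and $SYSCTL_PARAM check"`. The new `HARDENING_EXCEPTION=sechardened` variable is not referenced anywhere in this diff; presumably the framework reads it, but a one-line comment above it saying which option consumes it would save the next reader a search.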