From 60be85163bcf4a1749d75337cbec5b5cd5cdde33 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Mon, 26 Nov 2018 09:52:46 -0500
Subject: [PATCH] Add audit and apply firewall(iptables) rules for 7.7.1 7.7.2
---
 bin/hardening/7.7.1_enable_firewall.sh | 71 +++++++++++++++++++
 ....sh => 7.7.2_ensure_set_firewall_rules.sh} | 24 +++----
 lib/utils.sh | 22 ++++++
 3 files changed, 104 insertions(+), 13 deletions(-)
 create mode 100755 bin/hardening/7.7.1_enable_firewall.sh
 rename bin/hardening/{7.7_enable_firewall.sh => 7.7.2_ensure_set_firewall_rules.sh} (74%)
diff --git a/bin/hardening/7.7.1_enable_firewall.sh b/bin/hardening/7.7.1_enable_firewall.sh
new file mode 100755
index 0000000..2afb66d
--- /dev/null
+++ b/bin/hardening/7.7.1_enable_firewall.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9 Hardening
+#
+
+#
+# 7.7.1 Ensure Firewall is active (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+# Quick note here : CIS recommends your iptables rules to be persistent.
+# Do as you want, but this script does not handle this
+
+PACKAGES='iptables iptables-persistent'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES
+ do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed!"
+ FNRET=1
+ break
+ else
+ ok "$PACKAGE is installed"
+ FNRET=0
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGES is installed"
+ else
+ for PACKAGE in $PACKAGES
+ do
+ warn "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh
similarity index 74%
rename from bin/hardening/7.7_enable_firewall.sh
rename to bin/hardening/7.7.2_ensure_set_firewall_rules.sh
index 7e48533..1bde365 100755
--- a/bin/hardening/7.7_enable_firewall.sh
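Review bot: In `apply ()`, as soon as one package is missing the `else` branch installs every entry in `$PACKAGES` and logs `"$PACKAGE is absent, installing it"` for packages that are already present, because `audit ()` breaks out at the first missing package and `apply ()` only consults the combined `FNRET`. Re-running `is_pkg_installed` per package inside the loop keeps the warning truthful and avoids redundant `apt_install` calls. Separately, the header says "Ensure Firewall is active" while both functions only verify that the packages are installed, so a host with iptables installed and no rules loaded still audits ok; either the comment should say what is actually checked (e.g. `# 7.7.1 Ensure Firewall packages are installed (Scored)`) or the note should point readers to 7.7.2, which this commit adds for the rule check.
```shell
apply () {
    if [ $FNRET = 0 ]; then
        ok "$PACKAGES is installed"
    else
        for PACKAGE in $PACKAGES
        do
            # re-check each package so only the missing ones are installed
            is_pkg_installed $PACKAGE
            if [ $FNRET != 0 ]; then
                warn "$PACKAGE is absent, installing it"
                apt_install $PACKAGE
            else
                ok "$PACKAGE is installed"
            fi
        done
    fi
}
```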
+++ b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh @@ -1,11 +1,11 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 9 Hardening # # -# 7.7 Ensure Firewall is active (Scored) +# 7.7.2 Ensure the Firewall is set rules (Scored) # set -e # One error, it's over @@ -16,27 +16,25 @@ HARDENING_LEVEL=2 # Quick note here : CIS recommends your iptables rules to be persistent. # Do as you want, but this script does not handle this -PACKAGE='iptables' +PARAM='SETRULE' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE + check_iptables_set ${PARAM} if [ $FNRET != 0 ]; then - crit "$PACKAGE is not installed!" + crit "Iptables is not set rule!" else - ok "$PACKAGE is installed" + ok "Iptables rules are set!" fi } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi + if [ $FNRET = 0 ]; then + ok "Iptables rules are set!" + else + warn "Iptables rules are not set, need the administrator to manually add it." + fi } # This function will check config parameters required diff --git a/lib/utils.sh b/lib/utils.sh index 9a535f9..5d265fa 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -673,3 +673,25 @@ check_auth_option_nullok_by_pam() fi } +check_iptables_set() +{ + case $1 in + SETRULE) + COUNT=$(iptables -S | grep -Ec "^-A|^-I") + if [ "${COUNT}" -gt 0 ]; then + FNRET=1 + else + FNRET=0 + fi + ;; + SETDOS) + COUNT=$(iptables -S | grep "\-m.*limit" | grep -c "\-\-limit-burst") + if [ "${COUNT}" -eq 0 ]; then + FNRET=1 + else + FNRET=0 + fi + ;; + esac +} +
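Review bot: The new `apply ()` no longer runs the check itself and reads `FNRET` as left behind by `audit ()`, whereas the removed version re-ran `is_pkg_installed` before deciding. If main.sh ever invokes `apply` without `audit` first, `FNRET` is unset and `set -u` aborts the script at `[ $FNRET = 0 ]`; adding `check_iptables_set ${PARAM}` as the first line of `apply ()` keeps the function self-contained, as the removed lines were. The audit message `crit "Iptables is not set rule!"` would read better as `crit "No iptables rules are set!"`.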
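Review bot: The `SETRULE` arm of `check_iptables_set` sets `FNRET=1` when `COUNT` is greater than zero, i.e. when rules exist, which contradicts the `SETDOS` arm (FNRET=1 on zero matches) and the 7.7.2 caller that reports `crit` whenever FNRET is non-zero — a host with rules loaded is flagged as unconfigured and an empty ruleset passes. The condition should read `if [ "${COUNT}" -eq 0 ]; then`. Both `grep -c` invocations exit 1 when they count zero matches, so under the `set -e` these hardening scripts enable the `COUNT=$(...)` assignment aborts the script before the `if` is reached; `COUNT=$(iptables -S | grep -Ec "^-A|^-I" || true)` (and the same `|| true` on the SETDOS pipeline) keeps the zero case reachable. Note also that only the IPv4 filter table is inspected: ip6tables is not consulted, `iptables -S` never emits `-I` lines so that alternative is dead, and a policy-only configuration such as `-P INPUT DROP` with no `-A` rules is reported as unset.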