mirror of
https://github.com/hardenedlinux/harbian-audit.git
synced 2025-07-31 01:24:58 +02:00
Add 14.1 for defense NAT slipstreaming and add method to utils
This commit is contained in:
Samson-W
parent
c24e12541e
commit
6bf8a58bef
107
bin/hardening/14.1_security_related_NAT_slipstreaming.sh
Executable file
107
bin/hardening/14.1_security_related_NAT_slipstreaming.sh
Executable file
@ -0,0 +1,107 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# harbian-audit for Debian GNU/Linux 9/10 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 14.1 Defense for NAT Slipstreaming (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
|
||||||
|
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
|
||||||
|
BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
|
||||||
|
SYSCTL_PARAM='net.netfilter.nf_conntrack_helper'
|
||||||
|
SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
||||||
|
check_blacklist_module_set $BLACKLIST_CONF
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$BLACKLIST_CONF was set to blacklist"
|
||||||
|
else
|
||||||
|
crit "$BLACKLIST_CONF is not set to blacklist"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
|
||||||
|
check_blacklist_module_set $BLACKLIST_CONF
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$BLACKLIST_CONF was set to blacklist"
|
||||||
|
else
|
||||||
|
warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
|
||||||
|
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
|
||||||
|
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
||||||
|
else
|
||||||
|
touch $HARBIAN_SEC_CONF_FILE
|
||||||
|
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
|
||||||
|
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
|
sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
|
||||||
|
elif [ $FNRET = 255 ]; then
|
||||||
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
|
else
|
||||||
|
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will create the config file for this check with default values
|
||||||
|
create_config() {
|
||||||
|
cat <<EOF
|
||||||
|
status=disabled
|
||||||
|
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
|
||||||
|
ISEXCEPTION=0
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||||
|
. $CIS_ROOT_DIR/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
16
lib/utils.sh
16
lib/utils.sh
@ -1212,3 +1212,19 @@ check_sshd_access_limit ()
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check blacklist module set of /etc/modprobe.d/*
|
||||||
|
# If set, return 0; else return 1
|
||||||
|
# Example: $1='nf_nat_sip'
|
||||||
|
check_blacklist_module_set ()
|
||||||
|
{
|
||||||
|
MODPROBE_CONF_FILE_PATTERN='/etc/modprobe.d/*'
|
||||||
|
COUNT=$(grep -w $1 -r $MODPROBE_CONF_FILE_PATTERN | grep "^blacklist" | wc -l)
|
||||||
|
if [ $COUNT -ge 1 ]; then
|
||||||
|
debug "$1 has set in $MODPROBE_CONF_FILE_PATTERN"
|
||||||
|
FNRET=0
|
||||||
|
else
|
||||||
|
debug "$1 is not set in $MODPROBE_CONF_FILE_PATTERN"
|
||||||
|
FNRET=1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user