From 97d921c2c6d03603aaf2016be24072ef95dfe01b Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Wed, 17 Apr 2019 03:48:49 +0800
Subject: [PATCH] 1. Add method for if ipv6 is disabled. 2. Modify ipv6 iptables rules check with check_ipv6_is_enable.
---
 ...ensure_firewall_set_protect_dos_attacks.sh | 56 +++++++++--
 ...ure_default_deny_firewall_policy_for_v6.sh | 30 ++++--
 ...e_loopback_traffic_is_configured_for_v6.sh | 98 +++++++++++--------
 ...l_rules_exist_for_all_open_ports_for_v6.sh | 78 ++++++++-------
 ...ished_connections_are_configured_for_v6.sh | 85 +++++++++-------
 lib/utils.sh | 12 +++
 6 files changed, 229 insertions(+), 130 deletions(-)
diff --git a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
index bcb28c7..add2d95 100755
--- a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
+++ b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
@@ -18,26 +18,68 @@ HARDENING_LEVEL=2 IPS4=$(which iptables) IPS6=$(which ip6tables) +IPV4_RET=1 +IPV6_RET=1 +IPV6_ISENABLE=1 + # Quick note here : CIS recommends your iptables rules to be persistent. # Do as you want, but this script does not handle this # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then - crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!" - FNRET=1 + # ipv4 + if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then + info "Iptables is not set rules of protect DOS attacks!" + IPV4_RET=1 else - ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" - FNRET=0 + info "Iptables has set rules for protect DOS attacks!" + IPV4_RET=0 + fi + # ipv6 + check_ipv6_is_enable + IPV6_ISENABLE=$FNRET + if [ $IPV6_ISENABLE = 0 ]; then + if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then + info "Ip6tables is not set rules of protect DOS attacks!" + IPV6_RET=1 + else + info "Ip6tables has set rules for protect DOS attacks!" + IPV6_RET=0 + fi + fi + if [ $IPV6_ISENABLE -eq 0 ]; then + if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then + crit "Iptables/ip6tables is not set rules of protect DOS attacks!" + FNRET=1 + else + ok "Iptables/ip6tables has set rules for protect DOS attacks!" + FNRET=0 + fi + else + if [ $IPV4_RET -eq 1 ]; then + crit "Iptables is not set rules of protect DOS attacks!" + FNRET=1 + else + ok "Iptables has set rules for protect DOS attacks!" + FNRET=0 + fi fi } # This function will be called if the script status is on enabled mode apply () { if [ $FNRET = 0 ]; then - ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" + if [ $IPV6_ISENABLE -eq 0 ]; then + ok "Iptables/Ip6tables has set rules for protect DOS attacks!" 
+ else + ok "Iptables has set rules for protect DOS attacks!" + fi else - warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it." + if [ $IPV6_ISENABLE -eq 0 ]; then + warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it." + else + warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it." + fi fi } diff --git a/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh b/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh index d3b2d45..95ac7e4 100755 --- a/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh +++ b/bin/hardening/7.7.5.1_ensure_default_deny_firewall_policy_for_v6.sh 
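Review bot: audit() in this hunk tests `IPV6_ISENABLE` with `= 0` the first time and `-eq 0` the second, and the second `if [ $IPV6_ISENABLE -eq 0 ]` block re-tests a value decided a few lines above; folding the final ok/crit decision into the existing v6 branch, with `-eq` used consistently, would drop one nesting level and the four near-duplicate messages. apply() reads `IPV6_ISENABLE`, which only audit() assigns, so if the framework ever calls apply() without a preceding audit() it falls back to the IPv4-only wording — presumably audit always runs first, but a comment above the new global such as `# 1 = ipv6 disabled/unknown; set by audit() via check_ipv6_is_enable` would make that dependency explicit.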
@@ -16,25 +16,37 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 IPS6=$(which ip6tables) +IPV6_ENABLE=1 # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then - crit "Ip6tables: Firewall policy is not default deny!" - FNRET=1 + check_ipv6_is_enable + IPV6_ENABLE=$FNRET + if [ $IPV6_ENABLE -eq 0 ]; then + if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then + crit "Ip6tables: Firewall policy is not default deny!" + FNRET=1 + else + ok "Ip6tables has set default deny for firewall policy!" + FNRET=0 + fi else - ok "Ip6tables has set default deny for firewall policy!" + ok "Ipv6 has set disabled, so pass." FNRET=0 fi } # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then - ok "Ip6tables has set default deny for firewall policy!" - else - warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." - fi + if [ $IPV6_ENABLE -eq 0 ]; then + if [ $FNRET = 0 ]; then + ok "Ip6tables has set default deny for firewall policy!" + else + warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." + fi + else + ok "Ipv6 has set disabled, so pass." + fi } # This function will check config parameters required diff --git a/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh b/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh index 4a42ec6..5a1c3cf 100755 
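Review bot: The re-indented policy test in audit() still reads `${IPS4}` for the OUTPUT and FORWARD chains although this v6 script only defines `IPS6=$(which ip6tables)`; the file runs under `set -u`, so unless IPS4 is supplied by a sourced library the script aborts with an unbound-variable error, and if it is supplied the check inspects the IPv4 tables, so an ip6tables OUTPUT or FORWARD policy of ACCEPT passes the audit. Change the two substitutions to `$(${IPS6} -S | grep -c "\-P OUTPUT DROP")` and `$(${IPS6} -S | grep -c "\-P FORWARD DROP")`. The `Ipv6 has set disabled, so pass.` branch is new policy rather than a check; a one-line comment stating that a disabled stack is accepted because no v6 traffic can be received would document the intent for the next reader.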
--- a/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh
+++ b/bin/hardening/7.7.5.2_ensure_loopback_traffic_is_configured_for_v6.sh
@@ -19,61 +19,73 @@ INPUT_ACCEPT=1 OUTPUT_ACCEPT=1 INPUT_DENY=1 IP6VERSION="IPS6" +IPV6_ENABLE=1 # This function will be called if the script status is on enabled / audit mode audit () { - # Check the loopback interface to accept INPUT traffic. - ensure_lo_traffic_input_is_accept $IP6VERSION - if [ $FNRET = 0 ]; then - INPUT_ACCEPT=0 - info "Ip6tables loopback traffic INPUT has configured!" + check_ipv6_is_enable + IPV6_ENABLE=$FNRET + if [ $IPV6_ENABLE -eq 0 ]; then + # Check the loopback interface to accept INPUT traffic. + ensure_lo_traffic_input_is_accept $IP6VERSION + if [ $FNRET = 0 ]; then + INPUT_ACCEPT=0 + info "Ip6tables loopback traffic INPUT has configured!" + else + INPUT_ACCEPT=1 + info "Ip6tables: loopback traffic INPUT is not configured!" + fi + # Check the loopback interface to accept OUTPUT traffic. + ensure_lo_traffic_output_is_accept $IP6VERSION + if [ $FNRET = 0 ]; then + OUTPUT_ACCEPT=0 + info "Ip6tables loopback traffic OUTPUT has configured!" + else + OUTPUT_ACCEPT=1 + info "Ip6tables: loopback traffic OUTPUT is not configured!" + fi + # all other interfaces to deny traffic to the loopback network. + ensure_lo_traffic_other_if_input_is_deny $IP6VERSION + if [ $FNRET = 0 ]; then + INPUT_DENY=0 + info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" + else + INPUT_DENY=1 + info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!" + fi + + if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then + ok "Loopback traffic rules were configured for v6!" + else + crit "Loopback traffic rules are not configured for v6!" + fi else - INPUT_ACCEPT=1 - info "Ip6tables: loopback traffic INPUT is not configured!" - fi - # Check the loopback interface to accept OUTPUT traffic. - ensure_lo_traffic_output_is_accept $IP6VERSION - if [ $FNRET = 0 ]; then - OUTPUT_ACCEPT=0 - info "Ip6tables loopback traffic OUTPUT has configured!" 
- else - OUTPUT_ACCEPT=1 - info "Ip6tables: loopback traffic OUTPUT is not configured!" - fi - # all other interfaces to deny traffic to the loopback network. - ensure_lo_traffic_other_if_input_is_deny $IP6VERSION - if [ $FNRET = 0 ]; then - INPUT_DENY=0 - info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" - else - INPUT_DENY=1 - info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!" - fi - if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then - ok "Loopback traffic rules were configured for v6!" - else - crit "Loopback traffic rules are not configured for v6!" + ok "Ipv6 has set disabled, so pass." fi } # This function will be called if the script status is on enabled mode apply () { - if [ $INPUT_ACCEPT = 0 ]; then - ok "Ip6tables loopback traffic INPUT has configured!" - else - warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT" - fi + if [ $IPV6_ENABLE -eq 0 ]; then + if [ $INPUT_ACCEPT = 0 ]; then + ok "Ip6tables loopback traffic INPUT has configured!" + else + warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT" + fi - if [ $OUTPUT_ACCEPT = 0 ]; then - ok "Ip6tables loopback traffic OUTPUT has configured!" - else - warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT" - fi + if [ $OUTPUT_ACCEPT = 0 ]; then + ok "Ip6tables loopback traffic OUTPUT has configured!" + else + warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT" + fi - if [ $INPUT_DENY = 0 ]; then - ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" 
+ if [ $INPUT_DENY = 0 ]; then + ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" + else + warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" + fi else - warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" + ok "Ipv6 has set disabled, so pass." fi } diff --git a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh index 4665557..2a498da 100755 --- a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh +++ b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh 
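Review bot: The combined test in audit(), `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]`, is malformed — two `-eq` operators have no right operand and `INPUT_DENY` is never consulted — so `[` fails and the audit reports crit even on a fully configured host. It should read `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`. Separately, the apply() warning for the third rule quotes `ip6tables -A INPUT -s 127.0.0.0/8 -j DROP`, which is an IPv4 network; the IPv6 loopback address is `::1`, so the message should quote `ip6tables -A INPUT -s ::1 -j DROP` and say `::1` rather than `127.0.0.0/8`. Neither the ok nor the crit branch sets FNRET here, unlike the sibling 7.7.3 script in this patch, which presumably matters if the framework reads FNRET after audit().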
@@ -16,55 +16,65 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 IPS6=$(which ip6tables) +IPV6_ENABLE=1 NETLISTENLIST="/dev/shm/7.7.5.3" PROTO_PORT="/dev/shm/proto_port_pair_v6" # This function will be called if the script status is on enabled / audit mode audit () { - # For ipv4 rm -f $NETLISTENLIST rm -f $PROTO_PORT + check_ipv6_is_enable + IPV6_ENABLE=$FNRET # For ipv6 - netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST - cat $NETLISTENLIST | while read LISTENING - do - PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') - if [ "$PROTO_TYPE" == 'tcp6' ]; then - PROTO_TYPE="tcp" + if [ $IPV6_ENABLE -eq 0 ]; then + netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST + cat $NETLISTENLIST | while read LISTENING + do + PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') + if [ "$PROTO_TYPE" == 'tcp6' ]; then + PROTO_TYPE="tcp" + fi + if [ "$PROTO_TYPE" == 'udp6' ]; then + PROTO_TYPE="udp" + fi + LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') + if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." + else + echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT + info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules." + fi + done + rm -f $NETLISTENLIST + if [ -f $PROTO_PORT ]; then + crit "Ip6tables is not set firewall rules exist for all open ports!" + else + ok "Ip6tables has set firewall rules exist for all open ports!" fi - if [ "$PROTO_TYPE" == 'udp6' ]; then - PROTO_TYPE="udp" - fi - LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') - if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then - info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." 
- else - echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT - info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules." - fi - done - rm -f $NETLISTENLIST - if [ -f $PROTO_PORT ]; then - crit "Ip6tables is not set firewall rules exist for all open ports!" - else - ok "Ip6tables has set firewall rules exist for all open ports!" + else + ok "Ipv6 has set disabled, so pass." fi } # This function will be called if the script status is on enabled mode apply () { - if [ -f $PROTO_PORT ]; then - cat $PROTO_PORT | while read NOSETPAIR - do - PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') - LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') - warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p --dport -m state --state NEW -j ACCEPT" - done - rm -f $PROTO_PORT - else - ok "Ip6tables has set firewall rules exist for all open ports!" - fi + if [ $IPV6_ENABLE -eq 0 ]; then + if [ -f $PROTO_PORT ]; then + cat $PROTO_PORT | while read NOSETPAIR + do + PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') + LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') + warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p --dport -m state --state NEW -j ACCEPT" + done + rm -f $PROTO_PORT + else + ok "Ip6tables has set firewall rules exist for all open ports!" + fi + else + ok "Ipv6 has set disabled, so pass." + fi } # This function will check config parameters required diff --git a/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh b/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh index cddf180..0ecf4c8 100755 --- a/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh 
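Review bot: `LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')` in audit() only yields the port for local addresses with exactly three colons before it (`:::22`, `::1:631`); a socket bound to a global address such as `2001:db8::5:80` gives a wrong field, and the following ip6tables grep then searches for the wrong port. Use the last field instead: `LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}')`. The rule match is also exact on `-m state --state NEW -j ACCEPT`, so an equivalent rule written with `-m conntrack --ctstate NEW` is reported as missing — a false crit rather than a false ok, but worth a comment above the grep. The scratch files `$NETLISTENLIST` and `$PROTO_PORT` are written with `>`/`>>` to fixed names under /dev/shm, a world-writable directory; `mktemp` would stop a pre-existing file or symlink of that name from redirecting a root-owned write.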
+++ b/bin/hardening/7.7.5.4_ensure_outbound_and_established_connections_are_configured_for_v6.sh 
@@ -17,56 +17,67 @@ HARDENING_LEVEL=2 PROTOCOL_LIST="tcp udp icmp" IP6VERSION="IPS6" +IPV6_ENABLE=1 RET_VALUE1=1 RET_VALUE2=1 # This function will be called if the script status is on enabled / audit mode audit () { - for protocol in $PROTOCOL_LIST - do - # Check INPUT with ESTABLISHED is config - check_input_with_established_is_accept "${protocol}" "$IP6VERSION" - if [ $FNRET = 0 ]; then - RET_VALUE1=0 - info "Portocol $protocol INPUT is conf" - else - RET_VALUE1=1 - info "Portocol $protocol INPUT is not conf" - fi - # Check outbound is config - check_outbound_connect_is_accept "${protocol}" $IP6VERSION - if [ $FNRET = 0 ]; then - RET_VALUE2=0 - info "Portocol $protocol outbound is conf" - else - RET_VALUE2=1 - info "Portocol $protocol outbound is not conf" - fi - done + check_ipv6_is_enable + IPV6_ENABLE=$FNRET + if [ $IPV6_ENABLE -eq 0 ]; then + for protocol in $PROTOCOL_LIST + do + # Check INPUT with ESTABLISHED is config + check_input_with_established_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 0 ]; then + RET_VALUE1=0 + info "Portocol $protocol INPUT is conf" + else + RET_VALUE1=1 + info "Portocol $protocol INPUT is not conf" + fi + # Check outbound is config + check_outbound_connect_is_accept "${protocol}" $IP6VERSION + if [ $FNRET = 0 ]; then + RET_VALUE2=0 + info "Portocol $protocol outbound is conf" + else + RET_VALUE2=1 + info "Portocol $protocol outbound is not conf" + fi + done - if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then - ok "Outbound and established connections are configured for v6." + if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then + ok "Outbound and established connections are configured for v6." + else + crit "Outbound and established connections are not configured for v6." + fi else - crit "Outbound and established connections are not configured for v6." + ok "Ipv6 has set disabled, so pass." 
fi } # This function will be called if the script status is on enabled mode apply () { - for protocol in $PROTOCOL_LIST - do - # Apply INPUT with ESTABLISHED - check_input_with_established_is_accept "${protocol}" "$IP6VERSION" - if [ $FNRET = 1 ]; then - warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" - fi - # Apply outbound - check_outbound_connect_is_accept "${protocol}" "$IP6VERSION" - if [ $FNRET = 1 ]; then - warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" - fi - done + if [ $IPV6_ENABLE -eq 0 ]; then + for protocol in $PROTOCOL_LIST + do + # Apply INPUT with ESTABLISHED + check_input_with_established_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 1 ]; then + warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" + fi + # Apply outbound + check_outbound_connect_is_accept "${protocol}" "$IP6VERSION" + if [ $FNRET = 1 ]; then + warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" + fi + done + else + ok "Ipv6 has set disabled, so pass." + fi } # This function will check config parameters required diff --git a/lib/utils.sh b/lib/utils.sh index e2ba418..512af2f 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -860,3 +860,15 @@ extend_touch_file() fi } +# Check ipv6 is enable +check_ipv6_is_enable() +{ + if [ $(ip -6 addr | wc -l) -gt 0 ]; then + debug "Ipv6 is enabled." + FNRET=0 + else + debug "Ipv6 is disabled." + FNRET=1 + fi +} +
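Review bot: In audit(), `RET_VALUE1` and `RET_VALUE2` are re-assigned on every pass through `for protocol in $PROTOCOL_LIST`, so the final `if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]` reflects only the last protocol (icmp) and a missing tcp or udp rule is reported as ok. Set `RET_VALUE1=0` and `RET_VALUE2=0` once before the loop and delete the `RET_VALUE1=0` / `RET_VALUE2=0` assignments in the two success branches, so that a failure on any protocol sticks. The outbound call passes `$IP6VERSION` unquoted while the established call quotes it; quoting both would match the rest of the file.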
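Review bot: `check_ipv6_is_enable` in lib/utils.sh reports "disabled" (FNRET=1) whenever `ip -6 addr` produces no output, which also happens when the `ip` binary is missing or fails, because `wc -l` then prints 0; every v6 script in this patch skips its checks and reports ok on FNRET=1, so an absent `ip` turns all IPv6 firewall audits into passes. Treat an unknown state as enabled by adding `command -v ip >/dev/null 2>&1 || { warn "ip command not found, assuming ipv6 is enabled"; FNRET=0; return; }` before the test. A non-empty `ip -6 addr` also includes link-local addresses, so a stack disabled only on some interfaces is still treated as enabled, which is the safe direction; a comment above the function stating that intent would help, and the header `# Check ipv6 is enable` should read `# Check whether ipv6 is enabled`.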