1. Add a method that checks whether ipv6 is disabled.

2. Modify ipv6 iptables rules check with check_ipv6_is_enable.
This commit is contained in:
Samson-W 2019-04-17 03:48:49 +08:00
parent e8459b26e0
commit 97d921c2c6
6 changed files with 229 additions and 130 deletions


@ -18,26 +18,68 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV4_RET=1
IPV6_RET=1
IPV6_ISENABLE=1
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then # ipv4
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!" if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1 FNRET=1
else else
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0 FNRET=0
fi fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else else
warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it." ok "Iptables has set rules for protect DOS attacks!"
fi
else
if [ $IPV6_ISENABLE -eq 0 ]; then
warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
else
warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
fi
fi fi
} }
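Review bot: The new file-level default `IPV6_ISENABLE=1` means "disabled" until audit() has run check_ipv6_is_enable, so if apply() can ever be invoked without audit() in the same shell the IPv6 branch is silently skipped; defaulting to enabled (`IPV6_ISENABLE=0`) or calling `check_ipv6_is_enable` at the top of apply() keeps the default fail-closed, and the same default appears as `IPV6_ENABLE=1` in the four ip6tables sections that follow. The added test `if [ $IPV6_ISENABLE = 0 ]; then` compares as a string while the test a few lines later uses `-eq`; since the value is numeric, `-eq` in both places avoids the inconsistency. The `${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst"` pipeline is now written twice (once per family); a small helper taking the binary as its argument would keep the IPv4 and IPv6 checks from drifting apart.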


@ -16,9 +16,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!" crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1 FNRET=1
@ -26,15 +30,23 @@ audit () {
ok "Ip6tables has set default deny for firewall policy!" ok "Ip6tables has set default deny for firewall policy!"
FNRET=0 FNRET=0
fi fi
else
ok "Ipv6 has set disabled, so pass."
FNRET=0
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!" ok "Ip6tables has set default deny for firewall policy!"
else else
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
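Review bot: The default-deny test that the new IPv6 guard wraps still reads `${IPS4} -S` for the OUTPUT and FORWARD policies, so an ip6tables OUTPUT or FORWARD policy of ACCEPT is never reported as long as the IPv4 tables have DROP there; all three should use the ip6tables binary: `if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then`. The line is context rather than part of this commit, but after the change it is the only verdict the enabled-IPv6 branch produces. Unless IPS4 is defined somewhere above the hunk, `set -u` on the header line also makes that expansion fail outright inside the command substitution, which presumably is why the check has not been noticed.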
# This function will check config parameters required # This function will check config parameters required


@ -19,9 +19,13 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1 OUTPUT_ACCEPT=1
INPUT_DENY=1 INPUT_DENY=1
IP6VERSION="IPS6" IP6VERSION="IPS6"
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
# Check the loopback interface to accept INPUT traffic. # Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -49,15 +53,20 @@ audit () {
INPUT_DENY=1 INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!" info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!" ok "Loopback traffic rules were configured for v6!"
else else
crit "Loopback traffic rules are not configured for v6!" crit "Loopback traffic rules are not configured for v6!"
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $INPUT_ACCEPT = 0 ]; then if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!" ok "Ip6tables loopback traffic INPUT has configured!"
else else
@ -75,6 +84,9 @@ apply () {
else else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
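Review bot: The combined verdict line `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then` is malformed — `-eq` twice has no right-hand operand and `$INPUT_DENY` is never consulted — so `[` exits with an error and the `crit` branch always runs whatever rules are present; it should read `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`. The line is context, but the new guard now wraps it, making it the only outcome the IPv6 branch can report. Unlike the previous section's audit(), the disabled-IPv6 `else` branch added here prints ok but leaves FNRET at the 1 that check_ipv6_is_enable set, so if anything reads FNRET after audit() a disabled IPv6 looks like a failure; adding `FNRET=0` there as the sibling script does would make the scripts consistent, and the same applies to the two ip6tables sections that follow. The `Howto set` text in the warn on the `127.0.0.0/8` line gives an IPv4 source for an ip6tables rule, which an administrator would copy verbatim; the IPv6 loopback address is `::1`.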
# This function will check config parameters required # This function will check config parameters required


@ -16,16 +16,19 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV6_ENABLE=1
NETLISTENLIST="/dev/shm/7.7.5.3" NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6" PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# For ipv4
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
rm -f $PROTO_PORT rm -f $PROTO_PORT
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
# For ipv6 # For ipv6
if [ $IPV6_ENABLE -eq 0 ]; then
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING cat $NETLISTENLIST | while read LISTENING
do do
@ -50,10 +53,14 @@ audit () {
else else
ok "Ip6tables has set firewall rules exist for all open ports!" ok "Ip6tables has set firewall rules exist for all open ports!"
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ -f $PROTO_PORT ]; then if [ -f $PROTO_PORT ]; then
cat $PROTO_PORT | while read NOSETPAIR cat $PROTO_PORT | while read NOSETPAIR
do do
@ -65,6 +72,9 @@ apply () {
else else
ok "Ip6tables has set firewall rules exist for all open ports!" ok "Ip6tables has set firewall rules exist for all open ports!"
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
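Review bot: The comment `# For ipv4` added above the two `rm -f` lines is misleading: this script only inspects tcp6/udp6 listeners and ip6tables, and the removals simply clear the scratch files before the IPv6 pass that follows, so `# Clear scratch files left by a previous run` describes what they do. Those scratch paths, `/dev/shm/7.7.5.3` and `/dev/shm/proto_port_pair_v6`, are fixed names in a shared, world-writable directory that the script deletes and recreates with `>` on every run; fixed names in shared tmp directories are a classic source of clobbering and symlink trouble, and `mktemp` in a private directory would avoid it, though this predates the commit. The audit() and apply() bodies between the hunks are outside this view.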
# This function will check config parameters required # This function will check config parameters required


@ -17,12 +17,16 @@ HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp" PROTOCOL_LIST="tcp udp icmp"
IP6VERSION="IPS6" IP6VERSION="IPS6"
IPV6_ENABLE=1
RET_VALUE1=1 RET_VALUE1=1
RET_VALUE2=1 RET_VALUE2=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST for protocol in $PROTOCOL_LIST
do do
# Check INPUT with ESTABLISHED is config # Check INPUT with ESTABLISHED is config
@ -50,10 +54,14 @@ audit () {
else else
crit "Outbound and established connections are not configured for v6." crit "Outbound and established connections are not configured for v6."
fi fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST for protocol in $PROTOCOL_LIST
do do
# Apply INPUT with ESTABLISHED # Apply INPUT with ESTABLISHED
@ -67,6 +75,9 @@ apply () {
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi fi
done done
else
ok "Ipv6 has set disabled, so pass."
fi
} }
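Review bot: The warn text on the `Howto apply: ip6tables -A OUTPUT` line misspells the leading word as `Portocol`; since the message is what the administrator reads and acts on, it should begin `Protocol $protocol outbound is not set, ...`. The disabled-IPv6 `else` branches added to audit() and apply() print the same `ok "Ipv6 has set disabled, so pass."` that four sibling scripts now carry; wording such as `ok "IPv6 is disabled, check skipped."` reads better, and a shared helper would keep the five copies aligned. Both function bodies continue outside the hunks shown.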
# This function will check config parameters required # This function will check config parameters required


@ -860,3 +860,15 @@ extend_touch_file()
fi fi
} }
# Check ipv6 is enable
check_ipv6_is_enable()
{
if [ $(ip -6 addr | wc -l) -gt 0 ]; then
debug "Ipv6 is enabled."
FNRET=0
else
debug "Ipv6 is disabled."
FNRET=1
fi
}
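Review bot: check_ipv6_is_enable fails open: `ip -6 addr | wc -l` yields 0 not only when IPv6 is disabled but also when `ip` is missing from PATH or exits with an error, and every ip6tables check in this commit then reports "so pass" without examining a single rule. Reading the kernel's own switch, `/proc/sys/net/ipv6/conf/all/disable_ipv6`, and treating anything other than an explicit `1` as enabled keeps the default fail-closed; a host that disables IPv6 only per interface still gets its ip6tables audited, which is the safer outcome. The `debug` helper is presumably defined earlier in this file. The rewritten body is below.
```shell
# Check ipv6 is enable (FNRET=0 enabled, FNRET=1 disabled).
# Fail closed: only report "disabled" when the kernel sysctl says so.
check_ipv6_is_enable()
{
    local disable_flag=/proc/sys/net/ipv6/conf/all/disable_ipv6
    if [ -r "$disable_flag" ] && [ "$(cat "$disable_flag")" = "1" ]; then
        debug "Ipv6 is disabled."
        FNRET=1
    else
        # Missing or unreadable flag, or any value other than 1: assume enabled.
        debug "Ipv6 is enabled."
        FNRET=0
    fi
}
```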