1. Add a method to check whether ipv6 is disabled.

2. Modify the ipv6 iptables rule checks to use check_ipv6_is_enable.
This commit is contained in:
Samson-W 2019-04-17 03:48:49 +08:00
parent e8459b26e0
commit 97d921c2c6
6 changed files with 229 additions and 130 deletions


@ -18,26 +18,68 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV4_RET=1
IPV6_RET=1
IPV6_ISENABLE=1
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then # ipv4
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!" if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
FNRET=1 info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else else
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" info "Iptables has set rules for protect DOS attacks!"
FNRET=0 IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!" if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
ok "Iptables has set rules for protect DOS attacks!"
fi
else else
warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it." if [ $IPV6_ISENABLE -eq 0 ]; then
warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
else
warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
fi
fi fi
} }
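Review bot: The IPv6 gate is spelled two ways in the new audit body — `if [ $IPV6_ISENABLE = 0 ]` for the per-family check and `if [ $IPV6_ISENABLE -eq 0 ]` for the final verdict — while the other scripts in this commit consistently use `-eq`; use `if [ "$IPV6_ISENABLE" -eq 0 ]; then` in both places. The combined verdict also relies on `-o` inside `[`, which POSIX marks obsolescent; `if [ "$IPV4_RET" -eq 1 ] || [ "$IPV6_RET" -eq 1 ]; then` is the unambiguous form. `apply` reads IPV6_ISENABLE but only `audit` assigns it, so its messages are correct only if the framework always runs audit first; a comment on the `IPV6_ISENABLE=1` default such as `# 1 = assume IPv6 disabled until audit() has called check_ipv6_is_enable` would record that dependency.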


@ -16,25 +16,37 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then check_ipv6_is_enable
crit "Ip6tables: Firewall policy is not default deny!" IPV6_ENABLE=$FNRET
FNRET=1 if [ $IPV6_ENABLE -eq 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
else else
ok "Ip6tables has set default deny for firewall policy!" ok "Ipv6 has set disabled, so pass."
FNRET=0 FNRET=0
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $IPV6_ENABLE -eq 0 ]; then
ok "Ip6tables has set default deny for firewall policy!" if [ $FNRET = 0 ]; then
else ok "Ip6tables has set default deny for firewall policy!"
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP." else
fi warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will check config parameters required # This function will check config parameters required
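Review bot: The default-deny check that the new `IPV6_ENABLE` branch wraps still queries `${IPS4}` for the OUTPUT and FORWARD policies, so two of the three verdicts in this ip6tables script are taken from the IPv4 ruleset; only `IPS6` is assigned in the visible lines, and with `set -u` an unset `IPS4` would abort the audit outright (it may be provided by a sourced library — worth confirming). The line should read `if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS6} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then`. This was already wrong before the commit, but the commit re-indents the line and is the natural place to fix it.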


@ -19,61 +19,73 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1 OUTPUT_ACCEPT=1
INPUT_DENY=1 INPUT_DENY=1
IP6VERSION="IPS6" IP6VERSION="IPS6"
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# Check the loopback interface to accept INPUT traffic. check_ipv6_is_enable
ensure_lo_traffic_input_is_accept $IP6VERSION IPV6_ENABLE=$FNRET
if [ $FNRET = 0 ]; then if [ $IPV6_ENABLE -eq 0 ]; then
INPUT_ACCEPT=0 # Check the loopback interface to accept INPUT traffic.
info "Ip6tables loopback traffic INPUT has configured!" ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
else else
INPUT_ACCEPT=1 ok "Ipv6 has set disabled, so pass."
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $INPUT_ACCEPT = 0 ]; then if [ $IPV6_ENABLE -eq 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!" if [ $INPUT_ACCEPT = 0 ]; then
else ok "Ip6tables loopback traffic INPUT has configured!"
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT" else
fi warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!" ok "Ip6tables loopback traffic OUTPUT has configured!"
else else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT" warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi fi
if [ $INPUT_DENY = 0 ]; then if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!" ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
else else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP" ok "Ipv6 has set disabled, so pass."
fi fi
} }
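Review bot: The summary condition inside the new v6 branch, `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then`, is malformed — the two trailing `-eq` have no operand and `INPUT_DENY` is never consulted — so `[` reports a syntax error and the audit always prints the crit line even when all three loopback rules exist. It should be `if [ "$INPUT_ACCEPT" -eq 0 ] && [ "$OUTPUT_ACCEPT" -eq 0 ] && [ "$INPUT_DENY" -eq 0 ]; then`. Separately, the `apply` warning for the third rule quotes `ip6tables -A INPUT -s 127.0.0.0/8 -j DROP`, an IPv4 prefix ip6tables will not accept; the IPv6 loopback address is `::1`, but `ensure_lo_traffic_other_if_input_is_deny` is outside this diff, so check what it actually matches before changing the text. Note also that this audit never assigns FNRET, unlike the sibling scripts in the commit.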


@ -16,55 +16,65 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
IPV6_ENABLE=1
NETLISTENLIST="/dev/shm/7.7.5.3" NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6" PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# For ipv4
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
rm -f $PROTO_PORT rm -f $PROTO_PORT
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
# For ipv6 # For ipv6
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST if [ $IPV6_ENABLE -eq 0 ]; then
cat $NETLISTENLIST | while read LISTENING netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
do cat $NETLISTENLIST | while read LISTENING
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') do
if [ "$PROTO_TYPE" == 'tcp6' ]; then PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
PROTO_TYPE="tcp" if [ "$PROTO_TYPE" == 'tcp6' ]; then
PROTO_TYPE="tcp"
fi
if [ "$PROTO_TYPE" == 'udp6' ]; then
PROTO_TYPE="udp"
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi fi
if [ "$PROTO_TYPE" == 'udp6' ]; then else
PROTO_TYPE="udp" ok "Ipv6 has set disabled, so pass."
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ -f $PROTO_PORT ]; then if [ $IPV6_ENABLE -eq 0 ]; then
cat $PROTO_PORT | while read NOSETPAIR if [ -f $PROTO_PORT ]; then
do cat $PROTO_PORT | while read NOSETPAIR
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') do
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT" LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
done warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
rm -f $PROTO_PORT done
else rm -f $PROTO_PORT
ok "Ip6tables has set firewall rules exist for all open ports!" else
fi ok "Ip6tables has set firewall rules exist for all open ports!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will check config parameters required # This function will check config parameters required
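Review bot: The port extraction in the new v6 loop, `awk -F: '{print $4}'`, is only correct for wildcard sockets of the form `:::<port>`; a listener bound to an explicit IPv6 address has a different number of colon-separated fields, so `LISTEN_PORT` picks up an address fragment and the ip6tables rule for that service is looked up under the wrong port. `awk -F: '{print $NF}'` takes the last field and works for every address form. The scratch files are also fixed names under `/dev/shm` (`NETLISTENLIST`, `PROTO_PORT`), a shared, world-writable location where another local user can pre-create or symlink them before the audit runs; `mktemp` plus a cleanup `trap` is the usual replacement, and the `cat $NETLISTENLIST | while read` pipeline could then become `while read LISTENING; do ...; done < "$NETLISTENLIST"`.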


@ -17,56 +17,67 @@ HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp" PROTOCOL_LIST="tcp udp icmp"
IP6VERSION="IPS6" IP6VERSION="IPS6"
IPV6_ENABLE=1
RET_VALUE1=1 RET_VALUE1=1
RET_VALUE2=1 RET_VALUE2=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for protocol in $PROTOCOL_LIST check_ipv6_is_enable
do IPV6_ENABLE=$FNRET
# Check INPUT with ESTABLISHED is config if [ $IPV6_ENABLE -eq 0 ]; then
check_input_with_established_is_accept "${protocol}" "$IP6VERSION" for protocol in $PROTOCOL_LIST
if [ $FNRET = 0 ]; then do
RET_VALUE1=0 # Check INPUT with ESTABLISHED is config
info "Portocol $protocol INPUT is conf" check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
else if [ $FNRET = 0 ]; then
RET_VALUE1=1 RET_VALUE1=0
info "Portocol $protocol INPUT is not conf" info "Portocol $protocol INPUT is conf"
fi else
# Check outbound is config RET_VALUE1=1
check_outbound_connect_is_accept "${protocol}" $IP6VERSION info "Portocol $protocol INPUT is not conf"
if [ $FNRET = 0 ]; then fi
RET_VALUE2=0 # Check outbound is config
info "Portocol $protocol outbound is conf" check_outbound_connect_is_accept "${protocol}" $IP6VERSION
else if [ $FNRET = 0 ]; then
RET_VALUE2=1 RET_VALUE2=0
info "Portocol $protocol outbound is not conf" info "Portocol $protocol outbound is conf"
fi else
done RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured for v6." ok "Outbound and established connections are configured for v6."
else
crit "Outbound and established connections are not configured for v6."
fi
else else
crit "Outbound and established connections are not configured for v6." ok "Ipv6 has set disabled, so pass."
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for protocol in $PROTOCOL_LIST if [ $IPV6_ENABLE -eq 0 ]; then
do for protocol in $PROTOCOL_LIST
# Apply INPUT with ESTABLISHED do
check_input_with_established_is_accept "${protocol}" "$IP6VERSION" # Apply INPUT with ESTABLISHED
if [ $FNRET = 1 ]; then check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" if [ $FNRET = 1 ]; then
fi warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
# Apply outbound fi
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION" # Apply outbound
if [ $FNRET = 1 ]; then check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" if [ $FNRET = 1 ]; then
fi warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
done fi
done
else
ok "Ipv6 has set disabled, so pass."
fi
} }
# This function will check config parameters required # This function will check config parameters required
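Review bot: `RET_VALUE1` and `RET_VALUE2` are reassigned on every pass through the new `for protocol` loop, so the verdict after the loop reflects only the last protocol in `PROTOCOL_LIST` (icmp); a missing tcp or udp ESTABLISHED/outbound rule is masked whenever icmp is configured. Initialise both to 0 just before the loop and delete the `RET_VALUE1=0` and `RET_VALUE2=0` assignments inside it, keeping only the `=1` assignments in the two else branches, so that any single failure sticks. The summary test would then read more naturally as `if [ "$RET_VALUE1" -eq 0 ] && [ "$RET_VALUE2" -eq 0 ]; then`.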


@ -860,3 +860,15 @@ extend_touch_file()
fi fi
} }
# Check ipv6 is enable
check_ipv6_is_enable()
{
if [ $(ip -6 addr | wc -l) -gt 0 ]; then
debug "Ipv6 is enabled."
FNRET=0
else
debug "Ipv6 is disabled."
FNRET=1
fi
}
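Review bot: `check_ipv6_is_enable` fails open — if `ip` is missing or `ip -6 addr` errors, the pipe is empty, `wc -l` prints 0 and the function reports IPv6 disabled, and every caller in this commit treats 'disabled' as a pass, so all ip6tables audits are silently skipped. Reading the kernel's own state avoids that: when `/proc/sys/net/ipv6` is absent the stack is not built or was disabled at boot, `/proc/sys/net/ipv6/conf/all/disable_ipv6` equal to 1 means it was switched off, and anything else (including an unreadable knob) should count as enabled so the audits keep running. Per-interface `disable_ipv6` settings are not covered by either approach, which the header comment should say. The header should also document the return convention, `# Sets FNRET=0 if the IPv6 stack is active, FNRET=1 if it is disabled.`
```shell
# Check ipv6 is enable
# Sets FNRET=0 if the IPv6 stack is active, FNRET=1 if it is disabled.
# Only the global knob is consulted; per-interface disable_ipv6 is not covered.
check_ipv6_is_enable()
{
    if [ ! -d /proc/sys/net/ipv6 ]; then
        # no IPv6 stack in this kernel (module absent or ipv6.disable=1 at boot)
        debug "Ipv6 is disabled."
        FNRET=1
    elif [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" = "1" ]; then
        debug "Ipv6 is disabled."
        FNRET=1
    else
        # enabled, or the knob could not be read: fail closed and keep the v6 audits running
        debug "Ipv6 is enabled."
        FNRET=0
    fi
}
```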