1. Add a method to check whether ipv6 is disabled.

2. Modify ipv6 iptables rules check with check_ipv6_is_enable.
This commit is contained in:
Samson-W 2019-04-17 03:48:49 +08:00
parent e8459b26e0
commit 97d921c2c6
6 changed files with 229 additions and 130 deletions


@ -18,26 +18,68 @@ HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
IPV4_RET=1
IPV6_RET=1
IPV6_ISENABLE=1
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!"
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
ok "Iptables has set rules for protect DOS attacks!"
fi
else
if [ $IPV6_ISENABLE -eq 0 ]; then
warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
else
warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
fi
fi
}
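Review bot: The new IPv6 gate is tested two different ways in the same function: `if [ $IPV6_ISENABLE = 0 ]` (string comparison) at the top of the v6 branch and `if [ $IPV6_ISENABLE -eq 0 ]` (numeric) a few lines later and again in apply(); pick one form, preferably `-eq`, so the two checks cannot drift apart. apply() branches on IPV6_ISENABLE, which is only assigned inside audit(); if the framework ever runs apply() without audit() in the same process it will read the file-level default of 1 and report only the IPv4 result, which is worth a one-line comment such as `# IPV6_ISENABLE is populated by audit(); apply() assumes audit ran first`. The ip6tables invocation is now reached only when IPv6 is enabled, but `${IPS6}` still comes from `$(which ip6tables)` and, if the binary is absent, expands to an empty word before `-S`, so a presence check on IPS6 before the command substitution would keep the comparison well-formed.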


@ -16,9 +16,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
@ -26,15 +30,23 @@ audit () {
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
else
ok "Ipv6 has set disabled, so pass."
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!"
else
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
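Review bot: The policy check that the commit now wraps in the IPv6-enabled branch inspects the wrong table for two of its three conditions: `$(${IPS4} -S | grep -c "\-P OUTPUT DROP")` and `$(${IPS4} -S | grep -c "\-P FORWARD DROP")` query iptables (IPv4), while this is the ip6tables script and only `IPS6` is declared at the top of the file. Replace both `${IPS4}` with `${IPS6}` so OUTPUT and FORWARD are checked on the v6 ruleset; as written an IPv6 host with v4 default-deny but v6 OUTPUT/FORWARD ACCEPT would be reported as compliant. With the file's `set -u`, `${IPS4}` would also abort with an unbound-variable error unless it is defined in a sourced library, which the hunk does not show.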


@ -19,9 +19,13 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP6VERSION="IPS6"
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
@ -49,15 +53,20 @@ audit () {
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
@ -75,6 +84,9 @@ apply () {
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
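Review bot: The summary test inside the new v6-enabled branch is malformed: `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then` is missing the operand after each `-eq` and compares OUTPUT_ACCEPT twice, so `[` reports a syntax error and neither the ok nor the crit message is ever reached. Given the three flags initialised at the top of the file (INPUT_ACCEPT, OUTPUT_ACCEPT, INPUT_DENY), the intended line is presumably `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`. Separately, the added "Ipv6 has set disabled, so pass." branch does not set `FNRET=0`, unlike the same branch in the default-deny script; check_ipv6_is_enable leaves FNRET at 1 for the disabled case, so if the framework reads FNRET after audit() the pass message and the status disagree. The same omission appears in the open-ports and outbound/established scripts that follow.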


@ -16,16 +16,19 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode
audit () {
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
# For ipv6
if [ $IPV6_ENABLE -eq 0 ]; then
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
do
@ -50,10 +53,14 @@ audit () {
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
if [ -f $PROTO_PORT ]; then
cat $PROTO_PORT | while read NOSETPAIR
do
@ -65,6 +72,9 @@ apply () {
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
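Review bot: NETLISTENLIST and PROTO_PORT are fixed paths under /dev/shm, which is world-writable, and audit() does `rm -f` followed by an unconditional `>` redirect into them; a symlink placed at the same name between the two operations would redirect the write elsewhere, and two concurrent runs clobber each other's state. Create a private directory instead, e.g. `WORKDIR=$(mktemp -d)` with `NETLISTENLIST="$WORKDIR/netlisten"` and `PROTO_PORT="$WORKDIR/proto_port_pair_v6"`, and remove it with an EXIT trap; keeping PROTO_PORT's existence as the "unset pairs found" signal still works because the directory, not the file, is pre-created. The `# For ipv4` comment above the `rm -f` lines is stale in this v6 script and should read `# reset scratch files from a previous run`. The `cat $NETLISTENLIST | while read LISTENING` loop runs in a subshell, so any variables it sets are lost afterwards; `while read LISTENING; do ...; done < "$NETLISTENLIST"` avoids that and the extra process.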


@ -17,12 +17,16 @@ HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp"
IP6VERSION="IPS6"
IPV6_ENABLE=1
RET_VALUE1=1
RET_VALUE2=1
# This function will be called if the script status is on enabled / audit mode
audit () {
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
@ -50,10 +54,14 @@ audit () {
else
crit "Outbound and established connections are not configured for v6."
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
@ -67,6 +75,9 @@ apply () {
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required


@ -860,3 +860,15 @@ extend_touch_file()
fi
}
# Check ipv6 is enable
check_ipv6_is_enable()
{
if [ $(ip -6 addr | wc -l) -gt 0 ]; then
debug "Ipv6 is enabled."
FNRET=0
else
debug "Ipv6 is disabled."
FNRET=1
fi
}
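Review bot: check_ipv6_is_enable decides purely on the stdout line count of `ip -6 addr`; if the `ip` tool is missing, not on PATH, or the kernel lacks IPv6 support, the error goes to stderr, the count is 0 and the host is reported as "IPv6 disabled", which makes every v6 firewall check above pass silently. Consult the kernel switch as well, e.g. `[ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 0 ]`, and quote the substitution as `[ "$(ip -6 addr | wc -l)" -gt 0 ]` so an empty result cannot produce a malformed test. The header comment should state the contract the callers rely on: `# Sets FNRET=0 when the host has at least one IPv6 address, FNRET=1 otherwise (0 = enabled, matching the framework's convention).` The hunk opens inside extend_touch_file(), whose body starts outside the hunk.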