1. Add a method to check whether IPv6 is disabled.

2. Modify ipv6 iptables rules check with check_ipv6_is_enable.
This commit is contained in:
Samson-W 2019-04-17 03:48:49 +08:00
parent e8459b26e0
commit 97d921c2c6
6 changed files with 229 additions and 130 deletions


@ -18,26 +18,68 @@ HARDENING_LEVEL=2
IPS4=$(which iptables)
IPS6=$(which ip6tables)
IPV4_RET=1
IPV6_RET=1
IPV6_ISENABLE=1
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 -o $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
crit "Ip4tables/Ip6tables is not set rules of protect DOS attacks!"
FNRET=1
# ipv4
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Iptables is not set rules of protect DOS attacks!"
IPV4_RET=1
else
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
FNRET=0
info "Iptables has set rules for protect DOS attacks!"
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else
if [ $IPV4_RET -eq 1 ]; then
crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else
ok "Iptables has set rules for protect DOS attacks!"
fi
else
warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
if [ $IPV6_ISENABLE -eq 0 ]; then
warn "Iptables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
else
warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
fi
fi
}
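Review bot: The IPv6 gate right after `IPV6_ISENABLE=$FNRET` in audit() is written `[ $IPV6_ISENABLE = 0 ]`, while the same variable is tested with `-eq 0` a few lines below and twice in apply(); change that first test to `if [ $IPV6_ISENABLE -eq 0 ]; then` so all four read alike. Separately, when `which ip6tables` finds nothing, `${IPS6}` expands empty and `${IPS6} -S` tries to run `-S` as a command; the pipeline still yields a count of 0 and reports the crit, which is the safe outcome, but the command-not-found noise could be avoided by guarding the ip6tables branch with `[ -n "$IPS6" ]`. Both audit() and apply() are complete within the hunk.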


@ -16,25 +16,37 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $(${IPS6} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Ip6tables: Firewall policy is not default deny!"
FNRET=1
else
ok "Ip6tables has set default deny for firewall policy!"
FNRET=0
fi
else
ok "Ip6tables has set default deny for firewall policy!"
ok "Ipv6 has set disabled, so pass."
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!"
else
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $FNRET = 0 ]; then
ok "Ip6tables has set default deny for firewall policy!"
else
warn "Ip6tables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP."
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
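Review bot: The default-deny test in audit() checks the INPUT policy with `${IPS6}` but the OUTPUT and FORWARD policies with `${IPS4}`, so this ip6tables script passes or fails on the IPv4 OUTPUT/FORWARD policy and never looks at the IPv6 ones; the visible header defines only `IPS6`, so `IPS4` must come from a sourced file or trip `set -u`. Change the two substitutions to `$(${IPS6} -S | grep -c "\-P OUTPUT DROP")` and `$(${IPS6} -S | grep -c "\-P FORWARD DROP")`. The mistake predates the commit, but the commit moves the line into the new branch, so it is the right moment to fix it.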


@ -19,61 +19,73 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1
INPUT_DENY=1
IP6VERSION="IPS6"
IPV6_ENABLE=1
# This function will be called if the script status is on enabled / audit mode
audit () {
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
# Check the loopback interface to accept INPUT traffic.
ensure_lo_traffic_input_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Ip6tables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
fi
else
INPUT_ACCEPT=1
info "Ip6tables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept $IP6VERSION
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Ip6tables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Ip6tables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny $IP6VERSION
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Ip6tables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]; then
ok "Loopback traffic rules were configured for v6!"
else
crit "Loopback traffic rules are not configured for v6!"
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $IPV6_ENABLE -eq 0 ]; then
if [ $INPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic INPUT has configured!"
else
warn "Ip6tables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!"
else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Ip6tables loopback traffic OUTPUT has configured!"
else
warn "Ip6tables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: ip6tables -A OUTPUT -o lo -j ACCEPT"
fi
if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
if [ $INPUT_DENY = 0 ]; then
ok "Ip6tables loopback traffic INPUT deny from other interfaces has configured!"
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
else
warn "Ip6tables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: ip6tables -A INPUT -s 127.0.0.0/8 -j DROP"
ok "Ipv6 has set disabled, so pass."
fi
}
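Review bot: The summary test at the end of the enabled branch in audit(), `[ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq -a $OUTPUT_ACCEPT -eq ]`, is malformed: the second and third `-eq` have no right operand, so `[` fails with a syntax error and the crit branch runs regardless of the rules, and INPUT_DENY is never consulted at all; it should read `if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then`. Also, the new disabled branch prints "pass" but leaves FNRET at the 1 that check_ipv6_is_enable assigned for "disabled"; the open-ports and outbound/established hunks below do the same, whereas the default-deny hunk explicitly sets `FNRET=0` there — if anything downstream reads FNRET after audit(), these three branches should also set `FNRET=0`.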


@ -16,55 +16,65 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
IPS6=$(which ip6tables)
IPV6_ENABLE=1
NETLISTENLIST="/dev/shm/7.7.5.3"
PROTO_PORT="/dev/shm/proto_port_pair_v6"
# This function will be called if the script status is on enabled / audit mode
audit () {
# For ipv4
rm -f $NETLISTENLIST
rm -f $PROTO_PORT
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
# For ipv6
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
if [ "$PROTO_TYPE" == 'tcp6' ]; then
PROTO_TYPE="tcp"
if [ $IPV6_ENABLE -eq 0 ]; then
netstat -ln | egrep -w '^tcp6|^udp6' > $NETLISTENLIST
cat $NETLISTENLIST | while read LISTENING
do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
if [ "$PROTO_TYPE" == 'tcp6' ]; then
PROTO_TYPE="tcp"
fi
if [ "$PROTO_TYPE" == 'udp6' ]; then
PROTO_TYPE="udp"
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
if [ "$PROTO_TYPE" == 'udp6' ]; then
PROTO_TYPE="udp"
fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set ipv6 firewall rules."
fi
done
rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Ip6tables is not set firewall rules exist for all open ports!"
else
ok "Ip6tables has set firewall rules exist for all open ports!"
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ -f $PROTO_PORT ]; then
cat $PROTO_PORT | while read NOSETPAIR
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
done
rm -f $PROTO_PORT
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
if [ $IPV6_ENABLE -eq 0 ]; then
if [ -f $PROTO_PORT ]; then
cat $PROTO_PORT | while read NOSETPAIR
do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
done
rm -f $PROTO_PORT
else
ok "Ip6tables has set firewall rules exist for all open ports!"
fi
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
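Review bot: audit() and apply() hand results to each other through the fixed paths `/dev/shm/7.7.5.3` and `/dev/shm/proto_port_pair_v6` in a world-writable directory, deleting each with `rm -f` and then writing with `>`/`>>`; between the delete and the write another local user can pre-create a file or symlink at that name, so a script that runs with enough privilege for `ip6tables -S` can be made to write through it or to read a planted port list. Create both files with `mktemp` where they are first written and remove them from a `trap ... EXIT`, and replace `cat $NETLISTENLIST | while read LISTENING` with a redirect, `done < "$NETLISTENLIST"`. The `NETLISTENLIST` and `PROTO_PORT` assignments sit in the context lines above audit(), so that part of the change reaches outside the hunk; `netstat` is also deprecated on current distributions and `ss -lnt`/`ss -lnu` would be the replacement, though that is a separate change.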


@ -17,56 +17,67 @@ HARDENING_LEVEL=2
PROTOCOL_LIST="tcp udp icmp"
IP6VERSION="IPS6"
IPV6_ENABLE=1
RET_VALUE1=1
RET_VALUE2=1
# This function will be called if the script status is on enabled / audit mode
audit () {
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
done
check_ipv6_is_enable
IPV6_ENABLE=$FNRET
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Check INPUT with ESTABLISHED is config
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" $IP6VERSION
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi
done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured for v6."
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured for v6."
else
crit "Outbound and established connections are not configured for v6."
fi
else
crit "Outbound and established connections are not configured for v6."
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
if [ $IPV6_ENABLE -eq 0 ]; then
for protocol in $PROTOCOL_LIST
do
# Apply INPUT with ESTABLISHED
check_input_with_established_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: ip6tables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT"
fi
# Apply outbound
check_outbound_connect_is_accept "${protocol}" "$IP6VERSION"
if [ $FNRET = 1 ]; then
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: ip6tables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT"
fi
done
else
ok "Ipv6 has set disabled, so pass."
fi
}
# This function will check config parameters required
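Review bot: RET_VALUE1 and RET_VALUE2 are reassigned on every pass of the `for protocol in $PROTOCOL_LIST` loop in audit(), with `RET_VALUE1=0`/`RET_VALUE2=0` in the success branches, so the final `[ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]` reflects only the last protocol in the list and a missing tcp or udp rule is reported as configured. Set `RET_VALUE1=0` and `RET_VALUE2=0` once before the loop and drop the two `=0` assignments inside it so any failing protocol sticks; the initialisation to 1 in the context above the function then becomes redundant. The commit wraps the loop without touching this, so the defect is carried into the new branch unchanged.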


@ -860,3 +860,15 @@ extend_touch_file()
fi
}
# Check ipv6 is enable
check_ipv6_is_enable()
{
if [ $(ip -6 addr | wc -l) -gt 0 ]; then
debug "Ipv6 is enabled."
FNRET=0
else
debug "Ipv6 is disabled."
FNRET=1
fi
}
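Review bot: check_ipv6_is_enable() reports "disabled" whenever `ip -6 addr | wc -l` is 0, which is also what it sees when `ip` is not in PATH or exits with an error (the message goes to stderr and the count stays 0), so a missing or broken `ip` silently routes every ip6tables audit into the "Ipv6 has set disabled, so pass." branch. Treat command failure as enabled so the checks fail closed, e.g. `if ! command -v ip >/dev/null 2>&1 || [ "$(ip -6 addr 2>/dev/null | wc -l)" -gt 0 ]; then`. A comment above the `if`, `# FNRET=0: IPv6 addresses present (enabled); FNRET=1: none found (treated as disabled)`, would also help, since callers otherwise read FNRET=0 as "check passed".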