Add audit and apply methods for ip6tables check: 7.7.2 7.7.3

2025-07-31 01:24:58 +02:00 · 2019-03-08 23:52:52 +08:00 · 2019-03-08 23:52:52 +08:00 · d5152a656f
commit d5152a656f
parent ba1e7b4195
2 changed files with 37 additions and 17 deletions
--- a/bin/hardening/7.7.2_ensure_set_firewall_rules.sh
+++ b/bin/hardening/7.7.2_ensure_set_firewall_rules.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 #
-# harbian audit 9  Hardening
+# harbian audit 9 Hardening
 #
 #
 # 7.7.2 Ensure the Firewall is set rules (Scored)
 # Include ipv4 and ipv6
 # Add this feature:Authors : Samson wen, Samson <sccxboy@gmail.com> 
 #
@ -14,16 +15,25 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 IPS4=$(which iptables)
 IPS6=$(which ip6tables)
 # Quick note here : CIS recommends your iptables rules to be persistent. 
 # Do as you want, but this script does not handle this
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    if [ $(/sbin/iptables -S | grep -Ec "^-A|^-I") -eq 0 ]; then
+    if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
-        crit "Iptables is not set rule!"
+        crit "Ip4tables is not set rule!"
-        FNRET=1
+		if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
 			crit "Ip6tables is not set rule!"
 			FNRET=1
 		else
 			ok "Ip6tables rules are set!"
 			FNRET=0
 		fi
    else
-        ok "Iptables rules are set!"
+        ok "Ip4tables rules are set!"
        FNRET=0
    fi
 }
@ -31,9 +41,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
    if [ $FNRET = 0 ]; then
-        ok "Iptables rules are set!"
+        ok "Iptables/Ip6tables rules are set!"
    else
-        warn "Iptables rules are not set, need the administrator to manually add it."
+        warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it."
    fi
 }
--- a/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
+++ b/bin/hardening/7.7.3_ensure_firewall_set_protect_dos_attacks.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 #
-# harbian audit 9  Hardening
+# harbian audit 9 Hardening
 #
 #
 # 7.7.3 Ensure the Firewall is set rules of protect DOS attacks (Scored)
 # Include ipv4 and ipv6
 # Add this feature:Authors : Samson wen, Samson <sccxboy@gmail.com>
 #
@ -14,26 +15,35 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 IPS4=$(which iptables)
 IPS6=$(which ip6tables)
 # Quick note here : CIS recommends your iptables rules to be persistent. 
 # Do as you want, but this script does not handle this
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    if [ $(/sbin/iptables -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
+    if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
-        crit "Iptables is not set rules of protect DOS attacks!"
+		crit "Ip4tables is not set rules of protect DOS attacks!"
-        FNRET=1
+		if [ $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
-    else
+			crit "Ip6tables is not set rule!"
-        ok "Iptables has set rules for protect DOS attacks!"
+			FNRET=1
-        FNRET=0
+		else
-    fi
+			ok "Ip6tables rules are set!"
 			FNRET=0
 		fi
 	else
 		ok "Ip4tables has set rules for protect DOS attacks!"
 		FNRET=0
 	fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    if [ $FNRET = 0 ]; then
-        ok "Iptables has set rules for protect DOS attacks!"
+        ok "Ip4tables/Ip6tables has set rules for protect DOS attacks!"
    else
-        warn "Iptables is not set rules of protect DOS attacks! need the administrator to manually add it."
+        warn "Ip4tables/Ip6tables is not set rules of protect DOS attacks! need the administrator to manually add it."
    fi
 }