Update tests_firewalls

nser77 2024-10-14 12:10:58 +02:00 committed by GitHub
parent d61ac72d49
commit 06b220e503
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -109,65 +109,70 @@
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
tables="filter nat mangle raw security" IPTABLES_TABLES="filter nat mangle raw security"
for t in ${tables} for IPTABLES_TABLE in ${IPTABLES_TABLES}
do do
${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
{ {
while IFS="$(printf '\n')" read -r line while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
do do
set -- ${line} set -- ${IPTABLES_OUTPUT_LINE}
while [ $# -gt 0 ] while [ $# -gt 0 ]
do do
if [ "${1}" = "-P" ] if [ "${1}" = "-P" ]
then then
c="${2}" IPTABLES_CHAIN="${2}"
j="${3}" IPTABLES_TARGET="${3}"
shift 3 shift 3
elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]
then then
c="${2}" IPTABLES_CHAIN="${2}"
shift 2 shift 2
elif [ "${1}" = "-j" ] elif [ "${1}" = "-j" ]
then then
j="${2}" IPTABLES_TARGET="${2}"
shift shift
else else
shift shift
fi fi
done done
# logics # logics
if [ "${t}" = "filter" ] || [ "${t}" = "security" ] if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
then then
if [ "${c}" = "INPUT" ] if [ "${IPTABLES_CHAIN}" = "INPUT" ]
then then
if [ "${j}" = "ACCEPT" ] if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
then then
errqueue="${errqueue}\n${t} ${c} ${j} YELLOW" IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
AddHP 1 3 AddHP 1 3
elif [ "${j}" = "DROP" ] elif [ "${IPTABLES_TARGET}" = "DROP" ]
then then
errqueue="${errqueue}\n${t} ${c} ${j} GREEN" IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
AddHP 3 3 AddHP 3 3
fi fi
fi fi
if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
then then
if [ "${j}" = "NFQUEUE" ] if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
then then
errqueue="${errqueue}\n${t} ${c} ${j} RED" IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
AddHP 0 3 AddHP 0 3
fi fi
fi fi
fi fi
done done
# resume # resume
if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi if [ ! "${SORTBINARY}" = "" ]
echo "${eq}" | while IFS="$(printf '\n')" read -r eql then
IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
else
IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}"
fi
echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
do do
if [ ! "$eql" = "" ] if [ ! "$IPTABLES_OUTPUT_LINE" = "" ]
then then
set -- ${eql} set -- ${IPTABLES_OUTPUT_LINE}
while [ $# -gt 0 ] while [ $# -gt 0 ]
do do
Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
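Review bot: The `AddHP 1 3` / `AddHP 3 3` / `AddHP 0 3` calls (rows 51, 55 and 63) execute inside the `| {` group opened at rows 19-20, and in POSIX sh, dash and bash (without `lastpipe`) the right-hand side of a pipeline runs in a subshell, so if AddHP keeps the hardening score in shell variables those increments are discarded when the group ends and this test presumably never changes the score; the rename does not touch this. A pipeline-free form keeps the loop in the current shell: capture first with `IPTABLES_RULES=$(${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/null)` and feed the parser with `while IFS= read -r IPTABLES_OUTPUT_LINE; do … done <<EOF` / `${IPTABLES_RULES}` / `EOF`. `set -- ${IPTABLES_OUTPUT_LINE}` at row 23 (and row 79) relies on word splitting but also leaves pathname expansion enabled, so a rule carrying `*` or `?` (a `--comment` string, for instance) would be rewritten from matching filenames — bracket it with `set -f` / `set +f`. `2>/dev/zero` on row 19 works as a sink on Linux but `2>/dev/null` is the conventional and portable choice. The `{ … }` group, the outer `for` and the `if [ ${SKIPTEST} -eq 0 ]` block all close outside the hunk.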