From 2d4ec42696b662001244f69d804a23c9d0631fa2 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:57:16 +0200 Subject: [PATCH] Update tests_firewalls --- include/tests_firewalls | 152 ++++++++++++++++++++++++++++------------ 1 file changed, 109 insertions(+), 43 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index e6dfafbb..a73d8fc3 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -109,53 +109,119 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - TABLES="filter nat mangle raw security" - for table in ${TABLES}; do - chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" - if [ "${table}" = "filter" ]; then - chains="INPUT FORWARD OUTPUT" - fi - for chain in ${chains}; do - ${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do - set -- ${line} - while [ $# -gt 0 ]; do - if [ "${1}" = "-P" ]; then - target="${3}" + tables="filter nat mangle raw security" + for t in ${tables} + do + ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line + do + set -- ${line} + while [ $# -gt 0 ] + do + if [ "${1}" = "!" ] + then + not="${1}" + if [ "${2}" = "-d" ] + then + d="${not} ${3}" + shift 3 + elif [ "${2}" = "-s" ] + then + s="${not} ${3}" + shift 3 + elif [ "${2}" = "-i" ] + then + p="${not} ${3}" + shift 3 + elif [ "${2}" = "-o" ] + then + o="${not} ${3}" + shift 3 + elif [ "${2}" = "-f" ] + then + p="${not} ${3}" shift 3 - elif [ "${1}" = "-j" ]; then - target="${2}" - shift - elif [ "${1}" = "-d" ]; then - dst="${2}" - shift - elif [ "${1}" = "-s" ]; then - src="${2}" - shift - else - shift fi - done - - # logics - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW - AddHP 1 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found ${target} for ${chain} (table: 
${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN - AddHP 3 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED - ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" - AddHP 0 3 + shift + elif [ "${1}" = "-P" ] + then + c="${2}" + j="${3}" + shift 3 + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] + then + c="${2}" + shift 2 + elif [ "${1}" = "-j" ] + then + j="${2}" + shift + elif [ "${1}" = "-p" ] + then + p="${2}" + shift + elif [ "${1}" = "-d" ] + then + d="${2}" + shift + elif [ "${1}" = "-s" ] + then + s="${2}" + shift + elif [ "${1}" = "-m" ] + then + m="${2}" + shift + elif [ "${1}" = "-g" ] + then + g="${2}" + shift + elif [ "${1}" = "-i" ] + then + i="${2}" + shift + elif [ "${1}" = "-o" ] + then + o="${2}" + shift + elif [ "${1}" = "-f" ] + then + f="${2}" + shift + elif [ "${1}" = "-c" ] + then + pc="${2}" + bc="${3}" + shift 3 + else + shift fi done - done - done + # logics + if [ "${t}" = "filter" ] || [ "${t}" = "security" ] + then + if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW + AddHP 1 3 + elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN + AddHP 3 3 + elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + 
then + if [ "${j}" = "NFQUEUE" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED + ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})" + AddHP 0 3 + fi + fi + fi + done + done fi # #################################################################################
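Review bot: In the `!` branch of the token loop, every negated option that matches (`! -d`, `! -s`, `! -i`, `! -o`) already does `shift 3`, and the unconditional `shift` after the inner `fi` then swallows the next token, so a rule such as `! -s <addr> -j DROP` loses its `-j` and `j` keeps whatever the previous line left in it. That carry-over is the second problem: `c`, `j`, `d`, `s` and the rest are never cleared between lines, so an `-A` or `-N` line without a target, or a table whose first line is a bare `-P`, is scored with stale values from the previous line. The `! -i` arm assigns to `p` instead of `i`, and `-f`/`--fragment` is a flag without an argument, so both `! -f … shift 3` and `f="${2}"; shift` consume a token that belongs to the next option. The `# logics` block also now runs for every parsed `-A` rule rather than only the `-P` policy line the test description refers to, so each `-j ACCEPT` rule in INPUT adds another YELLOW hit and `AddHP 1 3`; if that is unintended, gate the block on the line having started with `-P` as sketched below. The removed lines referenced `${IPTABLESBINARY}` while the new ones use `${iptables_binary}`; if that lowercase name is not defined elsewhere in the file, the pipeline runs an empty command and the `2>/dev/zero` redirect hides the failure.
```shell
${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line
do
  # reset per-line state so a line without -j cannot inherit the previous target
  c="" j="" d="" s="" i="" o="" p="" m="" g="" f="" pc="" bc="" is_policy=0
  set -- ${line}
  while [ $# -gt 0 ]
  do
    if [ "${1}" = "!" ]
    then
      not="${1}"
      if [ "${2}" = "-d" ]
      then
        d="${not} ${3}"
        shift 3
      elif [ "${2}" = "-s" ]
      then
        s="${not} ${3}"
        shift 3
      elif [ "${2}" = "-i" ]
      then
        i="${not} ${3}"
        shift 3
      elif [ "${2}" = "-o" ]
      then
        o="${not} ${3}"
        shift 3
      elif [ "${2}" = "-f" ]
      then
        f="${not} -f"   # --fragment takes no argument
        shift 2
      else
        shift           # drop only the "!" and let the arms below see the option
      fi
    elif [ "${1}" = "-P" ]
    then
      c="${2}"
      j="${3}"
      is_policy=1
      shift 3
    # … unchanged: -A/-N/-j/-p/-d/-s/-m/-g/-i/-o arms …
    elif [ "${1}" = "-f" ]
    then
      f="-f"            # flag, no argument to consume
      shift
    # … unchanged: -c arm and the else/shift fallback …
    fi
  done
  # logics: score only the chain policy line, as the test description states
  if [ "${is_policy}" -eq 1 ] && { [ "${t}" = "filter" ] || [ "${t}" = "security" ]; }
  then
    # … unchanged: INPUT/FORWARD/OUTPUT target checks …
  fi
done
```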