tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-29 08:44:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update tests_firewalls

Browse Source
This commit is contained in:
nser77 2024-10-09 00:57:16 +02:00 committed by GitHub
parent d90413e243
commit 2d4ec42696
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 109 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
include/tests_firewalls
View File

@ -109,53 +109,119 @@
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
TABLES="filter nat mangle raw security" tables="filter nat mangle raw security"
for table in ${TABLES}; do for t in ${tables}
chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" do
if [ "${table}" = "filter" ]; then ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line
chains="INPUT FORWARD OUTPUT" do
fi set -- ${line}
for chain in ${chains}; do while [ $# -gt 0 ]
${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do do
set -- ${line} if [ "${1}" = "!" ]
while [ $# -gt 0 ]; do then
if [ "${1}" = "-P" ]; then not="${1}"
target="${3}" if [ "${2}" = "-d" ]
then
d="${not} ${3}"
shift 3
elif [ "${2}" = "-s" ]
then
s="${not} ${3}"
shift 3
elif [ "${2}" = "-i" ]
then
p="${not} ${3}"
shift 3
elif [ "${2}" = "-o" ]
then
o="${not} ${3}"
shift 3
elif [ "${2}" = "-f" ]
then
p="${not} ${3}"
shift 3 shift 3
elif [ "${1}" = "-j" ]; then
target="${2}"
shift
elif [ "${1}" = "-d" ]; then
dst="${2}"
shift
elif [ "${1}" = "-s" ]; then
src="${2}"
shift
else
shift
fi fi
done shift
elif [ "${1}" = "-P" ]
# logics then
if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then c="${2}"
LogText "Result: Found ${target} for ${chain} (table: ${table})" j="${3}"
Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW shift 3
AddHP 1 3 elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]
fi then
if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then c="${2}"
LogText "Result: Found ${target} for ${chain} (table: ${table})" shift 2
Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN elif [ "${1}" = "-j" ]
AddHP 3 3 then
fi j="${2}"
if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then shift
LogText "Result: Found ${target} for ${chain} (table: ${table})" elif [ "${1}" = "-p" ]
Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED then
ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" p="${2}"
AddHP 0 3 shift
elif [ "${1}" = "-d" ]
then
d="${2}"
shift
elif [ "${1}" = "-s" ]
then
s="${2}"
shift
elif [ "${1}" = "-m" ]
then
m="${2}"
shift
elif [ "${1}" = "-g" ]
then
g="${2}"
shift
elif [ "${1}" = "-i" ]
then
i="${2}"
shift
elif [ "${1}" = "-o" ]
then
o="${2}"
shift
elif [ "${1}" = "-f" ]
then
f="${2}"
shift
elif [ "${1}" = "-c" ]
then
pc="${2}"
bc="${3}"
shift 3
else
shift
fi fi
done done
done # logics
done if [ "${t}" = "filter" ] || [ "${t}" = "security" ]
then
if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ]
then
LogText "Result: Found ${j} for ${c} (table: ${t})"
Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW
AddHP 1 3
elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ]
then
LogText "Result: Found ${j} for ${c} (table: ${t})"
Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN
AddHP 3 3
elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ]
then
if [ "${j}" = "NFQUEUE" ]
then
LogText "Result: Found ${j} for ${c} (table: ${t})"
Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED
ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})"
AddHP 0 3
fi
fi
fi
done
done
fi fi
# #
################################################################################# #################################################################################