mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 06:54:29 +01:00
feat: add nftables to firewall software allow list (#203)
* feat: add nftables to firewall software allow list fixes #191 * fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
This commit is contained in:
parent
9d3fb18e6b
commit
5370ec2ef6
@ -15,32 +15,42 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
|
DESCRIPTION="Ensure firewall is active (either nftables or iptables is installed, does not check for its configuration)."
|
||||||
|
|
||||||
# Note: CIS recommends your iptables rules to be persistent.
|
# Note: CIS recommends your iptables rules to be persistent.
|
||||||
# Do as you want, but this script does not handle this
|
# Do as you want, but this script does not handle this
|
||||||
# At OVH, we use iptables
|
|
||||||
|
|
||||||
PACKAGE='iptables'
|
PACKAGES='iptables nftables'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
|
FOUND=false
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
ok "$PACKAGE provides firewalling feature"
|
||||||
else
|
FOUND=true
|
||||||
ok "$PACKAGE is installed"
|
fi
|
||||||
|
done
|
||||||
|
if [ "$FOUND" = false ]; then
|
||||||
|
crit "None of the following firewall packages are installed: $PACKAGES"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE provides firewalling feature"
|
||||||
else
|
FOUND=true
|
||||||
crit "$PACKAGE is absent, installing it"
|
fi
|
||||||
apt_install "$PACKAGE"
|
done
|
||||||
|
if [ "$FOUND" = false ]; then
|
||||||
|
crit "None of the following firewall packages are installed: $PACKAGES, installing them"
|
||||||
|
# FIXME : iptables is hardcoded, we will have to change this in the future
|
||||||
|
# This will install nftables and iptables
|
||||||
|
apt_install "iptables"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ audit() {
|
|||||||
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
|
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "cant find chain $chain"
|
crit "Unable to find chain $chain"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
@ -2,10 +2,18 @@
|
|||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
test_audit() {
|
test_audit() {
|
||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 1
|
||||||
dismiss_count_for_test
|
dismiss_count_for_test
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
describe Correcting situation
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y iptables
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "provides firewalling feature"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -4,8 +4,7 @@ test_audit() {
|
|||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
dismiss_count_for_test
|
dismiss_count_for_test
|
||||||
# shellcheck disable=2154
|
# Do not run any check, iptables do not work in a docker
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
#run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
# TODO fill comprehensive tests
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user