feat: add nftables to firewall software allow list (#203)

* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
This commit is contained in:
GoldenKiwi 2023-09-07 14:36:08 +02:00 committed by GitHub
parent 9d3fb18e6b
commit 5370ec2ef6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 37 additions and 20 deletions

View File

@ -15,32 +15,42 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." DESCRIPTION="Ensure firewall is active (either nftables or iptables is installed, does not check for its configuration)."
# Note: CIS recommends your iptables rules to be persistent. # Note: CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# At OVH, we use iptables
PACKAGE='iptables' PACKAGES='iptables nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is not installed!" ok "$PACKAGE provides firewalling feature"
else FOUND=true
ok "$PACKAGE is installed" fi
done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE provides firewalling feature"
else FOUND=true
crit "$PACKAGE is absent, installing it" fi
apt_install "$PACKAGE" done
if [ "$FOUND" = false ]; then
crit "None of the following firewall packages are installed: $PACKAGES, installing them"
# FIXME : iptables is hardcoded, we will have to change this in the future
# This will install nftables and iptables
apt_install "iptables"
fi fi
} }

View File

@ -45,7 +45,7 @@ audit() {
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}." crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
fi fi
else else
echo "cant find chain $chain" crit "Unable to find chain $chain"
fi fi
done done
fi fi

View File

@ -2,10 +2,18 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 1
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests describe Correcting situation
apt-get update
apt-get install -y iptables
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "provides firewalling feature"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

View File

@ -4,8 +4,7 @@ test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # Do not run any check, iptables do not work in a docker
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all #run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests # TODO fill comprehensive tests
} }