feat: add debian12 scripts

- nftables_loopback_is_configured.sh 	-> 4.2.6
- nftables_established_connections.sh 	-> 4.2.7
- iptables_flushed_with_nftables.sh 	-> 4.2.3
- ufw_loopback_is_configured.sh 	-> 4.1.4
- ufw_outbound_connection.sh 		-> 4.1.5
- ufw_default_deny.sh 			-> 4.1.7
- ufw_rules_them_all.sh 		-> 4.1.6

bin/hardening/iptables_flushed_with_nftables.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure iptables are flushed with nftables (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="if running nftables, we don't want to mix rules with iptables"
+PACKAGE="nftables"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    IPTABLES_CHAIN_EMPTY=0
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        for chain in INPUT OUTPUT FORWARD; do
+            # ex of empty INPUT chain: "-P INPUT ACCEPT"
+            # shellcheck disable=2046
+            if [ $($SUDO_CMD iptables -S "$chain" 2>/dev/null | wc -l) -gt 1 ]; then
+                IPTABLES_CHAIN_EMPTY=1
+                crit "nftables is installed, but iptables '$chain' rules are not empty"
+            else
+                ok "nftables is installed and iptables '$chain' rules are empty"
+            fi
+        done
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IPTABLES_CHAIN_EMPTY" -ne 0 ]; then
+        info "Please review the 'iptables' rules, and either move them to 'nftables', or disable this check"
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/nftables_established_connections.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure nftables outbound and established connections are configured (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure nftables outbound and established connections are configured"
+
+NFTABLES_INPUT_ALLOWED=""
+NFTABLES_OUTPUT_ALLOWED=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    local status
+
+    for allowed in $NFTABLES_INPUT_ALLOWED; do
+        protocol=$(awk -F ':' '{print $1}' <<<"$allowed")
+        state=$(awk -F ':' '{print $2}' <<<"$allowed")
+
+        if $SUDO_CMD nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep -E "ip protocol $protocol ct state $state accept"; then
+            ok "'$protocol' is accepted for state(s) '$state' in nftables 'input'"
+        else
+            crit "'$protocol' is not accepted for state(s) '$state' in nftables 'input'"
+        fi
+    done
+
+    for allowed in $NFTABLES_OUTPUT_ALLOWED; do
+        protocol=$(awk -F ':' '{print $1}' <<<"$allowed")
+        state=$(awk -F ':' '{print $2}' <<<"$allowed")
+
+        if $SUDO_CMD nft list ruleset 2>/dev/null | awk '/hook output/,/}/' | grep -E "ip protocol $protocol ct state $state accept"; then
+            ok "'$protocol' is accepted for state(s) '$state' in nftables 'output'"
+        else
+            crit "'$protocol' is not accepted for state(s) '$state' in nftables 'output'"
+        fi
+    done
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    info "Please review the rules according to your site policy, and update the check configuration if needed"
+
+}
+
+create_config() {
+    cat <<EOF
+# shellcheck disable=2034
+status=audit
+# Put here the input allowed protocols, space separated
+# protocol:states
+NFTABLES_INPUT_ALLOWED="tcp:established udp:established icmp:established"
+NFTABLES_OUTPUT_ALLOWED="tcp:established,related,new udp:established,related,new icmp:established,related,new"
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/nftables_loopback_is_configured.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure nftables loopback traffic is configured (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure nftables loopback traffic is configured"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    NFTABLES_LOOPBACK=1
+    NFTABLES_LOOPBACK_DROP=1
+    NFTABLES_IPV6_LOOPBACK_DROP=1
+
+    if nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep 'iif "lo" accept'; then
+        NFTABLES_LOOPBACK=0
+        ok "loopback is configured for nftables"
+    else
+        crit "loopback is not configured for nftables"
+    fi
+
+    if nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep "ip saddr 127.0.0.1.*drop"; then
+        NFTABLES_LOOPBACK_DROP=0
+        ok "nftables input loopack traffic is dropped"
+    else
+        crit "nftables input loopack traffic is not dropped"
+    fi
+
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ]; then
+        if nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep "ip6 saddr ::1.*drop"; then
+            NFTABLES_IPV6_LOOPBACK_DROP=0
+            ok "nftables input loopack traffic is dropped"
+        else
+            crit "nftables input loopack traffic is not dropped"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$NFTABLES_LOOPBACK" -ne 0 ]; then
+        info "adding nftables loopback configuration"
+        nft add rule inet filter input iif lo accept
+    fi
+
+    if [ "$NFTABLES_LOOPBACK_DROP" -ne 0 ]; then
+        info "adding nftables loopback drop configuration"
+        nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop
+    fi
+
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ] && [ "$NFTABLES_IPV6_LOOPBACK_DROP" -ne 0 ]; then
+        info "adding nftables ipv6 loopback drop configuration"
+        nft add rule inet filter input ip6 saddr ::1 counter drop
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ufw_default_deny.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ufw default deny firewall policy (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ufw default deny firewall policy"
+UFW_DEFAULT_RULES_FILE="/etc/default/ufw"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    UFW_INPUT_DEFAULT_VALID=1
+    UFW_OUTPUT_DEFAULT_VALID=1
+    UFW_FORWARD_DEFAULT_VALID=1
+
+    # ufw default rules are configured in /etc/default/ufw
+    # easier to parse than ufw output
+    local default_policy
+    default_policy=$(awk -F '=' '/^[^#]*DEFAULT_INPUT_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g')
+    if [ "$default_policy" != "DROP" ]; then
+        crit "ufw default input policy is $default_policy instead of DROP"
+    else
+        ok "ufw default input policy is $default_policy"
+        UFW_INPUT_DEFAULT_VALID=0
+    fi
+
+    default_policy=$(awk -F '=' '/^[^#]*DEFAULT_OUTPUT_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g')
+    if [ "$default_policy" != "DROP" ]; then
+        crit "ufw default output policy is $default_policy instead of DROP"
+    else
+        ok "ufw default output policy is $default_policy"
+        UFW_OUTPUT_DEFAULT_VALID=0
+    fi
+
+    default_policy=$(awk -F '=' '/^[^#]*DEFAULT_FORWARD_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g')
+    if [ "$default_policy" != "DROP" ]; then
+        crit "ufw default forward policy is $default_policy instead of DROP"
+    else
+        ok "ufw default forward policy is $default_policy"
+        UFW_FORWARD_DEFAULT_VALID=0
+    fi
+
+    if [ "$UFW_INPUT_DEFAULT_VALID" -ne 0 ] || [ "$UFW_OUTPUT_DEFAULT_VALID" -ne 0 ] || [ "$UFW_FORWARD_DEFAULT_VALID" -ne 0 ]; then
+        warn "Applying the recommendation will change the default policies to DROP, make sure you have set up the required rules"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$UFW_INPUT_DEFAULT_VALID" -ne 0 ]; then
+        info "changing default input policy to DROP"
+        ufw default deny incoming
+    fi
+
+    if [ "$UFW_OUTPUT_DEFAULT_VALID" -ne 0 ]; then
+        info "changing default output policy to DROP"
+        ufw default deny outgoing
+    fi
+
+    if [ "$UFW_FORWARD_DEFAULT_VALID" -ne 0 ]; then
+        info "changing default forward policy to DROP"
+        ufw default deny routed
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ufw_loopback_is_configured.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ufw loopback traffic is configured (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ufw loopback traffic is configured"
+UFW_RULES_FILE="/etc/ufw/user.rules"
+UFW_IPV6_RULES_FILE="/etc/ufw/user6.rules"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    UFW_LOOPBACK_INPUT=1
+    UFW_LOOPBACK_OUTPUT=1
+    UFW_LOOPBACK_DENY=1
+    UFW_LOOPBACK_DENY_IPV6=1
+
+    # rules are saved in /etc/ufw/user.rules
+    # easier to parse than ufw output
+    if $SUDO_CMD grep "^[^#]*-[A,I].*input -i lo -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then
+        UFW_LOOPBACK_INPUT=0
+        ok "ufw loopback input is configured"
+    else
+        crit "ufw loopback input is not configured"
+    fi
+
+    if $SUDO_CMD grep "^[^#]*-[A,I].*output -o lo -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then
+        UFW_LOOPBACK_OUTPUT=0
+        ok "ufw loopback output is configured"
+    else
+        crit "ufw loopback output is not configured"
+    fi
+
+    if $SUDO_CMD grep "^[^#]*-[A,I].*input -s 127.0.0.0/8 -j DROP" "$UFW_RULES_FILE" >/dev/null 2>&1; then
+        UFW_LOOPBACK_DENY=0
+        ok "ufw traffic from 127.0.0.0/8 is dropped"
+    else
+        crit "ufw traffic 127.0.0.0/8 is not dropped"
+    fi
+
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ]; then
+        if $SUDO_CMD grep "^[^#]*-[A,I].*input -s ::1 -j DROP" "$UFW_IPV6_RULES_FILE" >/dev/null 2>&1; then
+            UFW_LOOPBACK_DENY_IPV6=0
+            ok "ufw traffic from ipv6 ::1 is dropped"
+        else
+            crit "ufw traffic from ipv6 ::1 is not dropped"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$UFW_LOOPBACK_INPUT" -ne 0 ]; then
+        info "adding ufw rule to allow loopback input"
+        ufw allow in on lo
+    fi
+
+    if [ "$UFW_LOOPBACK_OUTPUT" -ne 0 ]; then
+        info "adding ufw rule to allow loopback output"
+        ufw allow out on lo
+    fi
+
+    if [ "$UFW_LOOPBACK_DENY" -ne 0 ]; then
+        info "adding ufw rule to drop traffic from 127.0.0.0/8"
+        ufw ufw deny in from 127.0.0.0/8
+    fi
+
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ] && [ "$UFW_LOOPBACK_DENY_IPV6" -ne 0 ]; then
+        info "adding ufw rule to drop traffic from ::1"
+        ufw ufw deny in from ::1
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ufw_outbound_connection.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ufw outbound connections are configured (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ufw outbound connections are configured"
+UFW_RULES_FILE="/etc/ufw/user.rules"
+# variable defined in config file
+ALLOW_OUTBOUND_ALL=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    UFW_RULE_IS_VALID=1
+    # rules are saved in /etc/ufw/user.rules
+    # easier to parse than ufw output
+    if $SUDO_CMD grep "^[^#]*-[A,I].*output -o all -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then
+        if [ "$ALLOW_OUTBOUND_ALL" -eq 0 ]; then
+            UFW_RULE_IS_VALID=0
+            ok "ufw output is allowed for all"
+        else
+            crit "ufw output is allowed for all, and ALLOW_OUTBOUND_ALL=1"
+        fi
+    else
+        if [ "$ALLOW_OUTBOUND_ALL" -eq 1 ]; then
+            UFW_RULE_IS_VALID=0
+            ok "ufw output is not allowed for all"
+        else
+            crit "ufw output is not allowed for all, and ALLOW_OUTBOUND_ALL=0"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$UFW_RULE_IS_VALID" -ne 0 ]; then
+        info "Please review the output rules according to your site policy, and update 'ALLOW_OUTBOUND_ALL' in configuration accordingly"
+    fi
+}
+
+create_config() {
+    cat <<EOF
+# shellcheck disable=2034
+status=audit
+# ALLOW_OUTBOUND_ALL=0 means true, we want the rule to be present
+# ALLOW_OUTBOUND_ALL=1 means false, we don't want the rule to be present
+ALLOW_OUTBOUND_ALL=0
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ufw_rules_them_all.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ufw firewall rules exist for all open ports (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ufw firewall rules exist for all open ports"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    UFW_IS_VALID=0
+    local ufw_ports_rules
+    local listening_ports
+
+    ufw_ports_rules=$($SUDO_CMD ufw status verbose 2>/dev/null | grep -Po '^\h*\d+\b' | sort -u)
+    listening_ports=$($SUDO_CMD ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/\[?::1\]?:/) {split($5, a, ":"); print a[2]}' | sort -u)
+
+    for port in $listening_ports; do
+        if ! grep "$port" <<<"$ufw_ports_rules"; then
+            crit "$port does not have an ufw rule"
+            UFW_IS_VALID=1
+        fi
+    done
+
+    if [ "$UFW_IS_VALID" -eq 0 ]; then
+        ok "all listening ports have a corresponding rule in ufw"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$UFW_IS_VALID" -ne 0 ]; then
+        # Debian 12 CIS marks this script as "Automated", but we wont do it
+        # How can we know if a rule should be allowed or denied ?
+        warn "Please review the ufw rules and update them accordingly"
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

cisharden.sudoers

@@ -14,6 +14,7 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /usr/bin/cut,\
                         /sbin/iptables -nL,\
                         /sbin/iptables -nL *,\
+                        /sbin/iptables -S *,\
                         /sbin/sysctl net.*,\
                         /sbin/sysctl fs.*,\
                         /sbin/sysctl kernel.*,\
@@ -28,6 +29,7 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /usr/bin/ss *,\
                         /bin/ss *,\
                         /usr/bin/pgrep *,\
-                        /usr/sbin/nft list *
+                        /usr/sbin/nft list *,\
+                        /usr/sbin/ufw status *
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

tests/hardening/iptables_flushed_with_nftables.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables iptables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables iptables
+
+}

tests/hardening/nftables_established_connections.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}

tests/hardening/nftables_loopback_is_configured.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}

tests/hardening/ufw_default_deny.sh

@@ -0,0 +1,27 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="ACCEPT"/g' /etc/default/ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the default file
+    describe fix the situation
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_OUTPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_FORWARD_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_loopback_is_configured.sh

@@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-input -i lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-output -o lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s 127.0.0.0/8 -j DROP' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s ::1 -j DROP' >>/etc/ufw/user6.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_outbound_connection.sh

@@ -0,0 +1,43 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    # default case: we want the outbound all rule to be present, but it is not
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-output -o all -j ACCEPT' >>/etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reverse case: we don't want the outbound all rule to be present, but it is
+    describe prepare failed test
+    sed -i '/ALLOW_OUTBOUND_ALL/s/=.*/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Running failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe fix the situation
+    # shellcheck disable=2129
+    sed -i '$d' /etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_rules_them_all.sh

@@ -0,0 +1,9 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    # no much to test here, unless running on a privileged container, to run ufw commands
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}