diff --git a/bin/hardening/iptables_flushed_with_nftables.sh b/bin/hardening/iptables_flushed_with_nftables.sh new file mode 100755 index 0000000..c76641d --- /dev/null +++ b/bin/hardening/iptables_flushed_with_nftables.sh @@ -0,0 +1,73 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure iptables are flushed with nftables (Manual) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="if running nftables, we don't want to mix rules with iptables" +PACKAGE="nftables" + +# This function will be called if the script status is on enabled / audit mode +audit() { + IPTABLES_CHAIN_EMPTY=0 + + is_pkg_installed "$PACKAGE" + if [ "$FNRET" -eq 0 ]; then + for chain in INPUT OUTPUT FORWARD; do + # ex of empty INPUT chain: "-P INPUT ACCEPT" + # shellcheck disable=2046 + if [ $($SUDO_CMD iptables -S "$chain" 2>/dev/null | wc -l) -gt 1 ]; then + IPTABLES_CHAIN_EMPTY=1 + crit "nftables is installed, but iptables '$chain' rules are not empty" + else + ok "nftables is installed and iptables '$chain' rules are empty" + fi + done + fi + +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$IPTABLES_CHAIN_EMPTY" -ne 0 ]; then + info "Please review the 'iptables' rules, and either move them to 'nftables', or disable this check" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi + +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/nftables_established_connections.sh b/bin/hardening/nftables_established_connections.sh new file mode 100755 index 0000000..bba4ec3 --- /dev/null +++ b/bin/hardening/nftables_established_connections.sh @@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure nftables outbound and established connections are configured (Manual) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure nftables outbound and established connections are configured" + +NFTABLES_INPUT_ALLOWED="" +NFTABLES_OUTPUT_ALLOWED="" + +# This function will be called if the script status is on enabled / audit mode +audit() { + local status + + for allowed in $NFTABLES_INPUT_ALLOWED; do + protocol=$(awk -F ':' '{print $1}' <<<"$allowed") + state=$(awk -F ':' '{print $2}' <<<"$allowed") + + if $SUDO_CMD nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep -E "ip protocol $protocol ct state $state accept"; then + ok "'$protocol' is accepted for state(s) '$state' in nftables 'input'" + else + crit "'$protocol' is not accepted for state(s) '$state' in nftables 'input'" + fi + done + + for allowed in $NFTABLES_OUTPUT_ALLOWED; do + protocol=$(awk -F ':' '{print $1}' <<<"$allowed") + state=$(awk -F ':' '{print $2}' <<<"$allowed") + + if $SUDO_CMD nft list ruleset 2>/dev/null | awk '/hook output/,/}/' | grep -E "ip protocol $protocol ct state $state accept"; then + ok "'$protocol' is accepted for state(s) '$state' in nftables 'output'" + else + crit "'$protocol' is not accepted for state(s) '$state' in nftables 'output'" + fi + done + +} + +# This function will be called if the script status is on enabled mode +apply() { + info "Please review the rules according to your site policy, and update the check configuration if needed" + +} + +create_config() { + cat </dev/null | awk '/hook input/,/}/' | grep 'iif "lo" accept'; then + NFTABLES_LOOPBACK=0 + ok "loopback is configured for nftables" + else + crit "loopback is not configured for nftables" + fi + + if nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep "ip saddr 127.0.0.1.*drop"; then + NFTABLES_LOOPBACK_DROP=0 + ok "nftables input loopack traffic is dropped" + else + crit "nftables input loopack traffic is not dropped" + fi + + is_ipv6_enabled + if [ "$FNRET" -eq 0 ]; then + if nft list ruleset 2>/dev/null | awk '/hook input/,/}/' | grep "ip6 saddr ::1.*drop"; then + NFTABLES_IPV6_LOOPBACK_DROP=0 + ok "nftables input loopack traffic is dropped" + else + crit "nftables input loopack traffic is not dropped" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$NFTABLES_LOOPBACK" -ne 0 ]; then + info "adding nftables loopback configuration" + nft add rule inet filter input iif lo accept + fi + + if [ "$NFTABLES_LOOPBACK_DROP" -ne 0 ]; then + info "adding nftables loopback drop configuration" + nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop + fi + + is_ipv6_enabled + if [ "$FNRET" -eq 0 ] && [ "$NFTABLES_IPV6_LOOPBACK_DROP" -ne 0 ]; then + info "adding nftables ipv6 loopback drop configuration" + nft add rule inet filter input ip6 saddr ::1 counter drop + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi + +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/ufw_default_deny.sh b/bin/hardening/ufw_default_deny.sh new file mode 100755 index 0000000..48c80b2 --- /dev/null +++ b/bin/hardening/ufw_default_deny.sh @@ -0,0 +1,102 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure ufw default deny firewall policy (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure ufw default deny firewall policy" +UFW_DEFAULT_RULES_FILE="/etc/default/ufw" + +# This function will be called if the script status is on enabled / audit mode +audit() { + UFW_INPUT_DEFAULT_VALID=1 + UFW_OUTPUT_DEFAULT_VALID=1 + UFW_FORWARD_DEFAULT_VALID=1 + + # ufw default rules are configured in /etc/default/ufw + # easier to parse than ufw output + local default_policy + default_policy=$(awk -F '=' '/^[^#]*DEFAULT_INPUT_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g') + if [ "$default_policy" != "DROP" ]; then + crit "ufw default input policy is $default_policy instead of DROP" + else + ok "ufw default input policy is $default_policy" + UFW_INPUT_DEFAULT_VALID=0 + fi + + default_policy=$(awk -F '=' '/^[^#]*DEFAULT_OUTPUT_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g') + if [ "$default_policy" != "DROP" ]; then + crit "ufw default output policy is $default_policy instead of DROP" + else + ok "ufw default output policy is $default_policy" + UFW_OUTPUT_DEFAULT_VALID=0 + fi + + default_policy=$(awk -F '=' '/^[^#]*DEFAULT_FORWARD_POLICY/ {print $2}' "$UFW_DEFAULT_RULES_FILE" | sed 's/\"//g') + if [ "$default_policy" != "DROP" ]; then + crit "ufw default forward policy is $default_policy instead of DROP" + else + ok "ufw default forward policy is $default_policy" + UFW_FORWARD_DEFAULT_VALID=0 + fi + + if [ "$UFW_INPUT_DEFAULT_VALID" -ne 0 ] || [ "$UFW_OUTPUT_DEFAULT_VALID" -ne 0 ] || [ "$UFW_FORWARD_DEFAULT_VALID" -ne 0 ]; then + warn "Applying the recommendation will change the default policies to DROP, make sure you have set up the required rules" + fi + +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$UFW_INPUT_DEFAULT_VALID" -ne 0 ]; then + info "changing default input policy to DROP" + ufw default deny incoming + fi + + if [ "$UFW_OUTPUT_DEFAULT_VALID" -ne 0 ]; then + info "changing default output policy to DROP" + ufw default deny outgoing + fi + + if [ "$UFW_FORWARD_DEFAULT_VALID" -ne 0 ]; then + info "changing default forward policy to DROP" + ufw default deny routed + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/ufw_loopback_is_configured.sh b/bin/hardening/ufw_loopback_is_configured.sh new file mode 100755 index 0000000..4040e0b --- /dev/null +++ b/bin/hardening/ufw_loopback_is_configured.sh @@ -0,0 +1,111 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure ufw loopback traffic is configured (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure ufw loopback traffic is configured" +UFW_RULES_FILE="/etc/ufw/user.rules" +UFW_IPV6_RULES_FILE="/etc/ufw/user6.rules" + +# This function will be called if the script status is on enabled / audit mode +audit() { + UFW_LOOPBACK_INPUT=1 + UFW_LOOPBACK_OUTPUT=1 + UFW_LOOPBACK_DENY=1 + UFW_LOOPBACK_DENY_IPV6=1 + + # rules are saved in /etc/ufw/user.rules + # easier to parse than ufw output + if $SUDO_CMD grep "^[^#]*-[A,I].*input -i lo -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then + UFW_LOOPBACK_INPUT=0 + ok "ufw loopback input is configured" + else + crit "ufw loopback input is not configured" + fi + + if $SUDO_CMD grep "^[^#]*-[A,I].*output -o lo -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then + UFW_LOOPBACK_OUTPUT=0 + ok "ufw loopback output is configured" + else + crit "ufw loopback output is not configured" + fi + + if $SUDO_CMD grep "^[^#]*-[A,I].*input -s 127.0.0.0/8 -j DROP" "$UFW_RULES_FILE" >/dev/null 2>&1; then + UFW_LOOPBACK_DENY=0 + ok "ufw traffic from 127.0.0.0/8 is dropped" + else + crit "ufw traffic 127.0.0.0/8 is not dropped" + fi + + is_ipv6_enabled + if [ "$FNRET" -eq 0 ]; then + if $SUDO_CMD grep "^[^#]*-[A,I].*input -s ::1 -j DROP" "$UFW_IPV6_RULES_FILE" >/dev/null 2>&1; then + UFW_LOOPBACK_DENY_IPV6=0 + ok "ufw traffic from ipv6 ::1 is dropped" + else + crit "ufw traffic from ipv6 ::1 is not dropped" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$UFW_LOOPBACK_INPUT" -ne 0 ]; then + info "adding ufw rule to allow loopback input" + ufw allow in on lo + fi + + if [ "$UFW_LOOPBACK_OUTPUT" -ne 0 ]; then + info "adding ufw rule to allow loopback output" + ufw allow out on lo + fi + + if [ "$UFW_LOOPBACK_DENY" -ne 0 ]; then + info "adding ufw rule to drop traffic from 127.0.0.0/8" + ufw ufw deny in from 127.0.0.0/8 + fi + + is_ipv6_enabled + if [ "$FNRET" -eq 0 ] && [ "$UFW_LOOPBACK_DENY_IPV6" -ne 0 ]; then + info "adding ufw rule to drop traffic from ::1" + ufw ufw deny in from ::1 + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/ufw_outbound_connection.sh b/bin/hardening/ufw_outbound_connection.sh new file mode 100755 index 0000000..bafd12b --- /dev/null +++ b/bin/hardening/ufw_outbound_connection.sh @@ -0,0 +1,85 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure ufw outbound connections are configured (Manual) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure ufw outbound connections are configured" +UFW_RULES_FILE="/etc/ufw/user.rules" +# variable defined in config file +ALLOW_OUTBOUND_ALL="" + +# This function will be called if the script status is on enabled / audit mode +audit() { + UFW_RULE_IS_VALID=1 + # rules are saved in /etc/ufw/user.rules + # easier to parse than ufw output + if $SUDO_CMD grep "^[^#]*-[A,I].*output -o all -j ACCEPT" "$UFW_RULES_FILE" >/dev/null 2>&1; then + if [ "$ALLOW_OUTBOUND_ALL" -eq 0 ]; then + UFW_RULE_IS_VALID=0 + ok "ufw output is allowed for all" + else + crit "ufw output is allowed for all, and ALLOW_OUTBOUND_ALL=1" + fi + else + if [ "$ALLOW_OUTBOUND_ALL" -eq 1 ]; then + UFW_RULE_IS_VALID=0 + ok "ufw output is not allowed for all" + else + crit "ufw output is not allowed for all, and ALLOW_OUTBOUND_ALL=0" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$UFW_RULE_IS_VALID" -ne 0 ]; then + info "Please review the output rules according to your site policy, and update 'ALLOW_OUTBOUND_ALL' in configuration accordingly" + fi +} + +create_config() { + cat </dev/null | grep -Po '^\h*\d+\b' | sort -u) + listening_ports=$($SUDO_CMD ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/\[?::1\]?:/) {split($5, a, ":"); print a[2]}' | sort -u) + + for port in $listening_ports; do + if ! grep "$port" <<<"$ufw_ports_rules"; then + crit "$port does not have an ufw rule" + UFW_IS_VALID=1 + fi + done + + if [ "$UFW_IS_VALID" -eq 0 ]; then + ok "all listening ports have a corresponding rule in ufw" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$UFW_IS_VALID" -ne 0 ]; then + # Debian 12 CIS marks this script as "Automated", but we wont do it + # How can we know if a rule should be allowed or denied ? + warn "Please review the ufw rules and update them accordingly" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/cisharden.sudoers b/cisharden.sudoers index bff8dc3..c1ea6a8 100644 --- a/cisharden.sudoers +++ b/cisharden.sudoers @@ -14,6 +14,7 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\ /usr/bin/cut,\ /sbin/iptables -nL,\ /sbin/iptables -nL *,\ + /sbin/iptables -S *,\ /sbin/sysctl net.*,\ /sbin/sysctl fs.*,\ /sbin/sysctl kernel.*,\ @@ -28,6 +29,7 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\ /usr/bin/ss *,\ /bin/ss *,\ /usr/bin/pgrep *,\ - /usr/sbin/nft list * + /usr/sbin/nft list *,\ + /usr/sbin/ufw status * cisharden ALL = (root) NOPASSWD: SCL_CMD diff --git a/tests/hardening/iptables_flushed_with_nftables.sh b/tests/hardening/iptables_flushed_with_nftables.sh new file mode 100644 index 0000000..f0c1e89 --- /dev/null +++ b/tests/hardening/iptables_flushed_with_nftables.sh @@ -0,0 +1,16 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe Prepare test + apt install -y nftables iptables + + # not much to test here, unless working on a privileged container + describe Running on blank host + register_test retvalshouldbe 0 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt remove -y nftables iptables + +} diff --git a/tests/hardening/nftables_established_connections.sh b/tests/hardening/nftables_established_connections.sh new file mode 100644 index 0000000..b51fec8 --- /dev/null +++ b/tests/hardening/nftables_established_connections.sh @@ -0,0 +1,16 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe Prepare test + apt install -y nftables + + # not much to test here, unless working on a privileged container + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt remove -y nftables + +} diff --git a/tests/hardening/nftables_loopback_is_configured.sh b/tests/hardening/nftables_loopback_is_configured.sh new file mode 100644 index 0000000..b51fec8 --- /dev/null +++ b/tests/hardening/nftables_loopback_is_configured.sh @@ -0,0 +1,16 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe Prepare test + apt install -y nftables + + # not much to test here, unless working on a privileged container + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt remove -y nftables + +} diff --git a/tests/hardening/ufw_default_deny.sh b/tests/hardening/ufw_default_deny.sh new file mode 100644 index 0000000..acdafb0 --- /dev/null +++ b/tests/hardening/ufw_default_deny.sh @@ -0,0 +1,27 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe prepare test + apt install -y ufw + sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="ACCEPT"/g' /etc/default/ufw + + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + # we can not apply the fix, unless running on a privileged container + # we manually update the default file + describe fix the situation + sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw + sed -i '/DEFAULT_OUTPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw + sed -i '/DEFAULT_FORWARD_POLICY/s/=.*/="DROP"/g' /etc/default/ufw + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt purge -y ufw + apt autoremove -y +} diff --git a/tests/hardening/ufw_loopback_is_configured.sh b/tests/hardening/ufw_loopback_is_configured.sh new file mode 100644 index 0000000..b820d2f --- /dev/null +++ b/tests/hardening/ufw_loopback_is_configured.sh @@ -0,0 +1,28 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe prepare test + apt install -y ufw + + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + # we can not apply the fix, unless running on a privileged container + # we manually update the rules file + describe fix the situation + # shellcheck disable=2129 + echo '-A ufw-user-input -i lo -j ACCEPT' >>/etc/ufw/user.rules + echo '-A ufw-user-output -o lo -j ACCEPT' >>/etc/ufw/user.rules + echo '-A ufw-user-input -s 127.0.0.0/8 -j DROP' >>/etc/ufw/user.rules + echo '-A ufw-user-input -s ::1 -j DROP' >>/etc/ufw/user6.rules + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt purge -y ufw + apt autoremove -y +} diff --git a/tests/hardening/ufw_outbound_connection.sh b/tests/hardening/ufw_outbound_connection.sh new file mode 100644 index 0000000..52b2000 --- /dev/null +++ b/tests/hardening/ufw_outbound_connection.sh @@ -0,0 +1,43 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe prepare test + apt install -y ufw + + # default case: we want the outbound all rule to be present, but it is not + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + # we can not apply the fix, unless running on a privileged container + # we manually update the rules file + describe fix the situation + # shellcheck disable=2129 + echo '-A ufw-user-output -o all -j ACCEPT' >>/etc/ufw/user.rules + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + # reverse case: we don't want the outbound all rule to be present, but it is + describe prepare failed test + sed -i '/ALLOW_OUTBOUND_ALL/s/=.*/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" + + describe Running failed test + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe fix the situation + # shellcheck disable=2129 + sed -i '$d' /etc/ufw/user.rules + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + apt purge -y ufw + apt autoremove -y +} diff --git a/tests/hardening/ufw_rules_them_all.sh b/tests/hardening/ufw_rules_them_all.sh new file mode 100644 index 0000000..8180da8 --- /dev/null +++ b/tests/hardening/ufw_rules_them_all.sh @@ -0,0 +1,9 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + # no much to test here, unless running on a privileged container, to run ufw commands + describe Running on blank host + register_test retvalshouldbe 0 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all +}