feat: add debian12 scripts

- nftables_loopback_is_configured.sh 	-> 4.2.6
- nftables_established_connections.sh 	-> 4.2.7
- iptables_flushed_with_nftables.sh 	-> 4.2.3
- ufw_loopback_is_configured.sh 	-> 4.1.4
- ufw_outbound_connection.sh 		-> 4.1.5
- ufw_default_deny.sh 			-> 4.1.7
- ufw_rules_them_all.sh 		-> 4.1.6

tests/hardening/iptables_flushed_with_nftables.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables iptables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables iptables
+
+}

tests/hardening/nftables_established_connections.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}

tests/hardening/nftables_loopback_is_configured.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Prepare test
+    apt install -y nftables
+
+    # not much to test here, unless working on a privileged container
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt remove -y nftables
+
+}

tests/hardening/ufw_default_deny.sh

@@ -0,0 +1,27 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="ACCEPT"/g' /etc/default/ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the default file
+    describe fix the situation
+    sed -i '/DEFAULT_INPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_OUTPUT_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+    sed -i '/DEFAULT_FORWARD_POLICY/s/=.*/="DROP"/g' /etc/default/ufw
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_loopback_is_configured.sh

@@ -0,0 +1,28 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-input -i lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-output -o lo -j ACCEPT' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s 127.0.0.0/8 -j DROP' >>/etc/ufw/user.rules
+    echo '-A ufw-user-input -s ::1 -j DROP' >>/etc/ufw/user6.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_outbound_connection.sh

@@ -0,0 +1,43 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe prepare test
+    apt install -y ufw
+
+    # default case: we want the outbound all rule to be present, but it is not
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # we can not apply the fix, unless running on a privileged container
+    # we manually update the rules file
+    describe fix the situation
+    # shellcheck disable=2129
+    echo '-A ufw-user-output -o all -j ACCEPT' >>/etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reverse case: we don't want the outbound all rule to be present, but it is
+    describe prepare failed test
+    sed -i '/ALLOW_OUTBOUND_ALL/s/=.*/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Running failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe fix the situation
+    # shellcheck disable=2129
+    sed -i '$d' /etc/ufw/user.rules
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean test
+    apt purge -y ufw
+    apt autoremove -y
+}

tests/hardening/ufw_rules_them_all.sh

@@ -0,0 +1,9 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    # no much to test here, unless running on a privileged container, to run ufw commands
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+}