elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity
c0ecc9cd6f
debian-cis/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
Thibault Ayanides 7ce8ec8b89 Renum 2.x and 3.x files to comply with debian10 CIS 
renamed:    bin/hardening/3.7_disable_ipv6.sh -> bin/hardening/3.1.1_disable_ipv6.sh
	renamed:    bin/hardening/3.6_disable_wireless.sh -> bin/hardening/3.1.2_disable_wireless.sh
	renamed:    bin/hardening/3.1.2_disable_send_packet_redirects.sh -> bin/hardening/3.2.1_disable_send_packet_redirects.sh
	renamed:    bin/hardening/3.1.1_disable_ip_forwarding.sh -> bin/hardening/3.2.2_disable_ip_forwarding.sh
	renamed:    bin/hardening/3.2.1_disable_source_routed_packets.sh -> bin/hardening/3.3.1_disable_source_routed_packets.sh
	renamed:    bin/hardening/3.2.2_disable_icmp_redirect.sh -> bin/hardening/3.3.2_disable_icmp_redirect.sh
	renamed:    bin/hardening/3.2.3_disable_secure_icmp_redirect.sh -> bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
	renamed:    bin/hardening/3.2.4_log_martian_packets.sh -> bin/hardening/3.3.4_log_martian_packets.sh
	renamed:    bin/hardening/3.2.5_ignore_broadcast_requests.sh -> bin/hardening/3.3.5_ignore_broadcast_requests.sh
	renamed:    bin/hardening/3.2.6_enable_bad_error_message_protection.sh -> bin/hardening/3.3.6_enable_bad_error_message_protection.sh
	renamed:    bin/hardening/3.2.7_enable_source_route_validation.sh -> bin/hardening/3.3.7_enable_source_route_validation.sh
	renamed:    bin/hardening/3.2.8_enable_tcp_syn_cookies.sh -> bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
	renamed:    bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh -> bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	renamed:    bin/hardening/3.5_enable_firewall.sh -> bin/hardening/3.5.1.1_enable_firewall.sh
	renamed:    bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh -> bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
	renamed:    bin/hardening/3.3.1_install_tcp_wrapper.sh -> bin/hardening/99.3.3.1_install_tcp_wrapper.sh
	renamed:    bin/hardening/3.3.2_hosts_allow.sh -> bin/hardening/99.3.3.2_hosts_allow.sh
	renamed:    bin/hardening/3.3.3_hosts_deny.sh -> bin/hardening/99.3.3.3_hosts_deny.sh
	renamed:    bin/hardening/3.3.4_hosts_allow_permissions.sh -> bin/hardening/99.3.3.4_hosts_allow_permissions.sh
	renamed:    bin/hardening/3.3.5_hosts_deny_permissions.sh -> bin/hardening/99.3.3.5_hosts_deny_permissions.sh
	renamed:    tests/hardening/3.1.2_disable_send_packet_redirects.sh -> tests/hardening/3.1.1_disable_ipv6.sh
	renamed:    tests/hardening/3.2.1_disable_source_routed_packets.sh -> tests/hardening/3.1.2_disable_wireless.sh
	renamed:    tests/hardening/3.2.2_disable_icmp_redirect.sh -> tests/hardening/3.2.1_disable_send_packet_redirects.sh
	renamed:    tests/hardening/3.1.1_disable_ip_forwarding.sh -> tests/hardening/3.2.2_disable_ip_forwarding.sh
	renamed:    tests/hardening/3.2.3_disable_secure_icmp_redirect.sh -> tests/hardening/3.3.1_disable_source_routed_packets.sh
	renamed:    tests/hardening/3.2.4_log_martian_packets.sh -> tests/hardening/3.3.2_disable_icmp_redirect.sh
	renamed:    tests/hardening/3.2.5_ignore_broadcast_requests.sh -> tests/hardening/3.3.3_disable_secure_icmp_redirect.sh
	renamed:    tests/hardening/3.2.6_enable_bad_error_message_protection.sh -> tests/hardening/3.3.4_log_martian_packets.sh
	renamed:    tests/hardening/3.2.7_enable_source_route_validation.sh -> tests/hardening/3.3.5_ignore_broadcast_requests.sh
	renamed:    tests/hardening/3.2.8_enable_tcp_syn_cookies.sh -> tests/hardening/3.3.6_enable_bad_error_message_protection.sh
	renamed:    tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh -> tests/hardening/3.3.7_enable_source_route_validation.sh
	renamed:    tests/hardening/3.3.1_install_tcp_wrapper.sh -> tests/hardening/3.3.8_enable_tcp_syn_cookies.sh
	renamed:    tests/hardening/3.3.2_hosts_allow.sh -> tests/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	renamed:    tests/hardening/3.3.3_hosts_deny.sh -> tests/hardening/3.5.1.1_enable_firewall.sh
	renamed:    tests/hardening/3.3.4_hosts_allow_permissions.sh -> tests/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
	renamed:    tests/hardening/3.3.5_hosts_deny_permissions.sh -> tests/hardening/99.3.3.1_install_tcp_wrapper.sh
	renamed:    tests/hardening/3.5.1.1_net_fw_default_policy_drop.sh -> tests/hardening/99.3.3.2_hosts_allow.sh
	renamed:    tests/hardening/3.5_enable_firewall.sh -> tests/hardening/99.3.3.3_hosts_deny.sh
	renamed:    tests/hardening/3.6_disable_wireless.sh -> tests/hardening/99.3.3.4_hosts_allow_permissions.sh
	renamed:    tests/hardening/3.7_disable_ipv6.sh -> tests/hardening/99.3.3.5_hosts_deny_permissions.sh

	renamed:    bin/hardening/2.2.1.2_configure_ntp.sh -> bin/hardening/2.2.1.4_configure_ntp.sh
	renamed:    tests/hardening/2.2.1.2_configure_ntp.sh -> tests/hardening/2.2.1.4_configure_ntp.sh
2020-12-22 08:52:43 +01:00

81 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# run-shellcheck
#
# OVH Security audit
#
#
# 3.5.4.1.1 Ensure default deny firewall policy (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWARD."
PACKAGE="iptables"
FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then
crit "Empty return from $PACKAGE command. Aborting..."
return
fi
for chain in $FW_CHAINS; do
regex="Chain $chain \(policy ([A-Z]+)\)"
# previous line will capture actual policy
if [[ "$ipt" =~ $regex ]]; then
actual_policy=${BASH_REMATCH[1]}
if [[ "$actual_policy" = "$FW_POLICY" ]]; then
ok "Policy correctly set to $FW_POLICY for chain $chain"
else
crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
fi
else
echo "cant find chain $chain"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
Reference in New Issue View Git Blame Copy Permalink