

Merge pull request #10587 from dodys/iptables
Add Ubuntu SCE checks for iptables rules
Mab879 authored May 18, 2023
2 parents 04fee0c + 49036c8 commit 267401c
Showing 4 changed files with 86 additions and 0 deletions.
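--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,26 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+# Pass rule if IPv6 is disabled on kernel
+if [ ! -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] || [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 1 ]; then
+exit "$XCCDF_RESULT_PASS"
+fi
+
+output="$(ip6tables -L | grep Chain)"
+if [ -z "${output}" ]; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+while read -r line; do
+chain=$(echo "$line" | awk '{print $1, $2}')
+policy=$(echo "$line" | awk '{print $4}' | tr -d ")")
+if [ "$chain" = "Chain INPUT" ] || [ "$chain" = "Chain FORWARD" ] ||
+[ "$chain" = "Chain OUTPUT" ]; then
+if [ "$policy" != "DROP" ] && [ "$policy" != "REJECT" ]; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+fi
+done <<< "$output"
+
+exit "$XCCDF_RESULT_PASS"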
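Review bot: `ip6tables -L` without `-n` reverse-resolves every address in the listing, so this check can stall on a host with no resolver access even though only the `Chain …` header lines are consumed; `output="$(ip6tables -L -n | grep Chain)"` avoids the lookups, and the same applies to the `iptables -L` call in the fourth file. As far as I know `ip6tables -P` accepts only ACCEPT and DROP as a built-in chain policy, so the `"$policy" != "REJECT"` alternative is unreachable and the test reduces to `!= "DROP"`; either drop it or add a comment explaining why it is kept (the fourth file has the same condition). The script also has no purpose comment; a line such as `# Fail unless the filter-table INPUT, FORWARD and OUTPUT chains all have a DROP policy` at the top would tell the reader what is asserted, since the only existing comment describes the IPv6-disabled shortcut.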
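--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+# Pass rule if IPv6 is disabled on kernel
+if [ ! -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] || [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" -eq 1 ]; then
+exit "$XCCDF_RESULT_PASS"
+fi
+
+regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+\*\s+\*\s+::1\s+::\/0"
+
+# Check chain INPUT for loopback related rules
+if ! ip6tables -L INPUT -v -n | grep -Ezq "$regex" ; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+# Check chain OUTPUT for loopback related rules
+if ! ip6tables -L OUTPUT -v -n | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+\*\s+lo\s+::\/0\s+::\/0" ; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+exit "$XCCDF_RESULT_PASS"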
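Review bot: The counter patterns `[0-9]+\s+[0-9]+` in `regex` and in the OUTPUT pattern assume exact integer packet/byte counts, but `ip6tables -L -v -n` abbreviates counters above 99999 to forms like `1234K` or `56M`, so once the loopback rules have seen real traffic the check reports FAIL even though the rules are present; `ip6tables -L INPUT -v -n -x` (and the same for OUTPUT) prints exact counters, or the pattern could accept a suffix with `[0-9]+[KMG]?`. The IPv4 loopback script in the third file uses the same patterns and needs the same `-x`. A short comment above the INPUT check would also help a future reader, e.g. `# -z feeds the whole listing to grep as one record so the regex can require the DROP rule to immediately follow the ACCEPT-on-lo rule`.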
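--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+lo\s+\*\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+--\s+\*\s+\*\s+127\.0\.0\.0\/8\s+0\.0\.0\.0\/0"
+
+# Check chain INPUT for loopback related rules
+if ! iptables -L INPUT -v -n | grep -Ezq "$regex" ; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+# Check chain OUTPUT for loopback related rules
+if ! iptables -L OUTPUT -v -n | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+--\s+\*\s+lo\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0" ; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+exit "$XCCDF_RESULT_PASS"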
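--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -0,0 +1,21 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# check-import = stdout
+
+output="$(iptables -L | grep Chain)"
+if [ -z "${output}" ]; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+
+while read -r line; do
+chain=$(echo "$line" | awk '{print $1, $2}')
+policy=$(echo "$line" | awk '{print $4}' | tr -d ')')
+if [ "$chain" = "Chain INPUT" ] || [ "$chain" = "Chain FORWARD" ] ||
+[ "$chain" = "Chain OUTPUT" ]; then
+if [ "$policy" != "DROP" ] && [ "$policy" != "REJECT" ]; then
+exit "$XCCDF_RESULT_FAIL"
+fi
+fi
+done <<< "$output"
+
+exit "${XCCDF_RESULT_PASS}"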
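Review bot: This script is a copy of the IPv6 default-policy check in the first file with the IPv6 guard removed, but the two have already drifted in trivial ways (`tr -d ')'` versus `tr -d ")"`, `exit "${XCCDF_RESULT_PASS}"` versus `exit "$XCCDF_RESULT_PASS"`), which makes it easy for a future fix to land in one and not the other; keeping the shared chain-parsing loop byte-identical in both, or factoring it into a single check parameterised by the binary name, would avoid that. A header comment stating what is asserted, e.g. `# Fail unless the filter-table INPUT, FORWARD and OUTPUT chains all have a DROP policy`, would also help, since this script currently carries no description at all.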

