From 5e8b093cd59b313ba65b92bc0a446bc552280fc8 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 6 Nov 2020 14:54:58 +0800 Subject: [PATCH] Add exception method for --allow-service to skip audit and apply. --- ...14.1_security_related_NAT_slipstreaming.sh | 77 +++++++++++-------- 1 file changed, 43 insertions(+), 34 deletions(-) diff --git a/bin/hardening/14.1_security_related_NAT_slipstreaming.sh b/bin/hardening/14.1_security_related_NAT_slipstreaming.sh index 02038ac..ba44829 100755 --- a/bin/hardening/14.1_security_related_NAT_slipstreaming.sh +++ b/bin/hardening/14.1_security_related_NAT_slipstreaming.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +HARDENING_EXCEPTION=sechardened HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf' BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip' @@ -20,61 +21,69 @@ SYSCTL_EXP_RESULT=0 # This function will be called if the script status is on enabled / audit mode audit () { - for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do - check_blacklist_module_set $BLACKLIST_CONF - if [ $FNRET = 0 ]; then - ok "$BLACKLIST_CONF was set to blacklist" - else - crit "$BLACKLIST_CONF is not set to blacklist" - fi - done - if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then + if [ $ISEXCEPTION -eq 1 ]; then + warn "Exception is set to 1, so it's pass!" + else + for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do + check_blacklist_module_set $BLACKLIST_CONF + if [ $FNRET = 0 ]; then + ok "$BLACKLIST_CONF was set to blacklist" + else + crit "$BLACKLIST_CONF is not set to blacklist" + fi + done + if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT if [ $FNRET != 0 ]; then - crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" + crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" elif [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" - fi - else - crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself." + fi + else + crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself." fi + fi } # This function will be called if the script status is on enabled mode apply () { - for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do - check_blacklist_module_set $BLACKLIST_CONF - if [ $FNRET = 0 ]; then - ok "$BLACKLIST_CONF was set to blacklist" - else - warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE" - if [ -w $HARBIAN_SEC_CONF_FILE ]; then - add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF" + if [ $ISEXCEPTION -eq 1 ]; then + warn "Exception is set to 1, so it's pass!" + else + for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do + check_blacklist_module_set $BLACKLIST_CONF + if [ $FNRET = 0 ]; then + ok "$BLACKLIST_CONF was set to blacklist" else - touch $HARBIAN_SEC_CONF_FILE - add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF" + warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE" + if [ -w $HARBIAN_SEC_CONF_FILE ]; then + add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF" + else + touch $HARBIAN_SEC_CONF_FILE + add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF" + fi fi - fi - done - if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then + done + if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT if [ $FNRET != 0 ]; then - warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" - set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null + warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null elif [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" fi - else - warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf" - if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then - echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf else - : + warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf" + if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then + echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf + else + : + fi fi fi }