CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Update tests_firewalls -> FIRE-4508 #1555

Closed teoberi closed 1 month ago

teoberi commented 1 month ago

Include #1554
Fix FIND variable (remove "\n" and -z)
Add sort + uniq while read line from FIND

nser77 commented 1 month ago

Hello @teoberi, can we work together on this module?

CC: @mboelen

teoberi commented 1 month ago

Whatever you want! I tested the changes on Slackware and Ubuntu. It seems to me that they are OK, but you can also test.

mboelen commented 1 month ago

Thanks, changes merged.

nser77 commented 1 month ago

Hello @teoberi , I produced the following patch: https://github.com/nser77/lynis/tree/nser77-patch-4

I think it helps with a more flexible parsing of iptables output.

As starting point, I replicated the existing module controls and also added NFQUEUE; documentation regarding NFQUEUE might be the following: Scapy - https://github.com/secdev/scapy/blob/93c94722da7ac3c8a5e02d164bfd9237172e0f6e/doc/notebooks/Scapy%20in%2015%20minutes.ipynb#L1149 .

It should be POSIX compliant and this is the result in my environment.

Versions:

  Program version:           3.1.3
  Operating system:          Linux
  Operating system name:     Ubuntu
  Operating system version:  24.04
  Kernel version:            6.8.0
  Hardware platform:         x86_64
  Hostname:                  host01

Audit:

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
      - Checking chain INPUT (table: filter, chain INPUT)     [ DROP ]
      - Checking chain INPUT (table: filter, chain INPUT)     [ NFQUEUE ]
      - Checking chain INPUT (table: filter, chain INPUT)     [ NFQUEUE ]
      - Checking chain INPUT (table: filter, chain INPUT)     [ NFQUEUE ]
      - Checking chain OUTPUT (table: filter, chain OUTPUT)   [ NFQUEUE ]
      - Checking chain INPUT (table: security, chain INPUT)   [ ACCEPT ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ FOUND ]
  - Checking host based firewall 

Suggestions:

  * Consider avoid NFQUEUE target if possible (iptables chain INPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

  * Consider avoid NFQUEUE target if possible (iptables chain INPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

  * Consider avoid NFQUEUE target if possible (iptables chain INPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

  * Consider avoid NFQUEUE target if possible (iptables chain OUTPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

My iptables rules:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -d 8.8.8.8/32 -j DROP
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT

If you can test it I would really appreciate it.

If both of you are ok with the new changes (CC @mboelen), my idea is to push it in upstream.

Regards,

teoberi commented 1 month ago

I haven't used NFQUEUE so I don't really know about it. Maybe you can modify the output to get unique records, for example:

  Checking chain INPUT (table: filter, chain INPUT) [ NFQUEUE ]

I will test in the following days, now I am busy with another project.

wileyhy commented 1 month ago

Would it run faster like this?

  # Only the filter and security tables carry policies worth rating here.
  if [ "${table}" = "filter" ] || [ "${table}" = "security" ]; then
    if [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ]; then
      LogText "Result: Found ${target} for ${chain} (table: ${table})"
      Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW
      AddHP 1 3
    elif [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ]; then
      LogText "Result: Found ${target} for ${chain} (table: ${table})"
      Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN
      AddHP 3 3
    elif [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ]; then
      # NFQUEUE on any of the built-in chains raises the FIRE-4508 suggestion.
      if [ "${target}" = "NFQUEUE" ]; then
        LogText "Result: Found ${target} for ${chain} (table: ${table})"
        Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED
        ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})"
        AddHP 0 3
      fi
    fi
  fi

On Tue, Oct 8, 2024, 06:01 teoberi @.***> wrote:

I haven't used NFQUEUE so I don't really know about it. Maybe you can modify the output to get unique records, for example:

  • Checking chain INPUT (table: filter, chain INPUT) [ NFQUEUE ]

I will test in the following days, now I am busy with another project.


nser77 commented 1 month ago

I haven't used NFQUEUE so I don't really know about it. Maybe you can modify the output to get unique records, for example:

  • Checking chain INPUT (table: filter, chain INPUT) [ NFQUEUE ]

I will test in the following days, now I am busy with another project.

Thanks for your input: I will check it and get back to you.

Would it run faster like this? [...]

Thanks for your suggestion: yes, I agree with you; let me work on it.

nser77 commented 1 month ago

Hello, I addressed both suggestions with: https://github.com/nser77/lynis/tree/nser77-patch-7

iptables:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -d 8.8.8.8/32 -p tcp -j NFQUEUE --queue-num 0
-A OUTPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -d 8.8.8.8/32 -j DROP

Details:

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
      Checking chain INPUT (table: filter, target: DROP)      [ DROP ]
      Checking chain INPUT (table: filter, target: NFQUEUE)   [ NFQUEUE ]
      Checking chain OUTPUT (table: filter, target: NFQUEUE)  [ NFQUEUE ]
      Checking chain INPUT (table: security, target: ACCEPT)  [ ACCEPT ]
    - Checking for empty ruleset                              [ OK ]
    - Checking for unused rules                               [ FOUND ]
  - Checking host based firewall                              [ ACTIVE ]

Suggestions:

  * Consider avoid NFQUEUE target if possible (iptables chain INPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

  * Consider avoid NFQUEUE target if possible (iptables chain OUTPUT, table: filter) [FIRE-4508]
      https://cisofy.com/lynis/controls/FIRE-4508/

Kindly requesting your review and inputs @teoberi and @wileyhy .

Thanks!

teoberi commented 1 month ago

The result for:

Checking iptables policies of chains [ FOUND ]

should be ordered alphabetically (it's easier to find what you're looking for)

  Checking chain INPUT (table: security, target: ACCEPT)  [ ACCEPT ]
  Checking chain INPUT (table: filter, target: DROP)      [ DROP ]
  Checking chain INPUT (table: filter, target: NFQUEUE)   [ NFQUEUE ]
  Checking chain OUTPUT (table: filter, target: NFQUEUE)  [ NFQUEUE ]

The while do, if elif structure is extremely long for me. You can make a pull request to see what others say.

nser77 commented 1 month ago

Hello, thanks for your answer.

The while do, if elif structure is extremely long for me.

The scope here is not relying on external tools to parse the iptables output and also creating a framework for further contributions; this should allow us to run the control on almost every system where only iptables is present and also to dig deeper if needed. When sort is present, we also display information; this is something I'm not really happy with, but I agree with your previous suggestion. What I will do is add an additional if statement to check if the sort binary is present; otherwise I will display the results without sorting or unique values.

I can also remove all of those not required mappings like -s, -d, -m, etc.; this should reduce the size of the whole structure.

should be ordered alphabetically (it's easier to find what you're looking for)

I'm not sure if it's really needed but let me check.
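As an added example, not part of Lynis and not code from nser77's patch branches, the POSIX sh script below shows the approach described in this thread: parsing `iptables -S` output inside the shell with no external tools (nser77's goal above), which also gives the unique records teoberi asked for without depending on sort or uniq being installed. The sample input is constructed from the rules posted earlier in the thread; the function names, the rating strings and the Lynis-style output line are this example's own and not Lynis helpers. It goes one step beyond the thread by distinguishing NFQUEUE rules that carry `--queue-bypass`: per iptables-extensions(8), when no userspace program is bound to the queue such a rule behaves like ACCEPT instead of dropping the packet, so it fails open and is worth surfacing separately from a plain NFQUEUE finding.

```shell
#!/bin/sh
# Added example, not part of Lynis or of the patch discussed above.
# Parses "iptables -t TABLE -S" output (the "-P CHAIN POLICY" and
# "-A CHAIN ... -j TARGET" lines posted in the thread) into unique
# "TABLE CHAIN TARGET[ bypass]" records using only POSIX sh builtins,
# so no sort/uniq is needed. Function names are this example's own.

# Constructed sample input modelled on the rules posted in the thread
# (what "iptables -t filter -S" / "iptables -t security -S" would print).
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0
-A INPUT -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -d 8.8.8.8/32 -p tcp -j NFQUEUE --queue-num 0
-A OUTPUT ! -d 8.8.8.8/32 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -d 8.8.8.8/32 -j DROP'
SAMPLE_SECURITY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# parse_iptables_table TABLE   (reads the -S dump on stdin)
# Prints one line per distinct record, in first-seen order. Runs in a
# subshell so "set -f" (no globbing of rule tokens such as "!") and the
# positional-parameter juggling stay local to the function.
parse_iptables_table() (
  set -f
  table=$1
  seen="|"
  while read -r line; do
    set -- $line
    if [ $# -lt 3 ]; then continue; fi
    case $1 in
      -P) chain=$2; target=$3; flag="" ;;
      -A)
        chain=$2; target=""; flag=""
        shift 2
        # Walk the match/target tokens; only "-j TARGET" and
        # "--queue-bypass" matter for this check.
        while [ $# -gt 0 ]; do
          case $1 in
            -j) target=${2:-}; if [ $# -gt 1 ]; then shift; fi ;;
            --queue-bypass) flag=" bypass" ;;
          esac
          shift
        done
        ;;
      *) continue ;;   # anything that is not a policy or a rule
    esac
    [ -n "$target" ] || continue
    record="$table $chain $target$flag"
    # Pure-shell "uniq": every record seen so far is kept in one
    # '|'-delimited string, so repeats never reach the output.
    case $seen in *"|$record|"*) continue ;; esac
    seen="$seen$record|"
    printf '%s\n' "$record"
  done
)

# rate_target CHAIN TARGET [bypass]
# Mirrors the scoring discussed in the thread: DROP on INPUT is GREEN,
# ACCEPT on INPUT is YELLOW, NFQUEUE on any chain is RED (the FIRE-4508
# suggestion). NFQUEUE with --queue-bypass is flagged on its own because,
# per iptables-extensions(8), with no userspace listener on the queue the
# rule accepts the packet instead of dropping it.
rate_target() {
  case "$1:$2" in
    INPUT:DROP)   echo GREEN ;;
    INPUT:ACCEPT) echo YELLOW ;;
    *:NFQUEUE)
      if [ "${3:-}" = bypass ]; then echo "RED queue-bypass"; else echo RED; fi ;;
    *)            echo NONE ;;
  esac
}

# audit_firewall: run the parser over both sample tables and print a
# Lynis-style line for every record that merits a finding.
audit_firewall() {
  {
    printf '%s\n' "$SAMPLE_FILTER"   | parse_iptables_table filter
    printf '%s\n' "$SAMPLE_SECURITY" | parse_iptables_table security
  } | while read -r table chain target flag; do
    rating=$(rate_target "$chain" "$target" "$flag")
    if [ "$rating" != NONE ]; then
      printf 'Checking chain %s (table: %s, target: %s) [ %s ]\n' \
        "$chain" "$table" "$target" "$rating"
    fi
  done
}

audit_firewall
```

On a real host the constructed samples would be replaced by one call per table, e.g. `iptables -t filter -S | parse_iptables_table filter`; the per-table call matters because a concatenated listing like the one posted earlier in the thread carries no table markers, so the parser cannot tell the filter policies from the nat, mangle, raw and security ones on its own.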