More AUDIT changes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
d2ab27c071
commit
814494e277
@ -315,7 +315,7 @@ our %config_files = ( #accounting => 1,
|
|||||||
#
|
#
|
||||||
# Options that involve the the AUDIT target
|
# Options that involve the the AUDIT target
|
||||||
#
|
#
|
||||||
my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
|
my @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
|
||||||
#
|
#
|
||||||
# Directories to search for configuration files
|
# Directories to search for configuration files
|
||||||
#
|
#
|
||||||
@ -3362,12 +3362,12 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||||
unless ( $val =~ /^A?REJECT$/ ) {
|
unless ( $val =~ /^A?REJECT$/ ) {
|
||||||
unless ( $val =~ /^A?DROP/ ) {
|
if ( $val =~ /^A?DROP/ ) {
|
||||||
if ( $val eq 'ACCEPT' ) {
|
$globals{MACLIST_TARGET} = $val;
|
||||||
$globals{MACLIST_TARGET} = 'RETURN';
|
} elsif ( $val eq 'ACCEPT' ) {
|
||||||
} else {
|
$globals{MACLIST_TARGET} = 'RETURN';
|
||||||
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
|
} else {
|
||||||
}
|
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
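Review bot: The DROP branch added at `if ( $val =~ /^A?DROP/ ) {` is not end-anchored, unlike the `/^A?REJECT$/` test just above it, so any value beginning with DROP or ADROP (a typo such as `DROPX`) passes validation and is stored verbatim in `$globals{MACLIST_TARGET}`; presumably that value later ends up in a generated rule as the target name, so the mistake would surface as a rule-load failure instead of the intended fatal_error. Anchor it to match the REJECT check: `if ( $val =~ /^A?DROP$/ ) {`. get_configuration continues outside this hunk, including the `else` branch that closes it.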
@ -168,9 +168,9 @@ sub initialize( $ ) {
|
|||||||
%usedactions = ();
|
%usedactions = ();
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
|
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AUDIT AACCEPT ADROP AREJECT/;
|
||||||
} else {
|
} else {
|
||||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
|
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AUDIT AACCEPT ADROP AREJECT/;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1291,10 +1291,21 @@ sub Limit( $$$$ ) {
|
|||||||
add_rule $chainref, '-j ACCEPT';
|
add_rule $chainref, '-j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub AUDIT( $$$$) {
|
||||||
|
my ($chainref, $level, $tag, $type ) = @_;
|
||||||
|
|
||||||
|
require_capability 'AUDIT_TARGET' , 'AUDIT rules', '';
|
||||||
|
|
||||||
|
fatal_error "Logging is not permitted in the AUDIT action" if $level;
|
||||||
|
fatal_error "AUDIT requires a 'type' parameter";
|
||||||
|
fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(accept|drop|reject)$/;
|
||||||
|
add_rule $chainref , "-j AUDIT --type $type";
|
||||||
|
}
|
||||||
|
|
||||||
sub AACCEPT ( $$$ ) {
|
sub AACCEPT ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
|
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
|
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
|
||||||
add_rule $chainref , '-j AUDIT --type accept';
|
add_rule $chainref , '-j AUDIT --type accept';
|
||||||
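Review bot: `fatal_error "AUDIT requires a 'type' parameter";` in the new `AUDIT` sub carries no condition, so every call dies before the type check and the `add_rule` line is unreachable — including the `AUDIT('accept')`, `AUDIT('drop')` and `AUDIT('reject')` calls in the three action files this commit adds. It should be guarded: `fatal_error "AUDIT requires a 'type' parameter" unless defined $type && $type ne '';`. Since `$type` is interpolated straight into the rule string on the next line, the whitelist regex is what keeps that safe; `\z` instead of `$` (`unless $type =~ /^(?:accept|drop|reject)\z/`) would also refuse a value with a trailing newline. The prototype spacing `( $$$$)` differs from the `( $$$ )` used by AACCEPT/ADROP/AREJECT below, and a one-line comment stating that `$level` must be empty and `$type` one of accept/drop/reject would tell callers what the sub expects.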
@ -1304,7 +1315,7 @@ sub AACCEPT ( $$$ ) {
|
|||||||
sub ADROP ( $$$ ) {
|
sub ADROP ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
|
require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
|
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
|
||||||
add_rule $chainref , '-j AUDIT --type drop';
|
add_rule $chainref , '-j AUDIT --type drop';
|
||||||
@ -1314,7 +1325,7 @@ sub ADROP ( $$$ ) {
|
|||||||
sub AREJECT ( $$$ ) {
|
sub AREJECT ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
|
require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
|
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
|
||||||
add_rule $chainref , '-j AUDIT --type reject';
|
add_rule $chainref , '-j AUDIT --type reject';
|
||||||
@ -1329,7 +1340,12 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
|||||||
'allowInvalid' => \&allowInvalid,
|
'allowInvalid' => \&allowInvalid,
|
||||||
'allowinUPnP' => \&allowinUPnP,
|
'allowinUPnP' => \&allowinUPnP,
|
||||||
'forwardUPnP' => \&forwardUPnP,
|
'forwardUPnP' => \&forwardUPnP,
|
||||||
'Limit' => \&Limit, );
|
'Limit' => \&Limit,
|
||||||
|
'AUDIT' => \&AUDIT,
|
||||||
|
'AACCEPT' => \&AACCEPT,
|
||||||
|
'ADROP' => \&ADROP,
|
||||||
|
'AREJECT' => \&AREJECT
|
||||||
|
);
|
||||||
|
|
||||||
#
|
#
|
||||||
# This function is called prior to processing of the policy file. It:
|
# This function is called prior to processing of the policy file. It:
|
||||||
@ -1463,14 +1479,16 @@ sub process_action( $) {
|
|||||||
sub process_actions2 () {
|
sub process_actions2 () {
|
||||||
progress_message2 "$doing policy actions...";
|
progress_message2 "$doing policy actions...";
|
||||||
|
|
||||||
for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
|
my $ref;
|
||||||
if ( my $ref = use_action( $_ ) ) {
|
|
||||||
|
for ( map normalized_action_name $_, grep $auditpolicies{$config{$_}}, @auditoptions ) {
|
||||||
|
if ( $ref = use_action( $_ ) ) {
|
||||||
process_action( $ref );
|
process_action( $ref );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
|
for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
|
||||||
if ( my $ref = use_action( $_ ) ) {
|
if ( $ref = use_action( $_ ) ) {
|
||||||
process_action( $ref );
|
process_action( $ref );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
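Review bot: The first loop at `for ( map normalized_action_name $_, grep $auditpolicies{$config{$_}}, @auditoptions )` calls `normalized_action_name` while the second loop calls `normalize_action_name`; unless both subs exist (not visible here), one of them is a typo that only fails at run time once an audit disposition is actually configured, and the old version of the line carried the same name so this commit does not fix it. Hoisting `my $ref` to sub scope also widens it across both loops; `if ( my $ref = use_action( $_ ) ) {` as the old code had keeps it loop-scoped at no cost. process_actions2 continues outside this hunk.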
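--- /dev/null
+++ b/Shorewall/action.AAccept
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Audit Accept Action
+#
+# /usr/share/shorewall/action.AAccept
+#
+# Specify this as the ACCEPT_ACTION if you want ACCEPT policies to be
+# Audited
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Audit the result
+#
+AUDIT('accept')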
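--- /dev/null
+++ b/Shorewall/action.ADrop
@@ -0,0 +1,60 @@
+#
+# Shorewall version 4 - Drop Action
+#
+# /usr/share/shorewall/action.ADrop
+#
+# Like action.Drop but also Audits
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that 'auth' requests are rejected, even if the policy is
+# DROP. Otherwise, you may experience problems establishing
+# connections with servers that use auth.
+# c) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Reject 'auth'
+#
+Auth(REJECT)
+#
+# Don't log broadcasts
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(DROP)
+DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep
+#
+# Audit the result
+#
+AUDIT('drop')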
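Review bot: The header `# Shorewall version 4 - Drop Action` names this file as the plain Drop action although it is action.ADrop; `# Shorewall version 4 - ADrop Action` keeps the two distinguishable. The closing `# Audit the result` comment also oversells coverage: `AUDIT('drop')` is the last rule, so packets that the earlier `Auth(REJECT)`, `dropBcast`, `AllowICMPs`, `dropInvalid`, `SMB(DROP)`, `dropNotSyn` and `DropDNSrep` rules presumably terminate never reach it and leave no audit record. A comment such as `# Audit only what falls through to the DROP policy (packets handled above are not audited)` states the actual behaviour; the same applies to action.AReject.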
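--- /dev/null
+++ b/Shorewall/action.AReject
@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - AReject Action
+#
+# /usr/share/shorewall/action.Reject
+#
+# This action is like Reject only it also audits
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET SOURCE DEST PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(REJECT)
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(REJECT)
+DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep
+#
+# Audit the result
+#
+AUDIT('reject')
+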
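Review bot: The path comment `# /usr/share/shorewall/action.Reject` points at the plain Reject action although this file is action.AReject; it should read `# /usr/share/shorewall/action.AReject`. The column header `#TARGET SOURCE DEST PROTO` also omits the DPORT SPORT columns that action.ADrop's header lists, even though `AllowICMPs - - icmp` and `dropNotSyn - - tcp` use the same column layout in both files.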
@ -8,6 +8,9 @@
|
|||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
|
# AACCEPT # Audits then accepts a connection request
|
||||||
|
# ADROP # Audits then drops a connection request
|
||||||
|
# AREJECT # Audits then drops a connection request
|
||||||
# allowBcast # Silently Allow Broadcast/multicast
|
# allowBcast # Silently Allow Broadcast/multicast
|
||||||
# dropBcast # Silently Drop Broadcast/multicast
|
# dropBcast # Silently Drop Broadcast/multicast
|
||||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||||
|
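Review bot: The new comment `# AREJECT # Audits then drops a connection request` describes the wrong disposition; the AREJECT builtin in this commit emits `-j AUDIT --type reject`, so it should read `# AREJECT # Audits then rejects a connection request`. The AUDIT builtin that this commit adds to @builtins is not listed here either; if it is meant to be usable by rule writers, a line such as `# AUDIT # Audits a connection request (type accept, drop or reject)` would complete the list. The enclosing comment block continues outside this hunk.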