V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -15,7 +15,10 @@ guard_sourcing
 #######################################
 # Hardening 'ufw'.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_FINAL_NIC
+#   VAR_RUN_RECOVERY
 #   VAR_SSH_PORT
 #   VAR_UFW_OUT
 # Arguments:
@@ -26,16 +29,22 @@ guard_sourcing
 hardening_ufw() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
-  declare -r  var_rules="${TARGET}/etc/ufw/before6.rules"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
-    touch "${TARGET}/var/log/ufw.log"
-    chmod 0640 "${TARGET}/var/log/ufw.log"
+  declare -r  var_rules="${var_target}/etc/ufw/before6.rules"
+
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
+    touch "${var_target}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
   fi
 
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
     ufw --force reset
     ufw logging medium
     ufw default deny incoming
@@ -48,7 +57,7 @@ hardening_ufw() {
   ### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
   if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       ufw allow out   21/tcp comment 'Outgoing FTP'
       ufw allow out   22/tcp comment 'Outgoing SSH'
       ufw allow out   25/tcp comment 'Outgoing SMTP'
@@ -71,12 +80,11 @@ hardening_ufw() {
   fi
 
   ### Allowing ICMP IPv4 outgoing per default.
-  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-
+  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
 
   ### Remove previous custom blocks (idempotent).
   sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
@@ -90,10 +98,9 @@ hardening_ufw() {
   ### Useful if local daemons join multicast groups, and you want clean logs.
   sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
 
+  chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
 
-  chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
-
-  chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
+  chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
 
   guard_dir && return 0
 }