diff options
author | mboelen <michael@cisofy.com> | 2015-12-02 18:55:41 +0300 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2015-12-02 18:55:41 +0300 |
commit | 4ab96e4f39081b8e8f14f8332ccd27125a2f2cbb (patch) | |
tree | a6c82a61d191c58d2aee81557fa748129325be6c /include/tests_firewalls | |
parent | 0144c9953331432ff50578a4c80161d076ff7e0d (diff) |
Improved test FIRE-4512 so that it also triggers if no more than 10 rules are found
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls index 302fd733..da933cb0 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -90,21 +90,22 @@ ################################################################################# # # Test : FIRE-4512 - # Description : Check iptables for empty ruleset + # Description : Check iptables for empty ruleset (should have at least 10 or more rules) if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPTABLESBINARY} --list --numeric | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '` - if [ "${FIND}" = "0" ]; then - # Firewall is active, but clearly needs configuration + FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '` + if [ ! "${FIND}" = "" ]; then FIREWALL_ACTIVE=1 - logtext "Result: iptables ruleset is empty" - Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED - ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active" - ReportSuggestion ${TEST_NO} "Disable iptables kernel module if not used or make sure rules are being used" - else - logtext "Result: one or more rules are available" - Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN + if [ ${FIND} -le 10 ]; then + # Firewall is active, but clearly needs configuration + logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)" + Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED + ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active" + else + logtext "Result: one or more rules are available (${FIND} rules)" + Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN + fi fi fi # |