author | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-05 13:29:04 +0300 |
committer | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-05 13:29:04 +0300 |
commit | 2942b4196b6043de151ec240f8db9a98c45466bb (patch) | |
tree | dbe236dc1e183f221ffa3219acf314ea2c5b42e4 /include/tests_firewalls | |
parent | cbed07cdb22938f1eaa27bc3b81869728adfab94 (diff) |
Added test FIRE-4540 and textual changes
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 7eff6cdc..fa9a603d 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -384,11 +384,14 @@
 if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found nftables kernel module"
 FIREWALL_SOFTWARE="nftables"
 NFTABLES_ACTIVE=1
 Report "firewall_software[]=nftables"
+ else
+ LogText "Result: no nftables kernel module found"
 fi
 fi
 #
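Review bot: The grep pattern `"^nf*_tables"` on the FIND line is a regular expression, not a glob: `f*` means zero or more `f`, so it matches `nf_tables` (and `n_tables`) but never the `nft_*` modules the wildcard seems meant to cover. If the core module is the intended signal, `${GREPBINARY} "^nf_tables"` states that plainly; if `nft_*` should count as well, the pattern needs an explicit alternation rather than a glob-style star. Separately, detection through `lsmod` cannot see an nf_tables built into the kernel rather than loaded as a module, so the new else branch would log "no nftables kernel module found" on such a host even when nftables is in use; a short comment above FIND, `# Built-in (non-module) nf_tables is not visible in lsmod output`, would keep that limitation in front of the next maintainer.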
@@ -400,19 +403,33 @@
 Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Retrieve nft version
- NFT_VERSION=`${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | tr -d 'v'`
+ NFT_VERSION=$(${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | ${TRBINARY} -d 'v')
 Report "nft_version=${NFT_VERSION}"
-
+ LogText "Result: found version ${NFT_VERSION} of nft"
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4540
+ # Description : Check nftables configuration
+ if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
- NFT_RULES_LENGTH=`${NFTBINARY} export json 2> /dev/null | wc -c`
+ NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c)
 if [ ${NFT_RULES_LENGTH} -le 16 ]; then
 FIREWALL_EMPTY_RULESET=1
+ LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
+ else
+ LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
 fi
- # Ideas:
- # Suggestion to disable iptables if nftables is enabled
- # Check for specific features in nftables releases
 fi
-
+#
+#################################################################################
+#
+ # Ideas:
+ # Suggestion to disable iptables if nftables is enabled
+ # Check for specific features in nftables releases
 #
 #################################################################################
 #
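Review bot: The two new LogText lines around the `-le 16` check report `${NFT_RULES_LENGTH}` as a rule count, but the variable holds the byte length of the `nft export json` output (`wc -c`), so a handful of rules is logged as hundreds of "rules" and the "16 rules or less" wording is wrong for the empty case too; `LogText "Result: exported ruleset is ${NFT_RULES_LENGTH} bytes (16 or less), considered empty"` and `LogText "Result: exported ruleset is ${NFT_RULES_LENGTH} bytes"` describe what was actually measured. The 16-byte threshold also deserves a why-comment next to the test, since an accurate empty-ruleset verdict is what FIREWALL_EMPTY_RULESET is for. Two smaller points in the same hunk: `wc` is invoked bare while the same commit routes `tr` through `${TRBINARY}`, so it is worth checking whether an equivalent variable exists for wc; and the new header comment `# Description : Check nftables configuration` does not match the Register description "Check for empty nftables configuration".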