[bulk change] cleaning up, code enhancements, initialization of variables, and new tests

1 files changed, 29 insertions, 29 deletions

diff --git a/include/tests_firewalls b/include/tests_firewalls
index c1fca4ff..fd6338a2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -166,7 +166,7 @@
                 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
                 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
                 ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
-              else
+            else
                 LogText "Result: one or more rules are available (${FIND} rules)"
                 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
             fi
@@ -181,10 +181,10 @@
     Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
-        if [ -z "${FIND}" ]; then
+        if IsEmpty "${FIND}"; then
             Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
             LogText "Result: There are no unused rules present"
-          else
+        else
             Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
             LogText "Result: Found one or more possible unused rules"
             LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@@ -226,7 +226,7 @@
                 LogText "Result: pf is enabled"
                 PFFOUND=1
                 AddHP 3 3
-              else
+            else
                 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
                 ReportException ${TEST_NO} "Unknown status of pf firewall"
             fi
@@ -240,11 +240,11 @@
                 FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
                 if [ -z "${FIND}" ]; then
                     LogText "Result: Can not find pf KLD"
-                  else
+                else
                     LogText "Result: pf KLD loaded"
                     PFFOUND=1
                 fi
-              else
+            else
                 LogText "Result: no kldstat binary, skipping this part"
             fi
 
@@ -254,7 +254,7 @@
                 Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
                 PFFOUND=1
                 PFLOGDFOUND=1
-              else
+            else
                 LogText "Result: pflog daemon not found in process list"
             fi
         fi
@@ -263,7 +263,7 @@
             FIREWALL_ACTIVE=1
             FIREWALL_SOFTWARE="pf"
             Report "firewall_software[]=pf"
-          else
+        else
             LogText "Result: pf not running on this system"
         fi
     fi
@@ -284,12 +284,12 @@
             if [ -z "${PFWARNINGS}" ]; then
                 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
                 LogText "Result: no pf filter warnings found"
-              else
+            else
                 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
                 LogText "Result: found one or more warnings in the pf filter rules"
                 ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
             fi
-          else
+        else
             LogText "Result: /etc/pf.conf does NOT exist"
         fi
     fi
@@ -313,7 +313,7 @@
             FIREWALL_SOFTWARE="csf"
             Report "firewall_software[]=csf"
             Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
-          else
+        else
             LogText "Result: ${FILE} does NOT exist"
         fi
     fi
@@ -332,7 +332,7 @@
             FIREWALL_ACTIVE=1
             FIREWALL_SOFTWARE="ipf"
             Report "firewall_software[]=ipf"
-          else
+        else
             Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
             LogText "Result: ipf is not running"
         fi
@@ -357,15 +357,15 @@
                 if [ "${IPFW_ENABLED}" = "ipfw" ]; then
                     Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
                     LogText "Result: IPFW is enabled at start-up for IPv4"
-                  else
+                else
                     Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
                     LogText "Result: IPFW is disabled at start-up for IPv4"
                 fi
-              else
+            else
                 if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
                 LogText "Result: IPFW is not running for IPv4"
             fi
-          else
+        else
             ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
         fi
     fi
@@ -386,7 +386,7 @@
             APPLICATION_FIREWALL_ACTIVE=1
             Report "firewall_software[]=macosx-app-fw"
             Report "app_fw[]=macosx-app-fw"
-          else
+        else
             if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
             AddHP 1 3
             LogText "Result: application firewall of macOS is disabled"
@@ -407,7 +407,7 @@
             APPLICATION_FIREWALL_ACTIVE=1
             Report "app_fw[]=little-snitch"
             Report "firewall_software[]=little-snitch"
-          else
+        else
             if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
             AddHP 1 3
             LogText "Result: could not find Little Snitch"
@@ -418,7 +418,7 @@
 #
     # Test        : FIRE-4536
     # Description : Check nftables kernel module
-    if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
@@ -428,7 +428,7 @@
             FIREWALL_ACTIVE=1
             NFTABLES_ACTIVE=1
             Report "firewall_software[]=nftables"
-          else
+        else
             LogText "Result: no nftables kernel module found"
         fi
     fi
@@ -437,7 +437,7 @@
 #
     # Test        : FIRE-4538
     # Description : Check nftables configuration
-    if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Retrieve nft version
@@ -450,7 +450,7 @@
 #
     # Test        : FIRE-4540
     # Description : Check nftables configuration
-    if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for empty ruleset
@@ -458,19 +458,13 @@
         if [ ${NFT_RULES_LENGTH} -le 16 ]; then
             FIREWALL_EMPTY_RULESET=1
             LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
-          else
+        else
             LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
         fi
     fi
 #
 #################################################################################
 #
-    # Ideas:
-    # Suggestion to disable iptables if nftables is enabled
-    # Check for specific features in nftables releases
-#
-#################################################################################
-#
     # Test        : FIRE-4586
     # Description : Check firewall logging
     if [ ${FIREWALL_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -501,7 +495,7 @@
             # YYY Solaris ipf (determine default policy)
             Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
             AddHP 5 5
-          else
+        else
             Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
             LogText "Result: no host based firewall/packet filter found or configured"
             ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
@@ -521,5 +515,11 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
 WaitForKeyPress
 
 #
+#################################################################################
+#
+    # TODO
+    # Suggestion to disable iptables if nftables is enabled
+    # Check for specific features in nftables releases
+#
 #================================================================================
 # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com