author | Michael Boelen <michael.boelen@cisofy.com> | 2017-04-30 18:59:35 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2017-04-30 18:59:35 +0300 |
commit | 4ecb9d4d05124b813cd4d7ddcaf5671c2f4c4765 (patch) | |
tree | 282f5a4e9e3530ada04d00bda3e8ac118cf70bbd /include/tests_firewalls | |
parent | 5ccd0912cf74f5d3dd07e5ed5fe0e6a30571fbb5 (diff) |
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 58 |
1 files changed, 29 insertions, 29 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index c1fca4ff..fd6338a2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -166,7 +166,7 @@
 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
 ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
- else
+ else
 LogText "Result: one or more rules are available (${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
 fi
@@ -181,10 +181,10 @@
 Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
 LogText "Result: There are no unused rules present"
- else
+ else
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
 LogText "Result: Found one or more possible unused rules"
 LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@@ -226,7 +226,7 @@
 LogText "Result: pf is enabled"
 PFFOUND=1
 AddHP 3 3
- else
+ else
 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
 ReportException ${TEST_NO} "Unknown status of pf firewall"
 fi
@@ -240,11 +240,11 @@
 FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
 if [ -z "${FIND}" ]; then
 LogText "Result: Can not find pf KLD"
- else
+ else
 LogText "Result: pf KLD loaded"
 PFFOUND=1
 fi
- else
+ else
 LogText "Result: no kldstat binary, skipping this part"
 fi
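Review bot: The new `if IsEmpty "${FIND}"; then` in the FIRE-4513 hunk (@@ -181) replaces one `[ -z ... ]` test, but the same commit leaves `if [ -z "${FIND}" ]; then` in the pf KLD hunk (@@ -240) and `if [ -z "${PFWARNINGS}" ]; then` in the pf.conf hunk (@@ -284), so the helper is applied inconsistently inside a change described as a cleanup. If IsEmpty is the intended idiom, those two sites should read `if IsEmpty "${FIND}"; then` and `if IsEmpty "${PFWARNINGS}"; then`. IsEmpty is defined outside this file, so I am assuming it is true for an empty string exactly like `[ -z ]`; that should be confirmed before the remaining sites are converted. The if/else blocks around all three tests begin before their hunks.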
@@ -254,7 +254,7 @@
 Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
 PFFOUND=1
 PFLOGDFOUND=1
- else
+ else
 LogText "Result: pflog daemon not found in process list"
 fi
 fi
@@ -263,7 +263,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="pf"
 Report "firewall_software[]=pf"
- else
+ else
 LogText "Result: pf not running on this system"
 fi
 fi
@@ -284,12 +284,12 @@
 if [ -z "${PFWARNINGS}" ]; then
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
 LogText "Result: no pf filter warnings found"
- else
+ else
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found one or more warnings in the pf filter rules"
 ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
 fi
- else
+ else
 LogText "Result: /etc/pf.conf does NOT exist"
 fi
 fi
@@ -313,7 +313,7 @@
 FIREWALL_SOFTWARE="csf"
 Report "firewall_software[]=csf"
 Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: ${FILE} does NOT exist"
 fi
 fi
@@ -332,7 +332,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="ipf"
 Report "firewall_software[]=ipf"
- else
+ else
 Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
 LogText "Result: ipf is not running"
 fi
@@ -357,15 +357,15 @@
 if [ "${IPFW_ENABLED}" = "ipfw" ]; then
 Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
 LogText "Result: IPFW is enabled at start-up for IPv4"
- else
+ else
 Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
 LogText "Result: IPFW is disabled at start-up for IPv4"
 fi
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
 LogText "Result: IPFW is not running for IPv4"
 fi
- else
+ else
 ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
 fi
 fi
@@ -386,7 +386,7 @@
 APPLICATION_FIREWALL_ACTIVE=1
 Report "firewall_software[]=macosx-app-fw"
 Report "app_fw[]=macosx-app-fw"
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
 AddHP 1 3
 LogText "Result: application firewall of macOS is disabled"
@@ -407,7 +407,7 @@
 APPLICATION_FIREWALL_ACTIVE=1
 Report "app_fw[]=little-snitch"
 Report "firewall_software[]=little-snitch"
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
 AddHP 1 3
 LogText "Result: could not find Little Snitch"
@@ -418,7 +418,7 @@
 #
 # Test : FIRE-4536
 # Description : Check nftables kernel module
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
@@ -428,7 +428,7 @@
 FIREWALL_ACTIVE=1
 NFTABLES_ACTIVE=1
 Report "firewall_software[]=nftables"
- else
+ else
 LogText "Result: no nftables kernel module found"
 fi
 fi
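Review bot: In the FIRE-4536 hunk (@@ -418) the rewritten prerequisite `if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` only requires the nft binary, yet the detection two lines later runs `${LSMODBINARY}`; with LSMODBINARY empty the pipeline has no producer, FIND stays empty, and the following hunk (@@ -428) would log "no nftables kernel module found" instead of the test being skipped as a missing prerequisite. The guard should cover both tools, e.g. `if HasData "${NFTBINARY}" && HasData "${LSMODBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. Separately, `"^nf*_tables"` is a regex in which `f*` means zero or more f, so it matches `nf_tables` (and `n_tables`) but nothing with other characters between the prefix and `_tables`; if a wildcard was intended, `"^nf.*_tables"` would express it, and either way a short comment naming the module(s) the pattern is meant to catch would help. The if block that reads FIND continues past the end of the hunk.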
@@ -437,7 +437,7 @@
 #
 # Test : FIRE-4538
 # Description : Check nftables configuration
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Retrieve nft version
@@ -450,7 +450,7 @@
 #
 # Test : FIRE-4540
 # Description : Check nftables configuration
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
@@ -458,19 +458,13 @@
 if [ ${NFT_RULES_LENGTH} -le 16 ]; then
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
- else
+ else
 LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
 fi
 fi
 #
 #################################################################################
 #
- # Ideas:
- # Suggestion to disable iptables if nftables is enabled
- # Check for specific features in nftables releases
-#
-#################################################################################
-#
 # Test : FIRE-4586
 # Description : Check firewall logging
 if [ ${FIREWALL_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
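Review bot: The threshold in `if [ ${NFT_RULES_LENGTH} -le 16 ]; then` of the FIRE-4540 hunk (@@ -458) is an undocumented magic number: the log line says "16 rules or less", while the variable name leaves open whether the value is a rule count or a line count of the nft output, and nothing explains why 16 marks an empty ruleset. A comment above the test such as `# Heuristic: a ruleset of 16 entries or fewer is treated as empty (TODO: document how 16 was derived and what NFT_RULES_LENGTH counts)` would help, and naming the constant (for example NFT_EMPTY_RULESET_THRESHOLD) would keep the comparison and the two messages in sync. `${NFT_RULES_LENGTH}` is also unquoted inside `[ ]`, so if it were ever empty the comparison would fail with a test-syntax error rather than take a defined branch. NFT_RULES_LENGTH is assigned before this hunk and the enclosing if block starts there too, so I cannot see from here what it actually counts.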
@@ -501,7 +495,7 @@
 # YYY Solaris ipf (determine default policy)
 Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
 AddHP 5 5
- else
+ else
 Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
 LogText "Result: no host based firewall/packet filter found or configured"
 ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
@@ -521,5 +515,11 @@
 Report "firewall_software=${FIREWALL_SOFTWARE}"
 WaitForKeyPress
 #
+#################################################################################
+#
+ # TODO
+ # Suggestion to disable iptables if nftables is enabled
+ # Check for specific features in nftables releases
+#
 #================================================================================
 # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com |