
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2016-08-25 16:31:33 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2016-08-25 16:31:33 +0300
commit679e8c628e2a42df13bec79da256b1bf7b68d6b3 (patch)
treed58b1567c5e9e0f28e1accf9421eb0bf786a1c48 /include/tests_firewalls
parenta6b04a3ace0385bb0c912cbbf48a14d59be7f88a (diff)
Use detected binaries
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r--include/tests_firewalls32
1 files changed, 16 insertions, 16 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index a7420852..50f9431d 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -40,7 +40,7 @@
# Description : Check iptables kernel module
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^ip*_tables"`
+ FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
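Review bot: The pattern `"^ip*_tables"` on the changed line reads like a shell glob, but grep treats `p*` as "zero or more p", so it matches `ip_tables` and `i_tables` and never `ip6_tables`. If IPv6 was meant to be covered, `"^ip6*_tables"` says so; if not, a plain `"^ip_tables"` is clearer. The nftables check in the last hunk has the same form (`"^nf*_tables"` could be `"^nf_tables"`), and the kldstat check's `'pf.ko'` is similarly loose, with an unescaped dot and no anchor. The test body continues outside the hunk.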
@@ -69,7 +69,7 @@
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
- FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
+ FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
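Review bot: The changed pipeline still ends in a bare `head -n 1`, and the following context line uses bare `cut`, so these are still resolved through PATH while grep no longer is. The same is true of `wc`/`tr` in FIRE-4512 and `xargs` in FIRE-4513, both registered `--root-only YES`, which is where the choice of binary matters most. If the project's binary detection provides variables for these tools, use them here as well; otherwise add a short comment saying why they are left as PATH lookups. `${LINUXCONFIGFILE}` is also unquoted in the `-f` test and in the cat call, which would break on a path containing whitespace.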
@@ -106,13 +106,13 @@
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
- FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | egrep -z -o -w '[A-Z]+' | awk -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
+ FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
done
echo "${FIND}" | while read line; do
- table=`echo ${line} | awk '{ print $1 }'`
- chainname=`echo ${line} | awk '{ print $2 }'`
- policy=`echo ${line} | awk '{ print $3 }'`
+ table=`echo ${line} | ${AWKBINARY} '{ print $1 }'`
+ chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'`
+ policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'`
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}"
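Review bot: The loop input `echo "${FIND}"` depends on echo expanding the literal `\n` appended to FIND, and `read` without `-r` strips backslashes on its own. On a shell whose echo does not interpret escapes, the first record would likely arrive as `nfilter ...` and the table name would be logged wrongly. `printf '%b\n' "${FIND}" | while read -r line; do` makes the expansion explicit and portable. The three `${AWKBINARY}` calls per line could then become a single `read -r table chainname policy rest`, which avoids three forks per chain. The loop body continues outside the hunk.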
@@ -148,7 +148,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
+ FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | tr -d ' '`
if [ ! "${FIND}" = "" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
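Review bot: A failing `${IPTABLESBINARY}` call cannot be told apart from an empty ruleset on the changed line. Its stderr is discarded and `wc -l` then prints 0, so `[ ! "${FIND}" = "" ]` is always true and the `-le 10` branch is taken; what that branch reports is outside the hunk. FIRE-4513 in the next hunk has the mirror problem: an empty FIND from a failed call falls into the `STATUS_OK` branch. Suggest running the iptables call once into a variable, checking its exit status, and skipping or logging the test as not performed when it is non-zero, before counting lines.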
@@ -171,7 +171,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
+ FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
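Review bot: The awk filter on the changed line prints only the rule number (`$1`), and `--list --line-numbers` restarts numbering in every chain, so the collected numbers cannot be mapped back to a specific rule. Carrying the chain name along would make the finding actionable: `${AWKBINARY} '/^Chain/ { c=$2 } $2=="0" { print c ":" $1 }'`. How FIND is consumed afterwards is outside the hunk, so any code that expects bare numbers would need the same adjustment.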
@@ -199,7 +199,7 @@
# Check status with pfctl
LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
- FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
+ FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled"
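Review bot: The `grep | head -1 | awk` chain on the changed line can be a single awk call, which also removes the bare `head -1` (the obsolete option form; the kernel-config check uses `head -n 1`). Suggested pipeline: `${PFCTLBINARY} -sa 2>&1 | ${AWKBINARY} '/^Status/ { print $2; exit }'`. The ipf status check (`"^Running"`) has the same shape and could be reduced the same way.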
@@ -222,7 +222,7 @@
# Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
- FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
+ FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'`
if [ "${FIND}" = "" ]; then
LogText "Result: Can not find pf KLD"
else
@@ -265,7 +265,7 @@
if [ -f /etc/pf.conf ]; then
LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
- PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
+ PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
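Review bot: The changed line still invokes bare `pfctl`, although the pf status check earlier in this file already uses `${PFCTLBINARY}`; it should read `${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning'`. The check also fails open: if pfctl cannot be run, the error text contains no "warning", PFWARNINGS stays empty and the `STATUS_OK` branch reports a consistent configuration. Whether this block is guarded by a non-empty `${PFCTLBINARY}` is outside the hunk; if it is not, add that guard.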
@@ -311,7 +311,7 @@
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
+ FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running"
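Review bot: The prerequisite for this test checks only `${IPFBINARY}`, but the changed line now also needs `${GREPBINARY}` and `${AWKBINARY}` to be non-empty. Because the expansions are unquoted, an empty value makes the shell try to run the next word (here `"^Running"`) as the command, and FIND silently ends up empty. This applies to every call replaced in this commit, and whether binary detection guarantees these variables is not visible here. Either state that guarantee in a comment near the top of the file, or use a fallback such as `${GREPBINARY:-grep}`, so that a detection miss does not turn into a wrong firewall result.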
@@ -332,14 +332,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then
# For now, only check for IPv4.
- FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
+ FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw"
- IPFW_ENABLED=`service -e | grep -o ipfw`
+ IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
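Review bot: `${GREPBINARY} -o ipfw` prints one `ipfw` per matching line, so if `service -e` lists more than one script containing that string, IPFW_ENABLED holds several lines and the `= "ipfw"` comparison fails even though ipfw is enabled. This assumes `service -e` prints one script path per line; confirm on the target system. Testing the exit status avoids the string comparison: `if service -e | ${GREPBINARY} -q '/ipfw$'; then`. `service` itself is still called bare on this line, unlike the other tools touched by the commit.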
@@ -364,7 +364,7 @@
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
+ FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
@@ -385,7 +385,7 @@
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^nf*_tables"`
+ FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_SOFTWARE="nftables"
NFTABLES_ACTIVE=1