author | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-10 17:12:44 +0300 |
committer | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-10 17:12:44 +0300 |
commit | 903016df362e39444d314a81dd4a0ebc61b67da0 (patch) | |
tree | e922e2e0039428dec461bfea52ff8e503720370a /include/tests_firewalls | |
parent | 2534fb99a9dbc869fd90f0967c6917191b306b69 (diff) |
Code cleanups and generic enhancements
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 83 |
1 files changed, 41 insertions, 42 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 76aff719..cf1e48f2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -40,8 +40,8 @@
 # Description : Check iptables kernel module
 Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
+ if [ ! -z "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="iptables"
 IPTABLES_ACTIVE=1
@@ -51,14 +51,14 @@
 for I in ${FIND}; do
 LogText "Found module: ${I}"
 done
- else
+ else
 Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
 # If we can't find an active module, try to find the Linux configuration file and check that
 if [ -f /proc/config.gz ]; then LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat"; fi
- sLINUXCONFIGFILE="/boot/config-`uname -r`"
+ sLINUXCONFIGFILE="/boot/config-$(uname -r)"
 if [ -f ${sLINUXCONFIGFILE} ]; then LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat"; fi
@@ -69,9 +69,9 @@
 if [ ! "${LINUXCONFIGFILE}" = "" ]; then
 if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
 LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
- FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1`
- if [ ! "${FIND}" = "" ]; then
- HAVEMOD=`echo ${FIND} | ${CUTBINARY} -d '=' -f2`
+ FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
+ if [ ! -z "${FIND}" ]; then
+ HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
 # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
 # active list.
 if [ "${HAVEMOD}" = "y" ]; then
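Review bot: The module match `${GREPBINARY} "^ip*_tables"` on the rewritten FIND line of FIRE-4502 only ever matches `ip_tables`: in a basic regex `p*` repeats the `p`, it is not a glob, so a host that has only `ip6_tables` loaded lands in the not-found branch and falls through to the kernel-config check. If IPv6-only filtering is meant to count as an active firewall, `${GREPBINARY} "^ip6*_tables"` matches both module names with no other change; if the test is deliberately IPv4-only (the later FIRE-4512/4513 checks do query `${IPTABLESBINARY}` only), a comment such as `# IPv4 only: ip6_tables is intentionally not matched here` above the line would stop the next reader from taking the `*` for a wildcard. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues past the end of this hunk.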
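Review bot: The rewritten FIND line in the kernel-config fallback still calls a bare `head -n 1`, while the pfctl hunk of this same commit replaces `head -1` with `${HEADBINARY} -1`; for consistency with the rest of the cleanup it should read `| ${HEADBINARY} -n 1)`. The `${GREPBINARY} "CONFIG_IP_NF_IPTABLES"` match is also unanchored, so `head` would return whichever option containing that string appears first should another one ever exist; anchoring it as `${GREPBINARY} "^CONFIG_IP_NF_IPTABLES="` makes HAVEMOD read the intended `y`/`m` value. The if-block around these lines starts before and ends after this hunk.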
@@ -81,10 +81,10 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="iptables"
 Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: no iptables found in Linux kernel config file"
 fi
- else
+ else
 LogText "Result: no Linux configuration file found"
 Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
 fi
@@ -110,9 +110,9 @@
 done
 echo "${FIND}" | while read line; do
- table=`echo ${line} | ${AWKBINARY} '{ print $1 }'`
- chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'`
- policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'`
+ table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
+ chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
+ policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
 LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
 LogText "Result: ${policy}"
@@ -148,8 +148,8 @@
 if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | ${TRBINARY} -d ' '`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
+ if [ ! -z "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 if [ ${FIND} -le 10 ]; then
 # Firewall is active, but clearly needs configuration
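Review bot: In FIRE-4512 the new `if [ ! -z "${FIND}" ]` can never take its else branch: `${WCBINARY} -l` always prints a number, so when `${IPTABLESBINARY} --list` fails (its stderr is already discarded by `2> /dev/null`, e.g. no NET_ADMIN in a container) FIND is `0`, not empty, and the test still sets FIREWALL_ACTIVE=1 and then warns about an empty ruleset on a host it could not even query. Gate the count on the command's own status instead, e.g. `FIND=""` followed by `if ${IPTABLESBINARY} --list --numeric > /dev/null 2>&1; then FIND=$(...same pipeline...); fi`, so the existing empty check becomes meaningful. Note also that the PREQS_MET line at the top of this hunk keeps the `! "${IPTABLESBINARY}" = ""` form that the FIRE-4513 hunk converts to `! -z`. The if-block around these lines ends outside the hunk.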
@@ -157,7 +157,7 @@
 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
 ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
- else
+ else
 LogText "Result: one or more rules are available (${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
 fi
@@ -168,20 +168,19 @@
 #
 # Test : FIRE-4513
 # Description : Check iptables for unused rules
- if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
+ if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
 LogText "Result: There are no unused rules present"
- else
+ else
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
 LogText "Result: Found one or more possible unused rules"
 LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
 LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
 LogText "Output: iptables rule numbers: ${FIND}"
- #ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
 ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
 LogText "Tip: iptables --list --numeric --line-numbers --verbose"
 fi
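Review bot: The rewritten FIND line of FIRE-4513 prints only `$1`, the rule's line number, but `--line-numbers` restarts at 1 in every chain, so the logged "iptables rule numbers: 3 5 1" cannot tell the reader which rule in which chain is unused. Tracking the chain header in the same awk program fixes that without a second invocation: `${AWKBINARY} '/^Chain/ { chain=$2 } $1 ~ /^[0-9]+$/ && $2=="0" { print chain":"$1 }'`, which also stops any non-rule line whose second field happens to be `0` from being reported. Unlike FIRE-4512 this listing does not redirect stderr, so a failing `${IPTABLESBINARY}` prints into the tool's output; adding `2> /dev/null` keeps the two tests consistent.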
@@ -198,19 +197,19 @@
 # Check status with pfctl
 LogText "Test: checking pf status via pfctl"
- if [ ! "${PFCTLBINARY}" = "" ]; then
- FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'`
+ if [ ! -z "${PFCTLBINARY}" ]; then
+ FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
 if [ "${FIND}" = "Enabled" ]; then
 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
 LogText "Result: pf is enabled"
 PFFOUND=1
 AddHP 3 3
- else
+ else
 if [ "${FIND}" = "Disabled" ]; then
 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED
 LogText "Result: pf is disabled"
 AddHP 0 3
- else
+ else
 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
 ReportException ${TEST_NO} "Unknown status of pf firewall"
 fi
@@ -221,11 +220,11 @@
 if [ ${PFFOUND} -eq 0 ]; then
 # Check for pf kernel module (FreeBSD and similar)
 LogText "Test: searching for pf kernel module"
- if [ ! "${KLDSTATBINARY}" = "" ]; then
- FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'`
- if [ "${FIND}" = "" ]; then
+ if [ ! -z "${KLDSTATBINARY}" ]; then
+ FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
+ if [ -z "${FIND}" ]; then
 LogText "Result: Can not find pf KLD"
- else
+ else
 LogText "Result: pf KLD loaded"
 PFFOUND=1
 fi
@@ -239,7 +238,7 @@
 Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
 PFFOUND=1
 PFLOGDFOUND=1
- else
+ else
 LogText "Result: pflog daemon not found in process list"
 fi
 fi
@@ -248,7 +247,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="pf"
 Report "firewall_software[]=pf"
- else
+ else
 LogText "Result: pf not running on this system"
 fi
 fi
@@ -266,15 +265,15 @@
 LogText "Result: /etc/pf.conf exists"
 # Check results from pfctl
 PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning')
- if [ "${PFWARNINGS}" = "" ]; then
+ if [ -z "${PFWARNINGS}" ]; then
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
 LogText "Result: no pf filter warnings found"
- else
+ else
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found one or more warnings in the pf filter rules"
 ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
 fi
- else
+ else
 LogText "Result: /etc/pf.conf does NOT exist"
 fi
 fi
@@ -298,7 +297,7 @@
 FIREWALL_SOFTWARE="csf"
 Report "firewall_software[]=csf"
 Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: ${FILE} does NOT exist"
 fi
 fi
@@ -310,14 +309,14 @@
 if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'`
+ FIND=$(${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }')
 if [ "${FIND}" = "yes" ]; then
 Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
 LogText "Result: ipf is enabled and running"
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="ipf"
 Report "firewall_software[]=ipf"
- else
+ else
 Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
 LogText "Result: ipf is not running"
 fi
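Review bot: The pf consistency check in the first hunk passes only when `pfctl -n -f /etc/pf.conf -vvv` emits no line containing "warning", but a hard parse failure is typically reported as a `syntax error` line plus a non-zero exit and contains no "warning" at all, so a pf.conf that pfctl refuses to load is reported as `${STATUS_OK}` with "no pf filter warnings found". Widening the match to `${EGREPBINARY} -i 'warning|error'` on the PFWARNINGS line catches that case with a single-line change; checking pfctl's exit status before grepping would be more robust still, since `2>&1` already folds its error text into the pipeline. The file-existence if-block that wraps this code starts outside the hunk.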
@@ -329,9 +328,9 @@
 # Description : Check IPFW (FreeBSD)
 Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
 if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${SYSCTLBINARY}" = "" ]; then
+ if [ ! -z "${SYSCTLBINARY}" ]; then
 # For now, only check for IPv4.
- FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'`
+ FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }')
 if [ "${FIND}" = "1" ]; then
 Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
 LogText "Result: IPFW is running for IPv4"
@@ -363,14 +362,14 @@
 if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
+ if [ ! -z "${FIND}" ]; then
 Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
 AddHP 3 3
 LogText "Result: application firewall of Mac OS X is enabled"
 APPLICATION_FIREWALL_ACTIVE=1
 Report "app_fw[]=macosx-app-fw"
- else
+ else
 Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW
 AddHP 1 3
 LogText "Result: application firewall of Mac OS X is disabled"
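Review bot: The rewritten FIND line of FIRE-4530 leaves sysctl's stderr connected to the terminal, so on a FreeBSD host without the ipfw module loaded the "unknown oid" complaint prints straight into the audit output while FIND is empty and the test falls through silently; the other FIND lines in this commit (FIRE-4512, FIRE-4532) redirect it. `FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')` keeps the behaviour and the output clean. The else branch of the `"1"` comparison lies outside this hunk.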
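Review bot: The else branch of FIRE-4532 displays `- Checking IPFW` while the enabled branch two lines above it displays `- Checking Mac OS X: Application Firewall`, so a disabled application firewall is reported under the wrong test name in the screen output (the LogText on the next line has the right one). The Display call should read `Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW`. The `if [ ${SKIPTEST} -eq 0 ]` block continues past the end of this hunk.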
@@ -447,7 +446,7 @@
 # YYY Solaris ipf (determine default policy)
 Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
 AddHP 5 5
- else
+ else
 Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
 LogText "Result: no host based firewall/packet filter found or configured"
 ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic" |