
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r--include/tests_firewalls26
1 files changed, 13 insertions, 13 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index c6fd5d0d..59cdcd84 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -38,7 +38,7 @@
#
# Test : FIRE-4502
# Description : Check iptables kernel module
- Register --test-no FIRE-4502 --os Linux --weight L --network NO --description "Check iptables kernel module"
+ Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^ip*_tables"`
if [ ! "${FIND}" = "" ]; then
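Review bot: The pattern in `grep "^ip*_tables"` is written like a glob but is read as a regular expression, so `p*` means "zero or more p" and the line matches `ip_tables` but not `ip6_tables`. If a host that only loads the IPv6 module should count as having iptables present, `grep -E "^ip6?_tables"` states that directly; if not, `grep "^ip_tables"` says what is actually matched. The FIRE-4536 hunk has the same shape in `grep "^nf*_tables"`. The test body continues past the end of this hunk.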
@@ -100,7 +100,7 @@
# Description : Check iptables chain policies
# Notes : Suggestions are currently disabled, until related page and documentation is available
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
+ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
TABLES="filter"
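Review bot: The prerequisite line above the changed Register call joins two conditions with `-a` inside one `[ ]` and leaves `${IPTABLES_ACTIVE}` unquoted, so an empty or unset IPTABLES_ACTIVE makes the test a syntax error instead of a clean false. The result still lands in the else branch, but with an error on stderr. `if [ -n "${IPTABLESBINARY}" ] && [ "${IPTABLES_ACTIVE:-0}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` avoids that and drops the obsolescent `-a`. The same line is repeated ahead of FIRE-4512 and FIRE-4513; where IPTABLES_ACTIVE is initialised is not visible in this diff.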
@@ -146,7 +146,7 @@
# Test : FIRE-4512
# Description : Check iptables for empty ruleset (should have at least 10 or more rules)
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset"
+ Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
if [ ! "${FIND}" = "" ]; then
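Review bot: In FIRE-4512 the guard `[ ! "${FIND}" = "" ]` is always true, because `wc -l` prints a number even when it reads nothing. Combined with `2> /dev/null`, a failing iptables call is counted as a ruleset of 0 rules, so the audit cannot tell "no rules loaded" from "rules could not be read". Checking the exit status before counting would separate the two, for example `if ! ${IPTABLESBINARY} --list --numeric > /dev/null 2>&1; then LogText "Result: could not list iptables rules"; fi`. `egrep` is also deprecated in favour of `grep -E`. The rest of the test lies outside the hunk.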
@@ -169,7 +169,7 @@
# Test : FIRE-4513
# Description : Check iptables for unused rules
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for unused rules"
+ Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
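Review bot: The awk filter in FIRE-4513 prints only `$1`, the rule number, and `--line-numbers` restarts numbering in every chain, so the collected list cannot be mapped back to a specific rule. Tracking the chain header would keep that information, e.g. `awk '$1=="Chain" { c=$2 } $2=="0" { print c ":" $1 }'`, provided the code after this hunk (not visible) does not depend on bare numbers. An iptables call that fails also leaves FIND empty and takes the `[ "${FIND}" = "" ]` branch, which presumably reports that no unused rules exist.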
@@ -191,7 +191,7 @@
#
# Test : FIRE-4518
# Description : Checking status of pf firewall components
- Register --test-no FIRE-4518 --weight L --network NO --description "Check pf firewall components"
+ Register --test-no FIRE-4518 --weight L --network NO --category security --description "Check pf firewall components"
if [ ${SKIPTEST} -eq 0 ]; then
PFFOUND=0; PFLOGDFOUND=0
@@ -258,7 +258,7 @@
# Test : FIRE-4520
# Description : Check pf configuration consistency
if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
+ Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check /etc/pf.conf"
# Test for warnings (-n don't load the rules)
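Review bot: The prerequisite `if [ ${PFFOUND} -eq 1 ]` depends on a variable that, in this diff, is only assigned inside FIRE-4518's `if [ ${SKIPTEST} -eq 0 ]` block (`PFFOUND=0; PFLOGDFOUND=0`). If FIRE-4518 is skipped and PFFOUND is not initialised elsewhere, the unquoted expansion makes the test a syntax error on stderr rather than a clean "NO". `if [ "${PFFOUND:-0}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` makes the prerequisite independent of whether the earlier test ran.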
@@ -289,7 +289,7 @@
#
# Test : FIRE-4524
# Description : Check for CSF (ConfigServer Security & Firewall)
- Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
+ Register --test-no FIRE-4524 --weight L --network NO --category security --description "Check for CSF presence"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/csf/csf.conf"
LogText "Test: check ${FILE}"
@@ -309,7 +309,7 @@
# Test : FIRE-4526
# Description : Check ipf (Solaris)
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check ipf status"
+ Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
@@ -328,7 +328,7 @@
#
# Test : FIRE-4530
# Description : Check IPFW (FreeBSD)
- Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status"
+ Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then
# For now, only check for IPv4.
@@ -362,7 +362,7 @@
# Test : FIRE-4532
# Description : Check Application Firewall in Mac OS X
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --description "Check Mac OS X application firewall"
+ Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
if [ ! "${FIND}" = "" ]; then
@@ -383,7 +383,7 @@
# Test : FIRE-4536
# Description : Check nftables kernel module
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables status"
+ Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^nf*_tables"`
if [ ! "${FIND}" = "" ]; then
@@ -398,7 +398,7 @@
# Test : FIRE-4538
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables basic configuration"
+ Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Retrieve nft version
NFT_VERSION=`${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | tr -d 'v'`
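Review bot: This is the only pipeline in the diff that calls awk through `${AWKBINARY}`. FIRE-4502, FIRE-4513, FIRE-4526 and FIRE-4536 call bare `awk`, and `grep`, `tr`, `wc` and `xargs` are resolved through PATH throughout. Several of these tests are registered with `--root-only YES`, so using the binary variables consistently would keep audit results independent of the invoking user's PATH, assuming `${AWKBINARY}` holds a path located at startup (not shown here). In FIRE-4536, for instance, the middle stage would become `${AWKBINARY} '{ print $1 }'`.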
@@ -419,7 +419,7 @@
#
# Test : FIRE-4590
# Description : Check if at least one firewall if active
- Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
+ Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
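Review bot: The header comment for FIRE-4590 has a typo and should read `# Description : Check if at least one firewall is active`. Since the Register line below it is being edited anyway, the fix could go in the same commit. `${FIREWALL_ACTIVE}` is also unquoted in the `-eq` test, so an unset value gives a test error instead of a clean false; `[ "${FIREWALL_ACTIVE:-0}" -eq 1 ]` would avoid that. The test body continues beyond this hunk.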