diff options
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 54 |
1 files changed, 27 insertions, 27 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls index 4fe18533..27883c91 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -51,7 +51,7 @@ for I in ${FIND}; do LogText "Found module: ${I}" done - else + else Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE # If we can't find an active module, try to find the Linux configuration file and check that @@ -75,16 +75,16 @@ # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # active list. if [ "${HAVEMOD}" = "y" ]; then - LogText "Result: iptables available as a module in the configuration" - IPTABLES_ACTIVE=1 - IPTABLES_INKERNEL_ACTIVE=1 - FIREWALL_ACTIVE=1 - FIREWALL_SOFTWARE="iptables" - Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN - else + LogText "Result: iptables available as a module in the configuration" + IPTABLES_ACTIVE=1 + IPTABLES_INKERNEL_ACTIVE=1 + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="iptables" + Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN + else LogText "Result: no iptables found in Linux kernel config file" fi - else + else LogText "Result: no Linux configuration file found" Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -157,7 +157,7 @@ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active" - else + else LogText "Result: one or more rules are available (${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN fi @@ -175,7 +175,7 @@ if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN LogText "Result: There are no unused rules present" - else + else Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW LogText "Result: Found one or more possible unused rules" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" @@ -209,7 +209,7 @@ LogText "Result: pf is enabled" PFFOUND=1 AddHP 3 3 - else + else Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW ReportException ${TEST_NO} "Unknown status of pf firewall" fi @@ -223,7 +223,7 @@ FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko') if [ -z "${FIND}" ]; then LogText "Result: Can not find pf KLD" - else + else LogText "Result: pf KLD loaded" PFFOUND=1 fi @@ -237,7 +237,7 @@ Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN PFFOUND=1 PFLOGDFOUND=1 - else + else LogText "Result: pflog daemon not found in process list" fi fi @@ -246,7 +246,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="pf" Report "firewall_software[]=pf" - else + else LogText "Result: pf not running on this system" fi fi @@ -267,12 +267,12 @@ if [ -z "${PFWARNINGS}" ]; then Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: no pf filter warnings found" - else + else Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: found one or more warnings in the pf filter rules" ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" fi - else + else LogText "Result: /etc/pf.conf does NOT exist" fi fi @@ -296,7 +296,7 @@ FIREWALL_SOFTWARE="csf" Report "firewall_software[]=csf" Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: ${FILE} does NOT exist" fi fi @@ -315,7 +315,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipf" Report "firewall_software[]=ipf" - else + else Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW LogText "Result: ipf is not running" fi @@ -340,15 +340,15 @@ if [ "${IPFW_ENABLED}" = "ipfw" ]; then Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN LogText "Result: IPFW is enabled at start-up for IPv4" - else + else Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW LogText "Result: IPFW is disabled at start-up for IPv4" fi - else + else if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi LogText "Result: IPFW is not running for IPv4" fi - else + else ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" fi fi @@ -369,7 +369,7 @@ APPLICATION_FIREWALL_ACTIVE=1 Report "firewall_software[]=macosx-app-fw" Report "app_fw[]=macosx-app-fw" - else + else if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi AddHP 1 3 LogText "Result: application firewall of macOS is disabled" @@ -390,7 +390,7 @@ APPLICATION_FIREWALL_ACTIVE=1 Report "app_fw[]=little-snitch" Report "firewall_software[]=little-snitch" - else + else if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi AddHP 1 3 LogText "Result: could not find Little Snitch" @@ -411,7 +411,7 @@ FIREWALL_ACTIVE=1 NFTABLES_ACTIVE=1 Report "firewall_software[]=nftables" - else + else LogText "Result: no nftables kernel module found" fi fi @@ -441,7 +441,7 @@ if [ ${NFT_RULES_LENGTH} -le 16 ]; then FIREWALL_EMPTY_RULESET=1 LogText "Result: this firewall set has 16 rules or less and is considered to be empty" - else + else LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration" fi fi @@ -484,7 +484,7 @@ # YYY Solaris ipf (determine default policy) Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic" AddHP 5 5 - else + else Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW LogText "Result: no host based firewall/packet filter found or configured" ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic" |