From 3b66a22f39f2b45dcaba33f87ef56d99cd30f521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=28=E2=95=AF=C2=B0=E2=96=A1=C2=B0=EF=BC=89=E2=95=AF?= =?UTF-8?q?=EF=B8=B5=20u=E1=B4=89=C7=9DssnH=20=C9=90=C9=9F=C9=90=CA=87soW?=
Date: Mon, 10 Jul 2017 16:23:32 +0300
Subject: Firewall check updates (#414)
* Check if CSF is running
* Check for APF presence
---
 include/tests_firewalls | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
(limited to 'include/tests_firewalls')
diff --git a/include/tests_firewalls b/include/tests_firewalls
index aa5d5fe6..b4ea4f05 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -321,6 +321,13 @@
 else
 Display --indent 4 --text "- Check if CSF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
 fi
+
+ LogText "Test: check if CSF is running"
+ if [ ! -f /etc/csf/csf.disable ]; then
+ Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_OK}" --color GREEN
+ else
+ Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_WARNING}" --color RED
+ fi
 else
 LogText "Result: ${FILE} does NOT exist"
 fi
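Review bot: The new check reports CSF as running whenever `/etc/csf/csf.disable` is absent, which only shows that CSF has not been administratively disabled, not that its rules are actually loaded; the label would be more accurate as `- Check if CSF is not disabled`, or the check could additionally confirm that rules are present. Neither branch logs its outcome, unlike the surrounding `LogText "Result: ..."` lines, so the log gives no reason for a warning; adding `LogText "Result: /etc/csf/csf.disable exists, CSF is disabled"` in the else branch would close that gap. The enclosing `if` block starts outside the hunk.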
@@ -512,6 +519,42 @@
 fi
 #
 #################################################################################
+#
+ # Test : FIRE-4594
+ # Description : Check for APF (Advanced Policy Firewall)
+ Register --test-no FIRE-4592 --weight L --network NO --category security --description "Check for APF presence"
+ if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FILE="/etc/apf/conf.apf"
+ LogText "Test: check ${FILE}"
+ if [ -f ${FILE} ]; then
+ LogText "Result: ${FILE} exists"
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="apf"
+ Report "firewall_software[]=apf"
+ Display --indent 2 --text "- Checking APF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
+
+ LogText "Test: check if APF testing mode is disabled"
+ FIND=$(${GREPBINARY} -P "^DEVEL_MODE(\s|=)" ${FILE} | ${CUTBINARY} -d= -f2 | ${XARGSBINARY})
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_OK}" --color GREEN
+ else
+ Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
+ fi
+
+ LogText "Test: check if APF is running"
+ FIND=$(${IPTABLESBINARY} -L -n | ${GREPBINARY} -iom1 sanity | ${WCBINARY} -l)
+ if [ "${FIND}" = "1" ]; then
+ Display --indent 4 --text "- Check if APF is running" --result "${STATUS_OK}" --color GREEN
+ else
+ Display --indent 4 --text "- Check if APF is running" --result "${STATUS_WARNING}" --color RED
+ fi
+ else
+ LogText "Result: ${FILE} does NOT exist"
+ fi
+ fi
+#
+#################################################################################
 #
 # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
--
cgit v1.2.3
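Review bot: `PREQS_MET` is computed on the line after `Register` and is never passed to it, so the iptables prerequisite is not enforced and `${IPTABLESBINARY} -L -n` would run with an empty binary path on a host without iptables; compute it first and register with `--preqs-met ${PREQS_MET}`. `FIREWALL_ACTIVE=1` is set as soon as `/etc/apf/conf.apf` exists, before the running check, so a host where APF is installed but stopped would presumably still be reported as having an active firewall; setting it only in the branch where the rule check succeeds would avoid that false assurance. The header comment says `FIRE-4594` while the test registers as `FIRE-4592`, and one of the two should be corrected. The `sanity` grep over `iptables -L -n` output is a heuristic that matches any chain or rule text containing that word, which deserves a short comment explaining what it is expected to match.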