From fa8bad20db100d95cf089b0b2d897c339327215c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 16 Jul 2019 13:20:30 +0200
Subject: Use -n instead of ! -z
---
 include/tests_firewalls | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
(limited to 'include/tests_firewalls')
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 735059fe..99a9bc2a 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -41,7 +41,7 @@
 Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
- if [ ! -z "${FIND}" ]; then
+ if [ -n "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 IPTABLES_ACTIVE=1
 IPTABLES_MODULE_ACTIVE=1
@@ -73,11 +73,11 @@
 # If we have a kernel configuration file, use it for testing
 # Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
 # tests, when using iptables --list
- if [ ! -z "${LINUXCONFIGFILE}" ]; then
+ if [ -n "${LINUXCONFIGFILE}" ]; then
 if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
 LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
 FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
- if [ ! -z "${FIND}" ]; then
+ if [ -n "${FIND}" ]; then
 HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
 # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
 # active list.
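Review bot: The module match `${GREPBINARY} "^ip*_tables"` directly above the changed test in the FIRE-4502 hunk is a regular expression, not a glob, so `p*` means "zero or more p": it matches `ip_tables` but not `ip6_tables`, and the rewritten `-n "${FIND}"` test inherits that blind spot. If the IPv6 table module is meant to count as well, `${GREPBINARY} -E "^ip6?_tables$"` states that explicitly. The `"^nf*_tables"` pattern in the FIRE-4536 hunk has the same glob-style shape, although it does match `nf_tables`. A host that loads only the IPv6 module would presumably be reported without an active iptables firewall here; the enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues outside the hunk, so that should be confirmed against the rest of the test.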
@@ -151,11 +151,11 @@
 #
 # Test : FIRE-4512
 # Description : Check iptables for empty ruleset (should have at least 5 or more rules)
- if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
- if [ ! -z "${FIND}" ]; then
+ if [ -n "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 if [ ${FIND} -le 5 ]; then
 # Firewall is active, but needs configuration
@@ -174,7 +174,7 @@
 #
 # Test : FIRE-4513
 # Description : Check iptables for unused rules
- if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
@@ -212,7 +212,7 @@
 # Check status with pfctl
 LogText "Test: checking pf status via pfctl"
- if [ ! -z "${PFCTLBINARY}" ]; then
+ if [ -n "${PFCTLBINARY}" ]; then
 FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
 if [ "${FIND}" = "Disabled" ]; then
 if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
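Review bot: In the FIRE-4512 hunk the rewritten `if [ -n "${FIND}" ]` can never be false, because `FIND` is the output of `${WCBINARY} -l`, which prints a count even when its input is empty. With stderr sent to /dev/null, a failing `${IPTABLESBINARY} --list` therefore still produces `0`, sets `FIREWALL_ACTIVE=1` and falls into the `-le 5` branch as an active firewall that merely needs configuration. Testing the command's exit status before counting, for example `if RULES=$(${IPTABLESBINARY} --list --numeric 2> /dev/null); then` and deriving the count from `RULES`, would separate "could not read the ruleset" from "ruleset is small". The block continues past the end of the hunk, so any else branch is not visible here.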
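Review bot: The prerequisite line `[ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]` in the FIRE-4513 hunk still joins its tests with `-a` and leaves `${IPTABLES_ACTIVE}` unquoted, as does the identical line in the FIRE-4512 hunk. POSIX marks `-a`/`-o` as obsolescent because the combined expression can be parsed ambiguously, and an empty value changes the number of arguments `[` receives. Since the commit already rewrites these lines, `if [ -n "${IPTABLESBINARY}" ] && [ "${IPTABLES_ACTIVE}" -eq 1 ]; then` would be the sturdier form. The context line `[ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]` in the hunk at line 73 has the same shape.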
@@ -233,7 +233,7 @@
 if [ ${PFFOUND} -eq 0 ]; then
 # Check for pf kernel module (FreeBSD and similar)
 LogText "Test: searching for pf kernel module"
- if [ ! -z "${KLDSTATBINARY}" ]; then
+ if [ -n "${KLDSTATBINARY}" ]; then
 FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
 if [ -z "${FIND}" ]; then
 LogText "Result: Can not find pf KLD"
@@ -353,7 +353,7 @@
 # Description : Check IPFW (FreeBSD)
 Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
 if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! -z "${SYSCTLBINARY}" ]; then
+ if [ -n "${SYSCTLBINARY}" ]; then
 # For now, only check for IPv4.
 FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
 if [ "${FIND}" = "1" ]; then
@@ -386,7 +386,7 @@
 Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
- if [ ! -z "${FIND}" ]; then
+ if [ -n "${FIND}" ]; then
 Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
 AddHP 3 3
 LogText "Result: application firewall of macOS is enabled"
@@ -478,7 +478,7 @@
 Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
- if [ ! -z "${FIND}" ]; then
+ if [ -n "${FIND}" ]; then
 LogText "Result: found nftables kernel module"
 FIREWALL_ACTIVE=1
 NFTABLES_ACTIVE=1
@@ -526,7 +526,7 @@
 Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
- if [ ! -z "${IPTABLESSAVEBINARY}" ]; then
+ if [ -n "${IPTABLESSAVEBINARY}" ]; then
 HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
 if [ -z "${HAS_LOGGING}" ]; then
 Report "firewall_no_logging[]=iptables"
@@ -563,7 +563,7 @@
 # Test : FIRE-4594
 # Description : Check for APF (Advanced Policy Firewall)
 Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
- if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 if [ ${SKIPTEST} -eq 0 ]; then
 FILE="/etc/apf/conf.apf"
 LogText "Test: check ${FILE}"
-- cgit v1.2.3
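Review bot: The logging check behind the rewritten `-n "${IPTABLESSAVEBINARY}"` guard in the FIRE-4586 hunk only greps for `"\-j LOG"`, so rules that log through other targets such as NFLOG do not match and the host is reported as `firewall_no_logging[]=iptables`. If those targets should count as logging, `${GREPBINARY} -E -- "-j (LOG|NFLOG|ULOG)"` would cover them; otherwise a comment such as `# only the LOG target is treated as logging` makes the limitation explicit. Empty output from a failing `${IPTABLESSAVEBINARY}` is also indistinguishable from "no LOG rules" at this point. The rest of the test lies outside the hunk.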
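Review bot: In the FIRE-4594 hunk `PREQS_MET` is computed on the changed line only after `Register` has already run, and that `Register` call carries no `--preqs-met` argument, so the iptables prerequisite has no visible effect on whether this test is skipped. The other tests in this patch set `PREQS_MET` first and pass it along, as FIRE-4512 does with `--preqs-met ${PREQS_MET}`. Moving the changed line above `Register` and adding `--preqs-met ${PREQS_MET}` to that call would make the check effective; if APF detection is meant to run without iptables, the line can simply be dropped. The test body continues outside the hunk.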