mirror of https://github.com/inspec/inspec
synced 2025-01-07 02:39:10 +00:00
---
title: About the windows_firewall_rule Resource
platform: windows
---

# windows_firewall_rule

Use the `windows_firewall_rule` Chef InSpec audit resource to test if a firewall rule is correctly configured on a Windows system.

<br>

## Availability

### Installation

This resource is distributed along with Chef InSpec itself. You can use it automatically.

## Syntax

A `windows_firewall_rule` resource block specifies which rule to validate:

```ruby
describe windows_firewall_rule('name') do
  it { should be_enabled }
end
```
where

* `('name')` must specify the name of a firewall rule, which is not the firewall rule's display name
* `be_enabled` is a valid matcher for this resource

<br>
## Examples

The following example shows how to use this Chef InSpec audit resource.

### Test if the firewall contains a rule for outbound HTTPS

```ruby
describe windows_firewall_rule('HTTPS Out') do
  it { should be_enabled }
  it { should be_allowed }
  it { should be_outbound }
  it { should be_tcp }

  its('remote_port') { should eq 443 }
end
```

<br>
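Because the resource takes a rule's internal name rather than its display name, it helps to resolve that name on the target host before writing the control. The following PowerShell function is an added example, not part of the InSpec documentation or the inspec project: the hypothetical `Get-InSpecFirewallRuleTest` looks a rule up by display name with the NetSecurity cmdlets, checks that exactly one rule matches, and prints a `describe` block that pins the rule's current state, direction, action, protocol, remote port and remote address as a baseline using the matchers and properties documented on this page. It assumes a rule with the display name `HTTPS Out` exists on the host.

```powershell
# Added example, not from the InSpec docs: windows_firewall_rule('name') takes
# the rule's Name, not its DisplayName, so resolve the Name first and build a
# describe block from the rule's live settings. Hypothetical helper; needs the
# NetSecurity module (Windows 8 / Server 2012 and later).
function Get-InSpecFirewallRuleTest {
    param([Parameter(Mandatory)] [string] $DisplayName)

    # -ErrorAction Stop turns "no such rule" into a terminating error
    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop)
    if ($rules.Count -ne 1) {
        throw "Expected one rule with DisplayName '$DisplayName', found $($rules.Count); use -Name to disambiguate."
    }
    $rule = $rules[0]
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    # Map rule attributes onto the resource's matchers
    $lines = @("describe windows_firewall_rule('$($rule.Name)') do", "  it { should exist }")
    if ($rule.Enabled -eq 'True') { $lines += "  it { should be_enabled }" }
    if ($rule.Action -eq 'Allow') { $lines += "  it { should be_allowed }" }
    $lines += "  it { should be_$($rule.Direction.ToString().ToLower()) }"
    switch ($port.Protocol) {
        'TCP'    { $lines += "  it { should be_tcp }" }
        'UDP'    { $lines += "  it { should be_udp }" }
        'ICMPv4' { $lines += "  it { should be_icmpv4 }" }
        'ICMPv6' { $lines += "  it { should be_icmpv6 }" }
    }

    # Port and address filters may hold several values or ranges; only a single
    # concrete value is pinned automatically, anything else is left to the author
    $remotePorts = @($port.RemotePort)
    if ($remotePorts.Count -eq 1 -and $remotePorts[0] -match '^\d+$') {
        $lines += "  its('remote_port') { should eq $($remotePorts[0]) }"
    }
    $remoteAddrs = @($addr.RemoteAddress)
    if ($remoteAddrs.Count -eq 1 -and $remoteAddrs[0] -ne 'Any') {
        $lines += "  its('remote_address') { should cmp '$($remoteAddrs[0])' }"
    }
    $lines += "end"
    return ($lines -join [Environment]::NewLine)
}

# Prints a describe block for the rule shown in the example above
Get-InSpecFirewallRuleTest -DisplayName 'HTTPS Out'
```

Review the generated block before committing it to a profile: it records what the host has now, which is a starting point for a baseline, not a statement of what the policy should be.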
## Properties

The resource compiles the following list of firewall rule properties:

* `description`
* `displayname`
* `group`
* `local_address`
* `local_port`
* `remote_address`
* `remote_port`
* `direction`
* `protocol`
* `icmp_type`
* `action`
* `profile`
* `program`
* `service`
* `interface_type`

Each of these properties can be used in two distinct ways:

```ruby
its('remote_address') { should cmp '192.0.2.42' }
```

or via matcher:

```ruby
it { should have_remote_address '192.0.2.42' }
```
## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### exist

The `exist` matcher tests if the rule exists:

```ruby
it { should exist }
```
### be_enabled

The `be_enabled` matcher tests if the rule is enabled:

```ruby
it { should be_enabled }
```

### be_allowed

The `be_allowed` matcher tests if the rule is allowing traffic:

```ruby
it { should be_allowed }
```

### be_inbound

The `be_inbound` matcher tests if the rule is an inbound rule:

```ruby
it { should be_inbound }
```

### be_outbound

The `be_outbound` matcher tests if the rule is an outbound rule:

```ruby
it { should be_outbound }
```

### be_tcp

The `be_tcp` matcher tests if the rule is for the TCP protocol:

```ruby
it { should be_tcp }
```
### be_udp

The `be_udp` matcher tests if the rule is for the UDP protocol:

```ruby
it { should be_udp }
```
### be_icmp

The `be_icmp` matcher tests if the rule is for any ICMP protocol:

```ruby
it { should be_icmp }
```

### be_icmpv4

The `be_icmpv4` matcher tests if the rule is for the ICMPv4 protocol:

```ruby
it { should be_icmpv4 }
```

### be_icmpv6

The `be_icmpv6` matcher tests if the rule is for the ICMPv6 protocol:

```ruby
it { should be_icmpv6 }
```