inspec/docs/resources/firewalld.md.erb

108 lines
3.1 KiB
Text
Raw Normal View History

firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
---
title: About the firewalld Resource
platform: linux
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
---
# firewalld
Use the `firewalld` InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
<br>
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
## Syntax
describe firewalld do
it { should be_running }
its('default_zone') { should eq 'public' }
it { should have_service_enabled_in_zone('ssh', 'public') }
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
end
Use the where clause to test open interfaces, sources, and services in active zones.
describe firewalld.where { zone == 'public' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] }
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
its('services') { should cmp ['ssh', 'icmp'] }
end
<br>
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
## Properties
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
### interfaces
The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
describe firewalld.where { zone == 'public' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end
### sources
The `sources` property is used in conjunction with the where class to display open sources in an active zone.
describe firewalld.where { zone == 'public' } do
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end
### services
The `services` property is used in conjunction with the where class to display open services in an active zone.
describe firewalld.where { zone == 'public' } do
its('services') { should cmp ['ssh', 'icmp'] }
end
### default_zone
The `default_zone` property displays the default active zone to be used.
its('default_zone') { should eq 'public' }
<br>
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
## Matchers
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
### `be_installed`
The `be_installed` matcher tests if the firewalld service is installed:
it { should be_installed }
### `be_running`
The `be_running` matcher tests if the firewalld service is running:
it { should be_running }
### `have_zone`
firewalld resource: inspect the status and configuration of firewalld (#2074) * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * New Resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resourec - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazos <dromazmj@dukes.jmu.edu> * Modifications to new resource firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications to new resource - firewalld Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Modifications made * installed? method now tells by checking if firewall-cmd is a command on the system * The firewalld_command method now strips the stdout of the return * added another test for testing multiple active zones Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing rake lint issue Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing match and returning boolean for seeing if firewalld is running Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Fixing lint issues Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Empty commit to rerun. Accidentally updated branch. Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu> * Rerunning test, accidentally updated branch. needs sign off commit Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 12:05:35 +00:00
`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
it { should have_zone('public') }
### `have_service_enabled_in_zone`
`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
it { should have_service_enabled_in_zone('ssh', 'public') }
### `have_port_enabled_in_zone`
`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
it { should have_port_enabled_in_zone('22/tcp', 'public') }
### `have_rule_enabled`
`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action