Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-23 13:13:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

#5597 edits

Browse source 
Signed-off-by: Deepa Kumaraswamy <dkumaras@progress.com>
This commit is contained in:
Deepa Kumaraswamy 2021-09-07 19:15:30 +05:30 committed by Clinton Wolfe
parent d0e13b48f7
commit 06dccd2d9f
1 changed files with 41 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

82
docs-chef-io/content/inspec/resources/firewalld.md
View file

@ -11,7 +11,7 @@ platform = "linux"
parent = "inspec/resources/os"
+++
Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services, and ports on a system.
A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
@ -27,21 +27,21 @@ This resource first became available in v1.40.0 of InSpec.
## Syntax
describe firewalld do
it { should be_running }
its('default_zone') { should eq 'public' }
it { should have_service_enabled_in_zone('ssh', 'public') }
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
end
describe firewalld do
it { should be_running }
its('default_zone') { should eq 'PUBLIC' }
it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
end
Use the where clause to test open interfaces, sources, and services that are in active zones.
describe firewalld.where { zone == 'public' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] }
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
its('services') { should cmp ['ssh', 'icmp'] }
its('target') { should cmp ['default'] }
end
describe firewalld.where { zone == 'PUBLIC' } do
its('interfaces') { should cmp ['ENP0S3', 'ENO2'] }
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
its('services') { should cmp ['SSH', 'icmp'] }
its('target') { should cmp ['default'] }
end
## Properties
@ -60,57 +60,57 @@ Use the where clause to test open interfaces, sources, and services that are in
### interfaces
The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
The `interfaces` property is used in conjunction with the class to display open interfaces in an active zone.
describe firewalld.where { zone == 'public' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end
describe firewalld.where { zone == 'PUBLIC' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end
### `sources`
The `sources` property is used in conjunction with the where class to display open sources in an active zone.
The `sources` property is used in conjunction with the class to display open sources in an active zone.
describe firewalld.where { zone == 'public' } do
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end
describe firewalld.where { zone == 'PUBLIC' } do
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end
### `services`
The `services` property is used in conjunction with the where class to display open services in an active zone.
The `services` property is used in conjunction with the class to display open services in an active zone.
describe firewalld.where { zone == 'public' } do
its('services') { should cmp ['ssh', 'icmp'] }
describe firewalld.where { zone == 'PUBLIC' } do
its('services') { should cmp ['SSH', 'icmp'] }
end
### target
The `target` property is used in conjunction with the where class to display the target action in an active zone.
The `target` property is used in conjunction with the class to display the target action in an active zone.
describe firewalld.where { zone == 'public' } do
its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc.
end
describe firewalld.where { zone == 'PUBLIC' } do
its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc.
end
### ports
The `ports` property is used in conjunction with the where class to display the ports used by an active zone.
The `ports` property is used in conjunction with the class to display the ports used by an active zone.
describe firewalld.where { zone == 'public' } do
its('ports') { should cmp ["80/tcp", "443/tcp"] }
end
describe firewalld.where { zone == 'PUBLIC' } do
its('ports') { should cmp ["80/tcp", "443/tcp"] }
end
### protocols
The `protocols` property is used in conjunction with the where class to display the protocols used by an active zone.
The `protocols` property is used in conjunction with the class to display the protocols used by an active zone.
describe firewalld.where { zone == 'public' } do
its('protocols') { should cmp ["icmp", "ipv4"] }
end
describe firewalld.where { zone == 'PUBLIC' } do
its('protocols') { should cmp ["icmp", "ipv4"] }
end
### default_zone
The `default_zone` property displays the default active zone to be used.
its('default_zone') { should eq 'public' }
its('default_zone') { should eq 'PUBLIC' }
## Matchers
@ -132,25 +132,25 @@ The `be_running` matcher tests if the firewalld service is running:
`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
it { should have_zone('public') }
it { should have_zone('PUBLIC') }
### `have_service_enabled_in_zone`
`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
it { should have_service_enabled_in_zone('ssh', 'public') }
it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
### `have_port_enabled_in_zone`
`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
it { should have_port_enabled_in_zone('22/tcp', 'public') }
it { should have_port_enabled_in_zone('22/tcp', 'PUBLIC') }
### `have_rule_enabled`
`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action.