diff --git a/docs-chef-io/content/inspec/resources/firewalld.md b/docs-chef-io/content/inspec/resources/firewalld.md
index 1cafc9039..ab1ea13b1 100644
--- a/docs-chef-io/content/inspec/resources/firewalld.md
+++ b/docs-chef-io/content/inspec/resources/firewalld.md
@@ -11,7 +11,7 @@ platform = "linux"
 parent = "inspec/resources/os"
 +++
 
-Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
+Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services, and ports on a system.
 
 A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
 
@@ -27,21 +27,21 @@ This resource first became available in v1.40.0 of InSpec.
 
 ## Syntax
 
- describe firewalld do
- it { should be_running }
- its('default_zone') { should eq 'public' }
- it { should have_service_enabled_in_zone('ssh', 'public') }
- it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
- end
+describe firewalld do
+ it { should be_running }
+ its('default_zone') { should eq 'PUBLIC' }
+ it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
+ it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
+end
 
 Use the where clause to test open interfaces, sources, and services that are in active zones.
 
- describe firewalld.where { zone == 'public' } do
- its('interfaces') { should cmp ['enp0s3', 'eno2'] }
- its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
- its('services') { should cmp ['ssh', 'icmp'] }
- its('target') { should cmp ['default'] }
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('interfaces') { should cmp ['ENP0S3', 'ENO2'] }
+ its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+ its('services') { should cmp ['SSH', 'icmp'] }
+ its('target') { should cmp ['default'] }
+end
 
 ## Properties
 
@@ -60,57 +60,57 @@ Use the where clause to test open interfaces, sources, and services that are in
 
 ### interfaces
 
-The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
+The `interfaces` property is used in conjunction with the class to display open interfaces in an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('interfaces') { should cmp ['enp0s3', 'eno2'] }
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+end
 
 ### `sources`
 
-The `sources` property is used in conjunction with the where class to display open sources in an active zone.
+The `sources` property is used in conjunction with the class to display open sources in an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+end
 
 ### `services`
 
-The `services` property is used in conjunction with the where class to display open services in an active zone.
+The `services` property is used in conjunction with the class to display open services in an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('services') { should cmp ['ssh', 'icmp'] }
+ describe firewalld.where { zone == 'PUBLIC' } do
+ its('services') { should cmp ['SSH', 'icmp'] }
 end
 
 ### target
 
-The `target` property is used in conjunction with the where class to display the target action in an active zone.
+The `target` property is used in conjunction with the class to display the target action in an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc.
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc.
+end
 
 ### ports
 
-The `ports` property is used in conjunction with the where class to display the ports used by an active zone.
+The `ports` property is used in conjunction with the class to display the ports used by an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('ports') { should cmp ["80/tcp", "443/tcp"] }
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('ports') { should cmp ["80/tcp", "443/tcp"] }
+end
 
 ### protocols
 
-The `protocols` property is used in conjunction with the where class to display the protocols used by an active zone.
+The `protocols` property is used in conjunction with the class to display the protocols used by an active zone.
 
- describe firewalld.where { zone == 'public' } do
- its('protocols') { should cmp ["icmp", "ipv4"] }
- end
+describe firewalld.where { zone == 'PUBLIC' } do
+ its('protocols') { should cmp ["icmp", "ipv4"] }
+end
 
 ### default_zone
 
 The `default_zone` property displays the default active zone to be used.
 
- its('default_zone') { should eq 'public' }
+ its('default_zone') { should eq 'PUBLIC' }
 
 ## Matchers
 
@@ -132,25 +132,25 @@ The `be_running` matcher tests if the firewalld service is running:
 
 `have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
 
- it { should have_zone('public') }
+ it { should have_zone('PUBLIC') }
 
 ### `have_service_enabled_in_zone`
 
 `have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
 
- it { should have_service_enabled_in_zone('ssh', 'public') }
+ it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
 
 ### `have_port_enabled_in_zone`
 
 `have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
 
- it { should have_port_enabled_in_zone('22/tcp', 'public') }
+ it { should have_port_enabled_in_zone('22/tcp', 'PUBLIC') }
 
 ### `have_rule_enabled`
 
 `have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
 
- it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
+ it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
 
 It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action.
 