Signed-off-by: Deepa Kumaraswamy <dkumaras@progress.com>
Deepa Kumaraswamy 2021-09-07 19:15:30 +05:30 committed by Clinton Wolfe
parent d0e13b48f7
commit 06dccd2d9f


@ -11,7 +11,7 @@ platform = "linux"
parent = "inspec/resources/os" parent = "inspec/resources/os"
+++ +++
Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system. Use the `firewalld` Chef InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services, and ports on a system.
A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports. A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
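Review bot: The serial comma added to "hosts, services, and ports" is fine, but the sentence that follows in the same hunk still opens with "A firewalld has a number of zones". firewalld is the name of the daemon, not a countable noun, and the first sentence already uses it without an article, so while this paragraph is being touched it should read "firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports."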
@ -27,21 +27,21 @@ This resource first became available in v1.40.0 of InSpec.
## Syntax ## Syntax
describe firewalld do describe firewalld do
it { should be_running } it { should be_running }
its('default_zone') { should eq 'public' } its('default_zone') { should eq 'PUBLIC' }
it { should have_service_enabled_in_zone('ssh', 'public') } it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') } it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
end end
Use the where clause to test open interfaces, sources, and services that are in active zones. Use the where clause to test open interfaces, sources, and services that are in active zones.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] } its('interfaces') { should cmp ['ENP0S3', 'ENO2'] }
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] } its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
its('services') { should cmp ['ssh', 'icmp'] } its('services') { should cmp ['SSH', 'icmp'] }
its('target') { should cmp ['default'] } its('target') { should cmp ['default'] }
end end
## Properties ## Properties
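Review bot: The Syntax examples switch zone, service and interface names to upper case ('PUBLIC', 'SSH', 'ENP0S3', 'ENO2') but nothing in the surrounding text says the resource compares these values case-insensitively. `its('default_zone') { should eq 'PUBLIC' }` is an exact string comparison, and a stock firewalld reports its default zone as `public`, so a reader who copies this example gets a failing control unless the resource itself normalizes case. Either add a sentence under Syntax stating that zone, service and interface names are matched case-insensitively (if that is what this release implements), or keep the documented values in the lower-case form firewalld actually uses. The new values are also inconsistent within the hunk: `its('services') { should cmp ['SSH', 'icmp'] }` upper-cases one service name and not the other, and `its('target') { should cmp ['default'] }` is left unchanged.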
@ -60,57 +60,57 @@ Use the where clause to test open interfaces, sources, and services that are in
### interfaces ### interfaces
The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone. The `interfaces` property is used in conjunction with the class to display open interfaces in an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('interfaces') { should cmp ['enp0s3', 'eno2'] } its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end end
### `sources` ### `sources`
The `sources` property is used in conjunction with the where class to display open sources in an active zone. The `sources` property is used in conjunction with the class to display open sources in an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] } its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end end
### `services` ### `services`
The `services` property is used in conjunction with the where class to display open services in an active zone. The `services` property is used in conjunction with the class to display open services in an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('services') { should cmp ['ssh', 'icmp'] } its('services') { should cmp ['SSH', 'icmp'] }
end end
### target ### target
The `target` property is used in conjunction with the where class to display the target action in an active zone. The `target` property is used in conjunction with the class to display the target action in an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc. its('target') { should cmp ['default'] } # or ['DROP'], ['ACCEPT'], etc.
end end
### ports ### ports
The `ports` property is used in conjunction with the where class to display the ports used by an active zone. The `ports` property is used in conjunction with the class to display the ports used by an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('ports') { should cmp ["80/tcp", "443/tcp"] } its('ports') { should cmp ["80/tcp", "443/tcp"] }
end end
### protocols ### protocols
The `protocols` property is used in conjunction with the where class to display the protocols used by an active zone. The `protocols` property is used in conjunction with the class to display the protocols used by an active zone.
describe firewalld.where { zone == 'public' } do describe firewalld.where { zone == 'PUBLIC' } do
its('protocols') { should cmp ["icmp", "ipv4"] } its('protocols') { should cmp ["icmp", "ipv4"] }
end end
### default_zone ### default_zone
The `default_zone` property displays the default active zone to be used. The `default_zone` property displays the default active zone to be used.
its('default_zone') { should eq 'public' } its('default_zone') { should eq 'PUBLIC' }
## Matchers ## Matchers
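Review bot: The rewording in the interfaces, sources, services, target, ports and protocols subsections drops the wrong word: "used in conjunction with the where class" has become "used in conjunction with the class", which no longer names anything. The intended term is the `where` clause, as the Syntax section already puts it ("Use the where clause to test open interfaces, sources, and services that are in active zones"), so each of these six sentences should read "used in conjunction with the `where` clause to display ...". Separately, the case changes here do not match the earlier Syntax block: `its('interfaces') { should cmp ['enp0s3', 'eno2'] }` stays lower case in this hunk while the Syntax example was changed to `['ENP0S3', 'ENO2']`, and `['SSH', 'icmp']` again mixes cases on one line. Pick one convention, apply it throughout the page, and state in the prose whether case is significant.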
@ -132,25 +132,25 @@ The `be_running` matcher tests if the firewalld service is running:
`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active. `have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
it { should have_zone('public') } it { should have_zone('PUBLIC') }
### `have_service_enabled_in_zone` ### `have_service_enabled_in_zone`
`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone. `have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
it { should have_service_enabled_in_zone('ssh', 'public') } it { should have_service_enabled_in_zone('SSH', 'PUBLIC') }
### `have_port_enabled_in_zone` ### `have_port_enabled_in_zone`
`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone. `have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
it { should have_port_enabled_in_zone('22/tcp', 'public') } it { should have_port_enabled_in_zone('22/tcp', 'PUBLIC') }
### `have_rule_enabled` ### `have_rule_enabled`
`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone. `have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') } it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'PUBLIC') }
It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action. It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action.
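Review bot: The matcher examples upper-case the zone and service arguments ('PUBLIC', 'SSH') but leave the tokens that firewalld itself parses in lower case: the port spec `'22/tcp'` in `have_port_enabled_in_zone` and the rich-rule text `'family=ipv4 source address=192.168.0.14 accept'` in `have_rule_enabled`. That split is sensible if only zone and service names are normalized by the resource, but the page should say so. Add a sentence to the Matchers section stating which arguments are matched case-insensitively and whether the rich-rule string has to match the zone's configured rule exactly; as written, a reader cannot tell whether `have_zone('PUBLIC')` is expected to pass on a default install, where the zone is named `public`.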