Update firewalld resource to include more properties

Signed-off-by: Daniel Tingstrom <dtingstrom@mitre.org>
2024-11-26 14:40:26 +00:00 · 2021-07-08 16:50:48 -04:00 · 2021-07-08 16:50:48 -04:00 · 3e8738a4e6
commit 3e8738a4e6
parent 01baf2f7c0
12 changed files with 139 additions and 2 deletions
--- a/lib/inspec/resources/firewalld.rb
+++ b/lib/inspec/resources/firewalld.rb
@ -32,6 +32,15 @@ module Inspec::Resources
      .register_column(:interfaces, field: "interfaces")
      .register_column(:sources,    field: "sources")
      .register_column(:services,   field: "services")
+      .register_column(:target,   field: "target")
+      .register_column(:icmp_block_inversion,   field: "icmp_block_inversion")
+      .register_column(:ports,   field: "ports")
+      .register_column(:protocols,   field: "protocols")
+      .register_column(:masquerade,   field: "masquerade")
+      .register_column(:forward_ports,   field: "forward_ports")
+      .register_column(:source_ports,   field: "source_ports")
+      .register_column(:icmp_blocks,   field: "icmp_blocks")
+      .register_column(:rich_rules,   field: "rich_rules")

    filter.install_filter_methods_on_resource(self, :params)

@ -74,7 +83,7 @@ module Inspec::Resources
    end

    def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
-      # return: String of protocoals open
+      # return: String of protocols open
      # example: ['icmp', 'ipv4', 'igmp']
      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(" ")
    end
@ -120,9 +129,72 @@ module Inspec::Resources
        "interfaces" => line.split(":")[1].split(" "),
        "services" => services_bound(zone),
        "sources" => sources_bound(zone),
+        "target" => target_bound(zone),
+        "icmp_block_inversion" => icmp_block_inversion_bound(zone),
+        "ports" => ports_bound(zone),
+        "protocols" => protocols_bound(zone),
+        "masquerade" => masquerade_bound(zone),
+        "forward_ports" => forward_ports_bound(zone),
+        "source_ports" => source_ports_bound(zone),
+        "icmp_blocks" => icmp_blocks_bound(zone),
+        "rich_rules" => rich_rules_bound(zone),
      }
    end

+    def target_bound(query_zone)
+      # result: a target bound for the zone
+      # example: 'DROP'
+      firewalld_command("--permanent --zone=#{query_zone} --get-target").strip()
+    end
+
+    def icmp_block_inversion_bound(query_zone)
+      # result: true/false whether inversion of icmp blocks has been enabled for a zone
+      # example: true
+      firewalld_command("--zone=#{query_zone} --query-icmp-block-inversion") == "yes"
+    end
+
+    def ports_bound(query_zone)
+      # result: a list of ports bound for a zone
+      # example: ['80/tcp', '443/tcp']
+      firewalld_command("--zone=#{query_zone} --list-ports").split(" ")
+    end
+
+    def protocols_bound(query_zone)
+      # result: a list of protocols added for a zone
+      # example: ['icmp', 'ipv4', 'igmp']
+      firewalld_command("--zone=#{query_zone} --list-protocols").split(" ")
+    end
+
+    def masquerade_bound(query_zone)
+      # result: true/false whether IPv4 masquerading has been enabled for a zone
+      # example: true
+      firewalld_command("--zone=#{query_zone} --query-masquerade") == "yes"
+    end
+
+    def forward_ports_bound(query_zone)
+      # result: a list of IPv4 forward ports bound to a zone
+      # example: ['port=80:proto=tcp:toport=88', 'port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3']
+      firewalld_command("--zone=#{query_zone} --list-forward-ports").split("\n")
+    end
+
+    def source_ports_bound(query_zone)
+      # result: a list of source ports bound to a zone
+      # example: ['80/tcp', '8080/tcp']
+      firewalld_command("--zone=#{query_zone} --list-source-ports").split(" ")
+    end
+
+    def icmp_blocks_bound(query_zone)
+      # result: a list of internet ICMP type blocks bound to a zone
+      # example: ['echo-request', 'echo-reply']
+      firewalld_command("--zone=#{query_zone} --list-icmp-blocks").split(" ")
+    end
+
+    def rich_rules_bound(query_zone)
+      # result: a list of rich language rules bound to a zone
+      # example: ['rule protocol value="ah" accept', 'rule service name="ftp" log limit value="1/m" audit accept']
+      firewalld_command("--zone=#{query_zone} --list-rich-rules").split("\n")
+    end
+
    def sources_bound(query_zone)
      # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
      # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
@ -145,4 +217,4 @@ module Inspec::Resources
      result.stdout.strip
    end
  end
-end
+end
--- a/test/fixtures/cmd/firewall-cmd-get-target
+++ b/test/fixtures/cmd/firewall-cmd-get-target
@ -0,0 +1 @@
+default
--- a/test/fixtures/cmd/firewall-cmd-list-forward-ports
+++ b/test/fixtures/cmd/firewall-cmd-list-forward-ports
@ -0,0 +1,2 @@
+port=80:proto=tcp:toport=88:toaddr=
+port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3
--- a/test/fixtures/cmd/firewall-cmd-list-icmp-blocks
+++ b/test/fixtures/cmd/firewall-cmd-list-icmp-blocks
@ -0,0 +1 @@
+echo-request echo-reply
--- a/test/fixtures/cmd/firewall-cmd-list-ports
+++ b/test/fixtures/cmd/firewall-cmd-list-ports
@ -0,0 +1 @@
+80/tcp 443/tcp
--- a/test/fixtures/cmd/firewall-cmd-list-protocols
+++ b/test/fixtures/cmd/firewall-cmd-list-protocols
@ -0,0 +1 @@
+icmp ipv4
--- a/test/fixtures/cmd/firewall-cmd-list-rich-rules
+++ b/test/fixtures/cmd/firewall-cmd-list-rich-rules
@ -0,0 +1,2 @@
+rule protocol value="ah" accept
+rule service name="ftp" log limit value="1/m" audit accept
--- a/test/fixtures/cmd/firewall-cmd-list-source-ports
+++ b/test/fixtures/cmd/firewall-cmd-list-source-ports
@ -0,0 +1 @@
+80/tcp 8080/tcp
--- a/test/fixtures/cmd/firewall-cmd-query-icmp-block-inversion
+++ b/test/fixtures/cmd/firewall-cmd-query-icmp-block-inversion
@ -0,0 +1 @@
+no
--- a/test/fixtures/cmd/firewall-cmd-query-masquerade
+++ b/test/fixtures/cmd/firewall-cmd-query-masquerade
@ -0,0 +1 @@
+no
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
@ -505,6 +505,15 @@ class MockLoader
      "firewall-cmd --zone=default --list-services" => cmd.call("firewall-cmd-services-bound"),
      "firewall-cmd --zone=public --list-sources" => cmd.call("firewall-cmd-sources-bound"),
      "firewall-cmd --zone=default --list-sources" => cmd.call("firewall-cmd-sources-bound"),
+      "firewall-cmd --permanent --zone=public --get-target" => cmd.call("firewall-cmd-get-target"),
+      "firewall-cmd --permanent --zone=public --query-icmp-block-inversion" => cmd.call("firewall-cmd-query-icmp-block-inversion"),
+      "firewall-cmd --zone=public --list-ports" => cmd.call("firewall-cmd-list-ports"),
+      "firewall-cmd --zone=public --list-protocols" => cmd.call("firewall-cmd-list-protocols"),
+      "firewall-cmd --zone=public --query-masquerade" => cmd.call("firewall-cmd-query-masquerade"),
+      "firewall-cmd --zone=public --list-forward-ports" => cmd.call("firewall-cmd-list-forward-ports"),
+      "firewall-cmd --zone=public --list-source-ports" => cmd.call("firewall-cmd-list-source-ports"),
+      "firewall-cmd --zone=public --list-icmp-blocks" => cmd.call("firewall-cmd-list-icmp-blocks"),
+      "firewall-cmd --zone=public --list-rich-rules" => cmd.call("firewall-cmd-list-rich-rules"),
      "firewall-cmd --zone=public --query-rich-rule=rule family=ipv4 source address=192.168.0.14 accept" => cmd.call("firewall-cmd-has-rule-enabled"),
      "sh -c 'type \"firewall-cmd\"'" => cmd.call("firewall-cmd"),
      "rpm -qia firewalld" => cmd.call("pkg-info-firewalld"),
--- a/test/unit/resources/firewalld_test.rb
+++ b/test/unit/resources/firewalld_test.rb
@ -40,6 +40,51 @@ describe "Inspec::Resources::FirewallD" do
    _(entries.sources).must_equal [["192.168.1.0/24", "192.168.1.2"]]
  end

+  it "detects target in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.target).must_equal ["default"]
+  end
+
+  it "detects whether ICMP block inversion is enabled in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.icmp_block_inversion).must_equal [false]
+  end
+
+  it "detects ports in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.ports).must_equal [["80/tcp", "443/tcp"]]
+  end
+
+  it "detects protocols in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.protocols).must_equal [["icmp", "ipv4"]]
+  end
+
+  it "detects whether IPv4 masquerading is enabled in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.masquerade).must_equal [false]
+  end
+
+  it "detects IPv4 forward ports in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.forward_ports).must_equal [["port=80:proto=tcp:toport=88:toaddr=", "port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3"]]
+  end
+
+  it "detects source ports in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.source_ports).must_equal [["80/tcp", "8080/tcp"]]
+  end
+
+  it "detects ICMP blocks in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.icmp_blocks).must_equal [["echo-request", "echo-reply"]]
+  end
+
+  it "detects rich rules in an active zone" do
+    entries = cent_resource.where { zone == "public" }
+    _(entries.rich_rules).must_equal [["rule protocol value=\"ah\" accept", "rule service name=\"ftp\" log limit value=\"1/m\" audit accept"]]
+  end
+
  it "verify firewalld detects a whether or not a service is allowed in a zone" do
    _(cent_resource.has_service_enabled_in_zone?("ssh", "public")).must_equal true
  end