mirror of
https://github.com/inspec/inspec
synced 2025-01-07 02:39:10 +00:00
9b4a276e9f
* adding control statement to add rule in front of string as long as it doesn't already contain rule. Correcting resource name in firewalld from etc_hosts_deny adding tests for both branches of the statement created in firewalld Signed-off-by: Vern Burton <me@vernburton.com> * moving to unless with a start_with Signed-off-by: Vern Burton <me@vernburton.com> * adding documentation that states that it is not needed to add `rule` string Signed-off-by: Vern Burton <me@vernburton.com>
68 lines
2.4 KiB
Ruby
68 lines
2.4 KiB
Ruby
# encoding: utf-8
|
|
# author: Matthew Dromazos
|
|
|
|
require 'helper'
|
|
require 'inspec/resource'
|
|
|
|
describe 'Inspec::Resources::FirewallD' do
|
|
centResource = MockLoader.new(:centos7).load_resource('firewalld')
|
|
|
|
it 'verify firewalld detects a zone' do
|
|
_(centResource.has_zone?('public')).must_equal true
|
|
_(centResource.has_zone?('zonenotinfirewalld')).must_equal false
|
|
end
|
|
|
|
it 'verity firewalld is running' do
|
|
_(centResource.running?).must_equal true
|
|
end
|
|
|
|
it 'verify firewalld detects a default_zone' do
|
|
_(centResource.default_zone).must_equal 'public'
|
|
end
|
|
|
|
it 'parses zones with multiple interfaces' do
|
|
entries = centResource.where { zone == 'public' }
|
|
_(entries.interfaces).must_equal [['enp0s3', 'eno2']]
|
|
end
|
|
|
|
it 'detects services in an active zone' do
|
|
entries = centResource.where { zone == 'public' }
|
|
_(entries.services).must_equal [['ssh', 'icmp']]
|
|
end
|
|
|
|
it 'detects multiple active zones' do
|
|
entries = centResource.where { zone == 'public' }
|
|
_(entries.interfaces).must_equal [['enp0s3', 'eno2']]
|
|
entries = centResource.where { zone == 'default' }
|
|
_(entries.interfaces).must_equal [['enp0s3']]
|
|
end
|
|
|
|
it 'detects sources in an active zone' do
|
|
entries = centResource.where { zone == 'public' }
|
|
_(entries.sources).must_equal [['192.168.1.0/24', '192.168.1.2']]
|
|
end
|
|
|
|
it 'verify firewalld detects a whether or not a service is allowed in a zone' do
|
|
_(centResource.has_service_enabled_in_zone?('ssh', 'public')).must_equal true
|
|
end
|
|
|
|
it 'verify firewalld detects ports enabled for a service in a zone' do
|
|
_(centResource.service_ports_enabled_in_zone('ssh', 'public')).must_equal ['22/tcp']
|
|
end
|
|
|
|
it 'verify firewalld detects protocols enabled for a service in a zone' do
|
|
_(centResource.service_protocols_enabled_in_zone('ssh', 'public')).must_equal ['icmp']
|
|
end
|
|
|
|
it 'verify firewalld detects a whether or not a service is allowed in a zone' do
|
|
_(centResource.has_port_enabled_in_zone?('22/udp', 'public')).must_equal true
|
|
end
|
|
|
|
it 'verify firewalld detects a whether or not a rule is enabled in a zone included rule text' do
|
|
_(centResource.has_rule_enabled?('rule family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
|
|
end
|
|
|
|
it 'verify firewalld detects a whether or not a rule is enabled in a zone exluding rule text' do
|
|
_(centResource.has_rule_enabled?('family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
|
|
end
|
|
end
|