inspec/lib/resources/firewalld.rb

# encoding: utf-8
# author: Matthew

module Inspec::Resources
  class FirewallD < Inspec.resource(1)
    ###
    #  This recourse assumes that the file sudo vim /etc/polkit-1/rules.d/49-nopasswd_global.rules has been
    #  set to allow users in group "wheel" to perform any commands without authentication.
    ###

    name 'firewalld'
    desc 'Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services'
    example "
      describe firewalld do
        it { should be_running }
        its('default_zone') { should eq 'public' }
        it { should have_service_enabled_in_zone('ssh', 'public') }
        it { should have_rule_enabled('rule family=ipv4 source address=192.168.0.14 accept', 'public') }
      end

      describe firewalld.where { zone == 'public' } do
        its('interfaces') { should cmp ['enp0s3', 'eno2'] }
        its('sources') { should cmp ['ssh', 'icmp'] }
        its('services') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
      end
    "

    attr_reader :params

    filter = FilterTable.create
    filter.add_accessor(:where)
          .add_accessor(:entries)
          .add(:zone,       field: 'zone')
          .add(:interfaces, field: 'interfaces')
          .add(:sources,    field: 'sources')
          .add(:services,   field: 'services')

    filter.connect(self, :params)

    def initialize
      return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
      @params = parse_active_zones(active_zones)
    end

    def installed?
      inspec.command('firewall-cmd').exist?
    end

    def has_zone?(query_zone)
      return false unless installed?
      result = firewalld_command('--get-zones').split(' ')
      result.include?(query_zone)
    end

    def running?
      return false unless installed?
      result = firewalld_command('--state')
      result =~ /^running/ ? true : false
    end

    def default_zone
      # return: word associated with the name of the default zone
      # example: 'public'
      firewalld_command('--get-default-zone')
    end

    def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
      firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == 'yes'
    end

    def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
      # return: String of ports open
      # example: ['22/tcp', '4722/tcp']
      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(' ')
    end

    def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
      # return: String of protocoals open
      # example: ['icmp', 'ipv4', 'igmp']
      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(' ')
    end

    def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
      firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == 'yes'
    end

    def has_rule_enabled?(rule, query_zone = default_zone)
      rule = 'rule ' + rule
      firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
    end

    private

    def active_zones
      # return syntax:
      #   [default-zone-name]
      #       interfaces: [open interfases]
      #
      # example:
      #   public
      #       interfaces: enp0s3
      firewalld_command('--get-active-zones')
    end

    def parse_active_zones(content)
      # Split by every second line, which contains the zone and the interfaces.
      content = content.split(/\n/).each_slice(2).map { |slice| slice.join("\n") }
      content.map do |line|
        parse_line(line)
      end.compact
    end

    def parse_line(line)
      zone = line.split("\n")[0]
      {
        'zone' => zone,
        'interfaces' => line.split(':')[1].split(' '),
        'services' =>   services_bound(zone),
        'sources' =>    sources_bound(zone),
      }
    end

    def sources_bound(query_zone)
      # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
      # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
      firewalld_command("--zone=#{query_zone} --list-sources").split(' ')
    end

    def services_bound(query_zone)
      # result: a list of services bound to a zone.
      # example: ['ssh', 'dhcpv6-client']
      firewalld_command("--zone=#{query_zone} --list-services").split(' ')
    end

    def firewalld_command(command)
      command = "firewall-cmd #{command}"
      result = inspec.command(command)
      if result.stderr != ''
        return "Error on command #{command}: #{result.stderr}"
      end
      result.stdout.strip
    end
  end
end