Firewall check updates (#414)

* Check if CSF is running * Check for APF presence
2017-07-10 16:23:32 +03:00 · 2017-07-10 16:23:32 +03:00 · 3b66a22f39
parent 3a6fa0bb6b
commit 3b66a22f39
2 changed files with 44 additions and 0 deletions
--- a/db/tests.db
+++ b/db/tests.db
@ -135,6 +135,7 @@ FIRE-4538:test:security:firewalls:Linux:Check nftables basic configuration:
 FIRE-4540:test:security:firewalls:Linux:Test for empty nftables configuration:
 FIRE-4586:test:security:firewalls::Check firewall logging:
 FIRE-4590:test:security:firewalls::Check firewall status:
+FIRE-4594:test:security:firewalls::Check for APF presence:
 HOME-9302:test:security:homedirs::Create list with home directories:
 HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
 HOME-9350:test:security:homedirs::Collecting information from home directories:
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@ -321,6 +321,13 @@
            else
                Display --indent 4 --text "- Check if CSF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
            fi
+
+            LogText "Test: check if CSF is running"
+            if [ ! -f /etc/csf/csf.disable ]; then
+                Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_OK}" --color GREEN
+            else
+                Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_WARNING}" --color RED
+            fi
        else
            LogText "Result: ${FILE} does NOT exist"
        fi
@ -512,6 +519,42 @@
    fi
 #
 #################################################################################
+#
+    # Test        : FIRE-4594
+    # Description : Check for APF (Advanced Policy Firewall)
+    Register --test-no FIRE-4592 --weight L --network NO --category security --description "Check for APF presence"
+    if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FILE="/etc/apf/conf.apf"
+        LogText "Test: check ${FILE}"
+        if [ -f ${FILE} ]; then
+            LogText "Result: ${FILE} exists"
+            FIREWALL_ACTIVE=1
+            FIREWALL_SOFTWARE="apf"
+            Report "firewall_software[]=apf"
+            Display --indent 2 --text "- Checking APF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
+
+            LogText "Test: check if APF testing mode is disabled"
+            FIND=$(${GREPBINARY} -P "^DEVEL_MODE(\s|=)" ${FILE} | ${CUTBINARY} -d= -f2 | ${XARGSBINARY})
+            if [ "${FIND}" = "0" ]; then
+                Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_OK}" --color GREEN
+            else
+                Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
+            fi
+
+            LogText "Test: check if APF is running"
+            FIND=$(${IPTABLESBINARY} -L -n | ${GREPBINARY} -iom1 sanity | ${WCBINARY} -l)
+            if [ "${FIND}" = "1" ]; then
+                Display --indent 4 --text "- Check if APF is running" --result "${STATUS_OK}" --color GREEN
+            else
+                Display --indent 4 --text "- Check if APF is running" --result "${STATUS_WARNING}" --color RED
+            fi
+        else
+            LogText "Result: ${FILE} does NOT exist"
+        fi
+    fi
+#
+#################################################################################
 #

 # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.