From 4ab96e4f39081b8e8f14f8332ccd27125a2f2cbb Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 2 Dec 2015 16:55:41 +0100
Subject: [PATCH] Improved test FIRE-4512 so that it also triggers if no more than 10 rules are found

---
 include/tests_firewalls | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/include/tests_firewalls b/include/tests_firewalls
index 302fd733..da933cb0 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -90,21 +90,22 @@
 #################################################################################
 #
 # Test : FIRE-4512
-# Description : Check iptables for empty ruleset
+# Description : Check iptables for empty ruleset (should have at least 10 or more rules)
 if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset"
 if [ ${SKIPTEST} -eq 0 ]; then
-    FIND=`${IPTABLESBINARY} --list --numeric | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
-    if [ "${FIND}" = "0" ]; then
-        # Firewall is active, but clearly needs configuration
+    FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
+    if [ ! "${FIND}" = "" ]; then
         FIREWALL_ACTIVE=1
-        logtext "Result: iptables ruleset is empty"
-        Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
-        ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
-        ReportSuggestion ${TEST_NO} "Disable iptables kernel module if not used or make sure rules are being used"
-    else
-        logtext "Result: one or more rules are available"
-        Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
+        if [ ${FIND} -le 10 ]; then
+            # Firewall is active, but clearly needs configuration
+            logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
+            Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
+            ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
+        else
+            logtext "Result: one or more rules are available (${FIND} rules)"
+            Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
+        fi
     fi
 fi
 #
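Review bot: The new guard `if [ ! "${FIND}" = "" ]; then` never excludes anything, because `wc -l | tr -d ' '` always prints a count; when the listing fails (its stderr is now sent to /dev/null) FIND is "0", FIREWALL_ACTIVE is still set to 1 and an empty-ruleset warning is raised for a command that produced no output at all. Capturing the raw `--list --numeric` output into its own variable first, testing that variable for emptiness, and only then piping it through egrep and wc would make the guard meaningful and keep a failed invocation from being reported as a misconfigured firewall. Separately, the `-le 10` threshold counts rule lines but ignores chain policies, so a host with a deliberate default-DROP policy and a handful of rules is flagged while the ReportWarning text still says "no rules active"; `ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but few or no rules active (found ${FIND})"` would at least describe what was measured. The ReportSuggestion that accompanied the warning is gone on the new side and the commit message does not mention it; if that is unintended, it belongs inside the new `-le 10` branch.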