Improved test FIRE-4512 so that it also triggers if no more than 10 rules are found

mboelen 2015-12-02 16:55:41 +01:00
parent 0144c99533
commit 4ab96e4f39


@ -90,21 +90,22 @@
################################################################################# #################################################################################
# #
# Test : FIRE-4512 # Test : FIRE-4512
# Description : Check iptables for empty ruleset # Description : Check iptables for empty ruleset (should have at least 10 or more rules)
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset" Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '` FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
if [ "${FIND}" = "0" ]; then if [ ! "${FIND}" = "" ]; then
# Firewall is active, but clearly needs configuration
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
logtext "Result: iptables ruleset is empty" if [ ${FIND} -le 10 ]; then
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED # Firewall is active, but clearly needs configuration
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active" logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
ReportSuggestion ${TEST_NO} "Disable iptables kernel module if not used or make sure rules are being used" Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
else ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
logtext "Result: one or more rules are available" else
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN logtext "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
fi
fi fi
fi fi
# #
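Review bot: The warning and log text still describe a zero-rule state although the branch now fires for any count up to 10: `ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"` is emitted when `${FIND}` may be anything from 0 to 10, so the report contradicts the logtext on the line above it; something like `ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but few or no rules active (found ${FIND})"` keeps the two consistent. Because `wc -l` always prints a number and stderr is discarded in the `FIND=` assignment, `${FIND}` can never be empty, so the new `if [ ! "${FIND}" = "" ]` guard is always true and a failing `${IPTABLESBINARY}` invocation (which would appear to have no rules) is reported as an empty ruleset rather than as a test error; checking the command's exit status before counting would separate the two cases. The count also covers only the default filter table, since `--list` is run without `-t`, and a short ruleset with a restrictive default chain policy is a legitimate configuration, so a fixed threshold of 10 is a heuristic worth noting in the description comment, e.g. `# Note: counts filter-table rules only; a DROP policy with few rules will still trigger this`.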