Don't test each rule, match on whole array.
Signed-off-by: Bryan Endres <69473505+bryaend@users.noreply.github.com>
bryaend committed Mar 15, 2023
1 parent e1dc70a commit 5aa19fd
Showing 1 changed file with 18 additions and 72 deletions.
90 changes: 18 additions & 72 deletions controls/3_5_firewall_configuration.rb
Expand Up @@ -51,28 +51,11 @@

rules = ip6tables.retrieve_rules

describe.one do
rules.each do |rule|
describe rule do
it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }
end
end
describe "Check for IPv6 local loopback rules" do
subject { rules.join("\n") }
it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }
end

only_if { ipv6.zero? }
Expand All @@ -89,20 +72,10 @@
rules = ip6tables.retrieve_rules

%w(tcp udp icmp).each do |proto|
describe.one do
rules.each do |rule|
describe rule do
it { should match(/(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/) }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match(/(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/) }
end
end
describe "Check for IPv6 rules on established and new outbound connections" do
subject { rules.join("\n") }
it { should match(/(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/) }
it { should match(/(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/) }
end
end

Expand Down Expand Up @@ -152,28 +125,11 @@

rules = iptables.retrieve_rules

describe.one do
rules.each do |rule|
describe rule do
it { should match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/ }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match %r{(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0/8)(?=.*-j DROP)} }
end
end
describe "Check for local loopback rules" do
subject { rules.join("\n") }
it { should match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ }
it { should match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/ }
it { should match %r{(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0/8)(?=.*-j DROP)} }
end
end

Expand All @@ -188,20 +144,10 @@
rules = iptables.retrieve_rules

%w(tcp udp icmp).each do |proto|
describe.one do
rules.each do |rule|
describe rule do
it { should match /(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/ }
end
end
end

describe.one do
rules.each do |rule|
describe rule do
it { should match /(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/ }
end
end
describe "Check for rules on established and new outbound connections" do
subject { rules.join("\n") }
it { should match /(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/ }
it { should match /(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/ }
end
end
end
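Review bot: The joined-subject patterns at lines 43-45, 69-70, 102-104 and 128-129 are unanchored substring checks, so any rule line that merely contains all the tokens passes — for example `-A INPUT -i lo -p tcp --dport 22 -j ACCEPT` would satisfy the loopback-ACCEPT check although it is not the rule the control is looking for; anchoring each pattern at the start of a line and requiring whitespace around tokens, e.g. `it { should match(/^-A INPUT(?=.*\s-i lo\s)(?=.*\s-j ACCEPT\s*$)/) }`, tightens this (confirm against the exact `retrieve_rules` line format first). Because the subject is now one newline-joined string, the check only stays per-rule as long as `.` does not cross `\n`, so I would put `# "." stops at "\n": every lookahead must land on the same rule line — do not add /m` next to each `subject { rules.join("\n") }`. As a point of style, the IPv4 hunks pass the regex without parentheses (`should match /.../`) while the IPv6 hunks use `match(...)`; Ruby -w warns about the ambiguous first argument, so `it { should match(/.../) }` throughout would be consistent. Inside the `%w(tcp udp icmp).each` loops the `describe` titles repeat verbatim for each protocol, so a failure report cannot say which one failed; interpolating the loop variable, `describe "Check for IPv6 #{proto} rules on established and new outbound connections" do`, fixes that for both loops.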
