
Don't test each rule, match on whole array. #145

Open · wants to merge 1 commit into master

Conversation


@bryaend bryaend commented Mar 15, 2023

Fixes #144

Updated the logic to run a match against the entire array instead of checking each existing rule one-by-one. This results in much clearer output on failures:

Check for IPv6 local loopback rules
  is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ (0.02722s)
  Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }

    expected "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N ufw6-after-forward\n-N ufw6-after-input\n-N ufw6-...ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable\n-A ufw6-user-limit-accept -j ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
    Diff:
    @@ -1,139 +1,277 @@
    -/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
    +-P INPUT DROP
    +-P FORWARD DROP
    +-P OUTPUT DROP
    +-N ufw6-after-forward
    +-N ufw6-after-input
    +-N ufw6-after-logging-forward
    +-N ufw6-after-logging-input
    +-N ufw6-after-logging-output
    +-N ufw6-after-output
    +-N ufw6-before-forward
    +-N ufw6-before-input
    +-N ufw6-before-logging-forward
    +-N ufw6-before-logging-input
    +-N ufw6-before-logging-output
    +-N ufw6-before-output
    +-N ufw6-logging-allow
    +-N ufw6-logging-deny
    +-N ufw6-reject-forward
    +-N ufw6-reject-input
    +-N ufw6-reject-output
    +-N ufw6-skip-to-policy-forward
    +-N ufw6-skip-to-policy-input
    +-N ufw6-skip-to-policy-output
    +-N ufw6-track-forward
    +-N ufw6-track-input
    +-N ufw6-track-output
    +-N ufw6-user-forward
    +-N ufw6-user-input
    +-N ufw6-user-limit
    +-N ufw6-user-limit-accept
    +-N ufw6-user-logging-forward
    +-N ufw6-user-logging-input
    +-N ufw6-user-logging-output
    +-N ufw6-user-output
    +-A INPUT -j ufw6-before-logging-input
    +-A INPUT -j ufw6-before-input
    +-A INPUT -j ufw6-after-input
    +-A INPUT -j ufw6-after-logging-input
    +-A INPUT -j ufw6-reject-input
    +-A INPUT -j ufw6-track-input
    +-A FORWARD -j ufw6-before-logging-forward
    +-A FORWARD -j ufw6-before-forward
    +-A FORWARD -j ufw6-after-forward
    +-A FORWARD -j ufw6-after-logging-forward
    +-A FORWARD -j ufw6-reject-forward
    +-A FORWARD -j ufw6-track-forward
    +-A OUTPUT -j ufw6-before-logging-output
    +-A OUTPUT -j ufw6-before-output
    +-A OUTPUT -j ufw6-after-output
    +-A OUTPUT -j ufw6-after-logging-output
    +-A OUTPUT -j ufw6-reject-output
    +-A OUTPUT -j ufw6-track-output
    +-A ufw6-after-input -p udp -m udp --dport 137 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 138 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p tcp -m tcp --dport 139 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p tcp -m tcp --dport 445 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 546 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 547 -j ufw6-skip-to-policy-input
    +-A ufw6-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-before-forward -m rt --rt-type 0 -j DROP
    +-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-forward -j ufw6-user-forward
    +-A ufw6-before-input -i lo -j ACCEPT
    +-A ufw6-before-input -m rt --rt-type 0 -j DROP
    +-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
    +-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
    +-A ufw6-before-input -d ff02::fb/128 -p udp -m udp --dport 5353 -j ACCEPT
    +-A ufw6-before-input -d ff02::f/128 -p udp -m udp --dport 1900 -j ACCEPT
    +-A ufw6-before-input -j ufw6-user-input
    +-A ufw6-before-output -o lo -j ACCEPT
    +-A ufw6-before-output -m rt --rt-type 0 -j DROP
    +-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -j ufw6-user-output
    +-A ufw6-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    +-A ufw6-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    +-A ufw6-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-skip-to-policy-forward -j DROP
    +-A ufw6-skip-to-policy-input -j DROP
    +-A ufw6-skip-to-policy-output -j DROP
    +-A ufw6-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
    +-A ufw6-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    +-A ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable
    +-A ufw6-user-limit-accept -j ACCEPT
  # cis-dil-benchmark/controls/3_5_firewall_configuration.rb:56:in `block (3 levels) in load_with_context'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner_rspec.rb:97:in `run'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:193:in `run_tests'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:164:in `run'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/cli.rb:366:in `exec'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/base_cli.rb:35:in `start'
54  describe "Check for IPv6 local loopback rules" do
55    subject { rules.join("\n") }
56    it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
57    it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
58    it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }

Signed-off-by: Bryan Endres <69473505+bryaend@users.noreply.github.com>
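The check the PR introduces, as an added example that is not part of the profile or the PR: it runs the three loopback regexes over constructed ip6tables-save style rule arrays (names `LOOPBACK_CHECKS`, `failing_loopback_checks` and the sample constants are assumptions here), shows why joining on "\n" rather than a space matters, and reproduces the ufw-style failure shown in the PR output.

```ruby
# Added example, not the cis-dil-benchmark profile's own code.
# The three regexes are the ones from controls/3_5_firewall_configuration.rb:56-58.
LOOPBACK_CHECKS = {
  "input accepts lo"  => /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/,
  "output accepts lo" => /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/,
  "input drops ::1"   => /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/,
}.freeze

# Returns the names of the checks that do NOT hold for the given rule array.
# Without the /m flag Ruby's '.' never crosses "\n", so when the rules are
# joined with "\n" (as in subject { rules.join("\n") }) all three lookaheads
# must be satisfied by one single rule line, not by tokens spread over
# several rules. Joining on a space instead silently loses that property.
def failing_loopback_checks(rules, separator: "\n")
  blob = rules.join(separator)
  LOOPBACK_CHECKS.reject { |_name, re| blob.match?(re) }.keys
end

# Constructed sample: a compliant ruleset, every check passes.
COMPLIANT = [
  "-P INPUT DROP",
  "-A INPUT -i lo -j ACCEPT",
  "-A OUTPUT -o lo -j ACCEPT",
  "-A INPUT -s ::1 -j DROP",
].freeze

# Constructed sample: each token appears somewhere, but never in one rule.
# This is the false-positive shape: it must fail when joined with "\n".
SPLIT_TOKENS = [
  "-A INPUT -p tcp --dport 22 -j ACCEPT",
  "-A FORWARD -i lo -j DROP",
  "-A OUTPUT -o lo -j DROP",
  "-A INPUT -s ::1 -j LOG",
].freeze

# Constructed sample mirroring the ufw output in the PR: the loopback accepts
# live in ufw6-before-* chains, so no rule in INPUT/OUTPUT itself matches.
UFW_STYLE = [
  "-A INPUT -j ufw6-before-input",
  "-A ufw6-before-input -i lo -j ACCEPT",
  "-A OUTPUT -j ufw6-before-output",
  "-A ufw6-before-output -o lo -j ACCEPT",
].freeze
```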
Successfully merging this pull request may close these issues.

False Positives when checking all rules