class Inspec::Resources::FirewallD

Attributes

params[R]

Public Class Methods

# File lib/inspec/resources/firewalld.rb, line 38
def initialize
  # Snapshot the active zones once at construction; each entry is the hash
  # built by #parse_line. NOTE(review): nothing guards the uninstalled case
  # here, so the error string returned by #firewalld_command would be handed
  # to #parse_active_zones as if it were zone output.
  raw_listing = active_zones
  @params = parse_active_zones(raw_listing)
end

Public Instance Methods

# File lib/inspec/resources/firewalld.rb, line 60
def default_zone
  # Name of the zone firewalld applies to otherwise-unassigned traffic,
  # e.g. 'public'. When the call fails this is the error string produced by
  # #firewalld_command, not an exception.
  zone_name = firewalld_command("--get-default-zone")
  zone_name
end
# File lib/inspec/resources/firewalld.rb, line 82
def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
  # True only when firewalld answers "yes" for the port (e.g. '22/tcp') in the
  # zone; any other output, including an error string, reads as false.
  # Both values are interpolated verbatim into the command line (no escaping),
  # so only trusted, well-formed values should be passed.
  answer = firewalld_command(format("--zone=%s --query-port=%s", query_zone, query_port))
  answer.eql?("yes")
end
# File lib/inspec/resources/firewalld.rb, line 86
def has_rule_enabled?(rule, query_zone = default_zone)
  # Accepts either a bare rich-rule body or one already prefixed with "rule".
  # The rule is wrapped in single quotes on the command line and not escaped,
  # so a rule containing a single quote breaks the command; pass trusted input.
  full_rule = rule.start_with?("rule") ? rule : "rule #{rule}"
  firewalld_command("--zone=#{query_zone} --query-rich-rule='#{full_rule}'").eql?("yes")
end
# File lib/inspec/resources/firewalld.rb, line 66
def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
  # True only when firewalld answers "yes" for the named service in the zone;
  # any other output, including an error string, reads as false.
  # Both values are interpolated verbatim into the command line (no escaping).
  answer = firewalld_command(format("--zone=%s --query-service=%s", query_zone, query_service))
  answer.eql?("yes")
end
# File lib/inspec/resources/firewalld.rb, line 46
def has_zone?(query_zone)
  # False when firewall-cmd is absent on the target; otherwise whether the
  # zone name appears in the whitespace-separated `--get-zones` listing.
  return false unless installed?

  known_zones = firewalld_command("--get-zones").split
  known_zones.include?(query_zone)
end
# File lib/inspec/resources/firewalld.rb, line 42
def installed?
  # Whether the firewall-cmd binary can be found on the target.
  probe = inspec.command("firewall-cmd")
  probe.exist?
end
# File lib/inspec/resources/firewalld.rb, line 53
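def running?
  # True when firewall-cmd is present and `--state` reports "running".
  # The check is anchored at the start of the whole output rather than at a
  # line start (the old `/^running/`), so a multi-line error string whose later
  # line happens to begin with "running" no longer reads as a running daemon;
  # "not running" is false either way.
  return false unless installed?

  firewalld_command("--state").start_with?("running")
end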
# File lib/inspec/resources/firewalld.rb, line 70
def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
  # Ports from the permanent configuration of the service within the zone, as
  # an Array of "port/proto" strings, e.g. ['22/tcp', '4722/tcp'].
  # An error string from #firewalld_command is split into words just the same.
  query = "--zone=#{query_zone} --service=#{query_service} --get-ports --permanent"
  firewalld_command(query).split
end
# File lib/inspec/resources/firewalld.rb, line 76
def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
  # Protocols from the permanent configuration of the service within the zone,
  # as an Array of protocol names, e.g. ['icmp', 'ipv4', 'igmp'].
  # An error string from #firewalld_command is split into words just the same.
  query = "--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent"
  firewalld_command(query).split
end
# File lib/inspec/resources/firewalld.rb, line 91
def to_s
  "Firewall Rules"
end

Private Instance Methods

# File lib/inspec/resources/firewalld.rb, line 97
def active_zones
  # Raw `--get-active-zones` output: each zone name on an unindented line,
  # followed by indented attribute lines, e.g.
  #   public
  #       interfaces: enp0s3
  # NOTE(review): zones bound by source rather than interface presumably print
  # a `sources:` attribute line too — confirm against firewall-cmd output.
  listing = firewalld_command("--get-active-zones")
  listing
end
# File lib/inspec/resources/firewalld.rb, line 138
def firewalld_command(command)
  # Runs `firewall-cmd <command>` on the target and returns its stripped stdout.
  # The command is handed to `inspec.command` as a single string, so the values
  # callers interpolate into `command` are not escaped.
  # Any stderr output is treated as failure and reported *as the return value*
  # rather than raised, and the exit status is never consulted; callers that
  # compare against "yes" or split the result therefore see a false/garbled
  # answer instead of an error.
  full_command = "firewall-cmd #{command}"
  outcome = inspec.command(full_command)
  return "Error on command #{full_command}: #{outcome.stderr}" unless outcome.stderr == ""

  outcome.stdout.strip
end
# File lib/inspec/resources/firewalld.rb, line 108
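def parse_active_zones(content)
  # Turns raw `--get-active-zones` output into one #parse_line hash per zone.
  # A zone starts on an unindented line and its attribute lines are indented,
  # so chunks are cut on indentation instead of the previous fixed two-line
  # stride, which silently misaligned every following zone as soon as one zone
  # printed more (or fewer) than a single attribute line.
  # `content` is coerced with to_s so a nil result yields [] rather than raising.
  lines = content.to_s.split("\n").reject { |l| l.strip.empty? }
  lines
    .slice_before { |l| !l.start_with?(" ", "\t") }
    .map { |chunk| parse_line(chunk.join("\n")) }
    .compact
end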
# File lib/inspec/resources/firewalld.rb, line 116
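def parse_line(line)
  # Builds the params entry for one zone from its chunk of `--get-active-zones`
  # output: the zone name on the first line, indented attribute lines after it.
  # The interface list is read from the `interfaces:` line specifically rather
  # than from whatever follows the first colon in the chunk, so a chunk that
  # carries a `sources:` line (or no attribute line at all) yields an empty
  # interface list instead of raising or mis-filing sources as interfaces.
  # Services and sources are looked up per zone with further firewall-cmd calls.
  chunk = line.split("\n")
  zone = chunk.first
  interfaces_line = chunk.find { |l| l.strip.start_with?("interfaces:") }
  interfaces = interfaces_line ? interfaces_line.split(":", 2).last.split : []
  {
    "zone" => zone,
    "interfaces" => interfaces,
    "services" => services_bound(zone),
    "sources" => sources_bound(zone),
  }
end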
# File lib/inspec/resources/firewalld.rb, line 132
def services_bound(query_zone)
  # Services currently bound to the zone, as an Array of names,
  # e.g. ['ssh', 'dhcpv6-client']. The zone name is interpolated unescaped.
  listing = firewalld_command("--zone=#{query_zone} --list-services")
  listing.split
end
# File lib/inspec/resources/firewalld.rb, line 126
def sources_bound(query_zone)
  # Sources currently bound to the zone, as an Array of strings: plain IP
  # addresses, addresses with a mask, or ipset names (with the ipset prefix),
  # e.g. ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64'].
  # The zone name is interpolated unescaped.
  listing = firewalld_command("--zone=#{query_zone} --list-sources")
  listing.split
end