Use the firewalld Chef InSpec audit resource to test that firewalld is configured to allow or deny access to specific hosts, services and ports on a system.
firewalld has a number of zones, each of which can be configured to allow or deny access to specific hosts, services, and ports.
This resource is distributed along with Chef InSpec itself. You can use it automatically.
This resource first became available in v1.40.0 of InSpec.
describe firewalld do
  it { should be_running }
  its('default_zone') { should eq 'public' }
  it { should have_service_enabled_in_zone('ssh', 'public') }
  it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
end
Use the where clause to test open interfaces, sources, and services that are in active zones.
describe firewalld.where { zone == 'public' } do
  its('interfaces') { should cmp ['enp0s3', 'eno2'] }
  its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
  its('services') { should cmp ['ssh', 'icmp'] }
end
interfaces
The interfaces property is used together with the where clause to list the interfaces bound to an active zone.
describe firewalld.where { zone == 'public' } do
  its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end
sources
The sources property is used together with the where clause to list the source addresses bound to an active zone.
describe firewalld.where { zone == 'public' } do
  its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end
services
The services property is used together with the where clause to list the services allowed in an active zone.
describe firewalld.where { zone == 'public' } do
  its('services') { should cmp ['ssh', 'icmp'] }
end
default_zone
The default_zone property returns the zone that firewalld uses by default.
its('default_zone') { should eq 'public' }
For a full list of available matchers, please visit our matchers page.
be_installed
The be_installed matcher tests whether the firewalld service is installed:
it { should be_installed }
be_running
The be_running matcher tests whether the firewalld service is running:
it { should be_running }
have_zone
have_zone returns true or false depending on whether the zone is defined in firewalld. It does not mean the zone is active.
it { should have_zone('public') }
have_service_enabled_in_zone
have_service_enabled_in_zone returns true or false depending on whether the service is allowed in the specified zone.
it { should have_service_enabled_in_zone('ssh', 'public') }
have_port_enabled_in_zone
have_port_enabled_in_zone returns true or false depending on whether the port is allowed in the specified zone.
it { should have_port_enabled_in_zone('22/tcp', 'public') }
have_rule_enabled
have_rule_enabled returns true or false depending on whether the rich rule is present in the specified zone.
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
It is not necessary to include the leading “rule” keyword; the rule string can start with the optional flags firewalld accepts and end with the action.
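As an added illustration of what the zone-scoped matchers above test, the following plain Ruby evaluates the same checks against constructed `firewall-cmd --zone=public --list-all` output; it is not code from the InSpec docs or from the InSpec firewalld resource, and `parse_zone`, `normalize_rule`, the `*_enabled_in_zone?` helpers and the sample text are assumptions made for this example. It also shows why the leading “rule” keyword and the quoting of attribute values have to be normalised before a rich rule can be compared.

```ruby
# Constructed sample of `firewall-cmd --zone=public --list-all` output
# (not captured from a real host).
PUBLIC_ZONE = <<~OUT
  public (active)
    target: default
    interfaces: enp0s3 eno2
    sources: 192.168.1.0/24 192.168.1.2
    services: ssh icmp
    ports: 22/tcp
    protocols:
    rich rules:
      rule family="ipv4" source address="192.168.0.14" accept
OUT

# Parse the list-all text into field => values; rich rules are kept whole,
# everything else is split on whitespace (assumed layout, see sample above).
def parse_zone(text)
  zone = Hash.new { |h, k| h[k] = [] }
  text.each_line(chomp: true) do |line|
    stripped = line.strip
    if stripped.start_with?('rule ')
      zone['rich rules'] << stripped
    elsif stripped.include?(':')
      key, value = stripped.split(':', 2)
      zone[key.strip] = value.to_s.split
    end
  end
  zone
end

def service_enabled_in_zone?(zone, service)
  zone['services'].include?(service)
end

def port_enabled_in_zone?(zone, port)
  zone['ports'].include?(port)
end

# The docs allow the leading "rule" word to be omitted, and firewall-cmd
# prints attribute values quoted, so normalise both sides before comparing.
def normalize_rule(rule)
  rule = rule.strip
  rule = "rule #{rule}" unless rule.start_with?('rule ')
  rule.gsub(/=("?)([^"\s]+)\1/, '=\2').squeeze(' ')
end

def rule_enabled?(zone, rule)
  zone['rich rules'].any? { |r| normalize_rule(r) == normalize_rule(rule) }
end
```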
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/resources/firewalld/