
Don't test each rule, match on whole array. #145

Open bryaend opened 1 year ago

bryaend commented 1 year ago

Fixes #144

Updated the logic to run a match against the entire array instead of checking each existing rule one-by-one. This results in much clearer output on failures

Check for IPv6 local loopback rules
is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/0.02722s
  Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }

    expected "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N ufw6-after-forward\n-N ufw6-after-input\n-N ufw6-...ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable\n-A ufw6-user-limit-accept -j ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
    Diff:
    @@ -1,139 +1,277 @@
    -/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
    +-P INPUT DROP
    +-P FORWARD DROP
    +-P OUTPUT DROP
    +-N ufw6-after-forward
    +-N ufw6-after-input
    +-N ufw6-after-logging-forward
    +-N ufw6-after-logging-input
    +-N ufw6-after-logging-output
    +-N ufw6-after-output
    +-N ufw6-before-forward
    +-N ufw6-before-input
    +-N ufw6-before-logging-forward
    +-N ufw6-before-logging-input
    +-N ufw6-before-logging-output
    +-N ufw6-before-output
    +-N ufw6-logging-allow
    +-N ufw6-logging-deny
    +-N ufw6-reject-forward
    +-N ufw6-reject-input
    +-N ufw6-reject-output
    +-N ufw6-skip-to-policy-forward
    +-N ufw6-skip-to-policy-input
    +-N ufw6-skip-to-policy-output
    +-N ufw6-track-forward
    +-N ufw6-track-input
    +-N ufw6-track-output
    +-N ufw6-user-forward
    +-N ufw6-user-input
    +-N ufw6-user-limit
    +-N ufw6-user-limit-accept
    +-N ufw6-user-logging-forward
    +-N ufw6-user-logging-input
    +-N ufw6-user-logging-output
    +-N ufw6-user-output
    +-A INPUT -j ufw6-before-logging-input
    +-A INPUT -j ufw6-before-input
    +-A INPUT -j ufw6-after-input
    +-A INPUT -j ufw6-after-logging-input
    +-A INPUT -j ufw6-reject-input
    +-A INPUT -j ufw6-track-input
    +-A FORWARD -j ufw6-before-logging-forward
    +-A FORWARD -j ufw6-before-forward
    +-A FORWARD -j ufw6-after-forward
    +-A FORWARD -j ufw6-after-logging-forward
    +-A FORWARD -j ufw6-reject-forward
    +-A FORWARD -j ufw6-track-forward
    +-A OUTPUT -j ufw6-before-logging-output
    +-A OUTPUT -j ufw6-before-output
    +-A OUTPUT -j ufw6-after-output
    +-A OUTPUT -j ufw6-after-logging-output
    +-A OUTPUT -j ufw6-reject-output
    +-A OUTPUT -j ufw6-track-output
    +-A ufw6-after-input -p udp -m udp --dport 137 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 138 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p tcp -m tcp --dport 139 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p tcp -m tcp --dport 445 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 546 -j ufw6-skip-to-policy-input
    +-A ufw6-after-input -p udp -m udp --dport 547 -j ufw6-skip-to-policy-input
    +-A ufw6-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-before-forward -m rt --rt-type 0 -j DROP
    +-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-forward -j ufw6-user-forward
    +-A ufw6-before-input -i lo -j ACCEPT
    +-A ufw6-before-input -m rt --rt-type 0 -j DROP
    +-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
    +-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
    +-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
    +-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
    +-A ufw6-before-input -d ff02::fb/128 -p udp -m udp --dport 5353 -j ACCEPT
    +-A ufw6-before-input -d ff02::f/128 -p udp -m udp --dport 1900 -j ACCEPT
    +-A ufw6-before-input -j ufw6-user-input
    +-A ufw6-before-output -o lo -j ACCEPT
    +-A ufw6-before-output -m rt --rt-type 0 -j DROP
    +-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    +-A ufw6-before-output -j ufw6-user-output
    +-A ufw6-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    +-A ufw6-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    +-A ufw6-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    +-A ufw6-skip-to-policy-forward -j DROP
    +-A ufw6-skip-to-policy-input -j DROP
    +-A ufw6-skip-to-policy-output -j DROP
    +-A ufw6-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
    +-A ufw6-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    +-A ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable
    +-A ufw6-user-limit-accept -j ACCEPT
  # cis-dil-benchmark/controls/3_5_firewall_configuration.rb:56:in `block (3 levels) in load_with_context'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner_rspec.rb:97:in `run'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:193:in `run_tests'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:164:in `run'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/cli.rb:366:in `exec'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
  # /var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
  # /var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/base_cli.rb:35:in `start'
cis-dil-benchmark/controls/3_5_firewall_configuration.rb:56:in `block (3 levels) in load_with_context'
/var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner_rspec.rb:97:in `run'
/var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:193:in `run_tests'
/var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/runner.rb:164:in `run'
/var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/cli.rb:366:in `exec'
/var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
/var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
/var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
/var/lib/gems/2.7.0/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
/var/lib/gems/2.7.0/gems/inspec-core-5.21.29/lib/inspec/base_cli.rb:35:in `start'
54  describe "Check for IPv6 local loopback rules" do
55    subject { rules.join("\n") }
56    it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
57    it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
58    it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }
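Review bot: The three lookaheads on lines 56–58 only require their fragments to sit on the same rule line because `.` does not cross the `"\n"` that `rules.join("\n")` on line 55 inserts; nothing in the code states that, and adding the `/m` flag later would silently let the checks pass when `-A INPUT`, `-i lo` and `-j ACCEPT` come from three different rules. I would add a comment above line 56 such as `# Each lookahead is confined to one rule line: "." does not match "\n", so do not add /m.` The failure output pasted above also shows the loopback accept living in `-A ufw6-before-input -i lo -j ACCEPT` rather than the `INPUT` chain on a ufw host, so this check reports a failure for rulesets that accept loopback traffic through a jump chain; whether that counts as compliant is a benchmark-interpretation question, but it deserves a note in the control description so readers do not take the failure as a missing rule. The `describe` block opened on line 54 ends outside this excerpt.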