74 lines
2.2 KiB
Ruby
74 lines
2.2 KiB
Ruby
|
# frozen_string_literal: true
|
||
|
|
||
|
control 'zones/public.xml configuration' do
|
||
|
title 'should match desired lines'
|
||
|
|
||
|
describe file('/etc/firewalld/zones/public.xml') do
|
||
|
it { should be_file }
|
||
|
it { should be_owned_by 'root' }
|
||
|
it { should be_grouped_into 'root' }
|
||
|
its('mode') { should cmp '0644' }
|
||
|
its('content') do
|
||
|
should include <<~ZONE_XML
|
||
|
<zone>
|
||
|
<short>Public</short>
|
||
|
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
|
||
|
<service name="zabbixcustom" />
|
||
|
<service name="http" />
|
||
|
<service name="https" />
|
||
|
<service name="ssh" />
|
||
|
<service name="salt-minion" />
|
||
|
<!-- zabbix-agent -->
|
||
|
<port port="10050" protocol="tcp" />
|
||
|
<!-- bacula-client -->
|
||
|
<port port="9102" protocol="tcp" />
|
||
|
<!-- vsftpd -->
|
||
|
<port port="21" protocol="tcp" />
|
||
|
<protocol value="igmp" />
|
||
|
<!-- something -->
|
||
|
<source-port port="2222" protocol="tcp" />
|
||
|
<!-- something_else -->
|
||
|
<source-port port="4444" protocol="tcp" />
|
||
|
<rule family="ipv4">
|
||
|
<source address="8.8.8.8/24" />
|
||
|
<accept/>
|
||
|
</rule>
|
||
|
<rule family="ipv4">
|
||
|
<source ipset="fail2ban-ssh" />
|
||
|
<reject type="icmp-port-unreachable" />
|
||
|
</rule>
|
||
|
</zone>
|
||
|
ZONE_XML
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
control 'zones/rich_public.xml configuration' do
|
||
|
title 'should match desired lines'
|
||
|
|
||
|
describe file('/etc/firewalld/zones/rich_public.xml') do
|
||
|
it { should be_file }
|
||
|
it { should be_owned_by 'root' }
|
||
|
it { should be_grouped_into 'root' }
|
||
|
its('mode') { should cmp '0644' }
|
||
|
its('content') do
|
||
|
should include <<~ZONE_XML
|
||
|
<zone>
|
||
|
<short>rich_public</short>
|
||
|
<description>Example</description>
|
||
|
<rule>
|
||
|
<source ipset="fail2ban-ssh" />
|
||
|
<service name="ssh" />
|
||
|
<accept/>
|
||
|
</rule>
|
||
|
<rule>
|
||
|
<source ipset="other-ipset" />
|
||
|
<service name="ssh" />
|
||
|
<accept/>
|
||
|
</rule>
|
||
|
</zone>
|
||
|
ZONE_XML
|
||
|
end
|
||
|
end
|
||
|
end
|