saltstack-formulas/firewalld-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #46 from myii/test/manage-map.jinja-verification

Browse Source 
test(map): verify `map.jinja` dump using `_mapdata` state
This commit is contained in:
Imran Iqbal 2020-12-27 15:32:49 +00:00 committed by GitHub
commit 0def96f632
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 2226 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CODEOWNERS
View File

@ -10,7 +10,6 @@
# SECTION: Owner(s) for specific directories # SECTION: Owner(s) for specific directories
# FILE PATTERN OWNER(S) # FILE PATTERN OWNER(S)
/test/ @myii
# SECTION: Owner(s) for files/directories related to `semantic-release` # SECTION: Owner(s) for files/directories related to `semantic-release`
# FILE PATTERN OWNER(S) # FILE PATTERN OWNER(S)
@ -20,8 +19,11 @@
/docs/AUTHORS.rst @saltstack-formulas/ssf /docs/AUTHORS.rst @saltstack-formulas/ssf
/docs/CHANGELOG.rst @saltstack-formulas/ssf /docs/CHANGELOG.rst @saltstack-formulas/ssf
/docs/TOFS_pattern.rst @saltstack-formulas/ssf /docs/TOFS_pattern.rst @saltstack-formulas/ssf
/*/_mapdata/ @saltstack-formulas/ssf
/*/libsaltcli.jinja @saltstack-formulas/ssf /*/libsaltcli.jinja @saltstack-formulas/ssf
/*/libtofs.jinja @saltstack-formulas/ssf /*/libtofs.jinja @saltstack-formulas/ssf
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf
/test/integration/**/inspec.yml @saltstack-formulas/ssf /test/integration/**/inspec.yml @saltstack-formulas/ssf
/test/integration/**/README.md @saltstack-formulas/ssf /test/integration/**/README.md @saltstack-formulas/ssf
/.gitignore @saltstack-formulas/ssf /.gitignore @saltstack-formulas/ssf

13
firewalld/_mapdata/_mapdata.jinja Normal file
View File

@ -0,0 +1,13 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get("osfinger", grains.os) }}
---
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
{{ salt["slsutil.serialize"](
"yaml",
map,
default_flow_style=False,
allow_unicode=True,
)
| regex_replace("^\s+'$", "'", multiline=True)
| trim
}}

24
firewalld/_mapdata/init.sls Normal file
View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split("/")[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld with context %}
{%- set _mapdata = {
"values": {
"firewalld": firewalld,
}
} %}
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
{{ tplroot }}-mapdata-dump:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
- template: jinja
- context:
map: {{ _mapdata | yaml }}

16
firewalld/yaml_dump/init.sls
View File

@ -1,16 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
yaml-dump-{{ tplroot }}:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
- template: jinja
- context:
map: {{ map | yaml }}

4
firewalld/yaml_dump/yaml_dump.jinja
View File

@ -1,4 +0,0 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
---
{{ map|yaml(False)|trim }}

2
kitchen.yml
View File

@ -156,7 +156,7 @@ suites:
state_top: state_top:
base: base:
'*': '*':
- firewalld.yaml_dump - firewalld._mapdata
- firewalld - firewalld
pillars: pillars:
top.sls: top.sls:

47
test/integration/default/controls/_mapdata_spec.rb Normal file
View File

@ -0,0 +1,47 @@
# frozen_string_literal: true
require 'yaml'
control '`map.jinja` YAML dump' do
title 'should match the comparison file'
### Method
# The steps below for each file appear convoluted but they are both required
# and similar in nature:
# 1. The earliest method was to simply compare the files textually but this often
# led to false positives due to inconsistencies (e.g. spacing, ordering)
# 2. The next method was to load the files back into YAML structures and then
# compare but InSpec provided block diffs this way, unusable by end users
# 3. The final step was to dump the YAML structures back into a string to use
# for the comparison; this both worked and provided human-friendly diffs
### Comparison file for the specific platform
### Static, adjusted as part of code contributions, as map data is changed
# Strip the `platform[:finger]` version number down to the "OS major release"
platform_finger = system.platform[:finger].split('.').first.to_s
# Use that to set the path to the file (relative to the InSpec suite directory)
mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
# Load the mapdata from profile, into a YAML structure
# https://docs.chef.io/inspec/profiles/#profile-files
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
# Dump the YAML back into a string for comparison
mapdata_file_dump = YAML.dump(mapdata_file_yaml)
### Output file produced by running the `_mapdata` state
### Dynamic, generated during Kitchen's `converge` phase
# Derive the location of the dumped mapdata (differs for Windows)
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
# Use that to set the path to the file (absolute path, i.e. within the container)
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
# Load the output into a YAML structure using InSpec's `yaml` resource
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
output_file_yaml = yaml(output_file_path).params
# Dump the YAML back into a string for comparison
output_file_dump = YAML.dump(output_file_yaml)
describe 'File content' do
it 'should match profile map data exactly' do
expect(output_file_dump).to eq(mapdata_file_dump)
end
end
end

151
test/integration/default/controls/yaml_dump_spec.rb → test/integration/default/files/_mapdata/amazonlinux-1.yaml
View File

@ -1,10 +1,8 @@
# frozen_string_literal: true # yamllint disable rule:indentation rule:line-length
# Amazon Linux AMI-2018
control 'firewalld `map.jinja` YAML dump' do ---
title 'should contain the lines' values:
firewalld:
yaml_dump = "---\n"
yaml_dump += <<~YAML_DUMP.chomp
AllowZoneDrifting: 'no' AllowZoneDrifting: 'no'
AutomaticHelpers: system AutomaticHelpers: system
FirewallBackend: nftables FirewallBackend: nftables
@ -23,72 +21,66 @@ control 'firewalld `map.jinja` YAML dump' do
MYCHAIN: MYCHAIN:
ipv: ipv4 ipv: ipv4
table: raw table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: '0'
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough: passthrough:
MYPASSTHROUGH: MYPASSTHROUGH:
ipv: ipv4
args: -t raw -A MYCHAIN -j DROP args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true enabled: true
ipset: ipset:
manage: true manage: true
pkg: ipset pkg: ipset
ipsets: ipsets:
fail2ban-ssh: fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset description: fail2ban-ssh ipset
type: hash:ip entries:
- 10.0.0.1
options: options:
hashsize:
- 1024
maxelem: maxelem:
- 65536 - 65536
timeout: timeout:
- 300 - 300
hashsize: short: fail2ban-ssh
- 1024
entries:
- 10.0.0.1
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: hash:ip type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options: options:
family: family:
- inet6 - inet6
hashsize:
- 1024
maxelem: maxelem:
- 65536 - 65536
timeout: timeout:
- 300 - 300
hashsize: short: fail2ban-ssh-ipv6
- 1024 type: hash:ip
entries:
- 2a01::1
package: firewalld package: firewalld
service: firewalld service: firewalld
services: services:
sshcustom: salt-minion:
short: sshcustom description: salt-minion
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure encrypted
communications. If you plan on accessing your machine remotely via SSH over
a firewalled interface, enable this option. You need the openssh-server package
installed for this option to be useful.
ports: ports:
tcp: tcp:
- 3232 - '8000'
- 5252 short: salt-minion
modules: sshcustom:
- some_module_to_load description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
protocols: logging into and executing commands on remote machines. It provides secure
- igmp encrypted communications. If you plan on accessing your machine remotely
source_ports: via SSH over a firewalled interface, enable this option. You need the openssh-server
tcp: package installed for this option to be useful.
- 21
destinations: destinations:
ipv4: ipv4:
- 224.0.0.251 - 224.0.0.251
@ -96,42 +88,31 @@ control 'firewalld `map.jinja` YAML dump' do
ipv6: ipv6:
- ff02::fb - ff02::fb
- ff02::fc - ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom: zabbixcustom:
short: Zabbixcustom
description: zabbix custom rule description: zabbix custom rule
ports: ports:
tcp: tcp:
- '10051' - '10051'
salt-minion: short: Zabbixcustom
short: salt-minion
description: salt-minion
ports:
tcp:
- '8000'
zones: zones:
public: public:
short: Public description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on on networks to not harm your computer. Only selected incoming connections
networks to not harm your computer. Only selected incoming connections are accepted. are accepted.
services:
- http
- https
- ssh
- salt-minion
other_services: other_services:
- zabbixcustom - zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports: ports:
- comment: zabbix-agent - comment: zabbix-agent
port: 10050 port: 10050
@ -142,6 +123,24 @@ control 'firewalld `map.jinja` YAML dump' do
- comment: vsftpd - comment: vsftpd
port: 21 port: 21
protocol: tcp protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports: source_ports:
- comment: something - comment: something
port: 2222 port: 2222
@ -150,7 +149,6 @@ control 'firewalld `map.jinja` YAML dump' do
port: 4444 port: 4444
protocol: tcp protocol: tcp
rich_public: rich_public:
short: rich_public
description: Example description: Example
rich_rules: rich_rules:
ssh-csg: ssh-csg:
@ -160,9 +158,4 @@ control 'firewalld `map.jinja` YAML dump' do
- other-ipset - other-ipset
services: services:
- ssh - ssh
YAML_DUMP short: rich_public
describe file('/tmp/salt_yaml_dump.yaml') do
its('content') { should include yaml_dump }
end
end

161
test/integration/default/files/_mapdata/amazonlinux-2.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Amazon Linux-2
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/arch-base-latest.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Arch
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/centos-7.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# CentOS Linux-7
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/centos-8.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# CentOS Linux-8
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/debian-10.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Debian-10
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/debian-9.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Debian-9
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/fedora-31.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Fedora-31
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/fedora-32.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Fedora-32
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/opensuse-15.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Leap-15
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/ubuntu-16.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-16.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/ubuntu-18.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-18.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

161
test/integration/default/files/_mapdata/ubuntu-20.yaml Normal file
View File

@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-20.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

3
test/integration/default/inspec.yml
View File

@ -6,6 +6,9 @@ title: firewalld formula
maintainer: SaltStack Formulas maintainer: SaltStack Formulas
license: Apache-2.0 license: Apache-2.0
summary: Verify that the firewalld formula is setup and configured correctly summary: Verify that the firewalld formula is setup and configured correctly
depends:
- name: share
path: test/integration/share
supports: supports:
- platform-name: debian - platform-name: debian
- platform-name: ubuntu - platform-name: ubuntu

21
test/integration/share/README.md Normal file
View File

@ -0,0 +1,21 @@
# InSpec Profile: `share`
This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
Its goal is to share the libraries between all profiles.
## Libraries
### `system`
The `system` library provides easy access to system dependent information:
- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
- `system.platform[:family]` provide a family name for Arch and Gentoo
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
- `Arch` is always `base-latest`
- `Amazon Linux` release `2018` is resolved as `1`
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)

21
test/integration/share/inspec.yml Normal file
View File

@ -0,0 +1,21 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: share
title: InSpec shared resources
maintainer: SaltStack Formulas
license: Apache-2.0
summary: shared resources
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon
- platform-name: oracle
- platform-name: arch
- platform-name: gentoo
- platform: windows

89
test/integration/share/libraries/system.rb Normal file
View File

@ -0,0 +1,89 @@
# frozen_string_literal: true
# system.rb -- InSpec resources for system values
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
class SystemResource < Inspec.resource(1)
name 'system'
attr_reader :platform
def initialize
super
@platform = build_platform
end
private
def build_platform
{
family: build_platform_family,
name: build_platform_name,
release: build_platform_release,
finger: build_platform_finger
}
end
def build_platform_family
case inspec.platform[:name]
when 'arch', 'gentoo'
inspec.platform[:name]
else
inspec.platform[:family]
end
end
def build_platform_name
case inspec.platform[:name]
when 'amazon', 'oracle'
"#{inspec.platform[:name]}linux"
when 'windows_8.1_pro', 'windows_server_2019_datacenter'
'windows'
else
inspec.platform[:name]
end
end
# rubocop:disable Metrics/MethodLength
def build_platform_release
case inspec.platform[:name]
when 'amazon'
# `2018` relase is named `1` in kitchen.yaml
inspec.platform[:release].gsub(/2018.*/, '1')
when 'arch'
'base-latest'
when 'gentoo'
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
when 'windows_8.1_pro'
'8.1'
when 'windows_server_2019_datacenter'
'2019-server'
else
inspec.platform[:release]
end
end
# rubocop:enable Metrics/MethodLength
def derive_gentoo_init_system
case inspec.command('systemctl').exist?
when true
'sysd'
else
'sysv'
end
end
def build_platform_finger
"#{build_platform_name}-#{build_finger_release}"
end
def build_finger_release
case inspec.platform[:name]
when 'ubuntu'
build_platform_release.split('.').slice(0, 2).join('.')
else
build_platform_release.split('.')[0]
end
end
end