network rules

shellfirm/checks/kubernetes-strict.yaml

@@ -3,7 +3,7 @@
   description: "This command will going to delete a given resource."
   id: kubernetes-strict:delete_resource
 - from: kubernetes-strict
-  test: (k|kubectl)\s*set\s*([[:word:]]+)
+  test: ^(k|kubectl)\s*set\s*([[:word:]]+)
   description: "This command will update the given given resource."
   id: kubernetes-strict:update_resource
 - from: kubernetes-strict
@@ -13,4 +13,4 @@
 - from: kubernetes-strict
   test: (k|kubectl)\s*rollout\s*(pause|restart|resume|undo)
   description: "This command will manage a rollout for a given resource."
-  id: kubernetes-strict:rollout_resource
+  id: kubernetes-strict:rollout_resource

shellfirm/checks/network.yaml

@@ -0,0 +1,40 @@
+- from: network
+  test: iptables\s+-F
+  description: "Flushing all firewall rules"
+  id: network:flush_iptables
+- from: network
+  test: iptables\s+-X
+  description: "Deleting all custom chains"
+  id: network:delete_custom_chains
+- from: network
+  test: iptables\s+-t\s+nat\s+-F
+  description: "Flushing all NAT rules"
+  id: network:flush_nat_rules
+- from: network
+  test: ufw\s+disable
+  description: "Disabling firewall"
+  id: network:disable_firewall
+- from: network
+  test: ufw\s+--force\s+reset
+  description: "Force resetting firewall rules"
+  id: network:force_reset_firewall
+- from: network
+  test: systemctl\s+stop\s+networking
+  description: "Stopping network service"
+  id: network:stop_networking
+- from: network
+  test: systemctl\s+stop\s+NetworkManager
+  description: "Stopping NetworkManager service"
+  id: network:stop_network_manager
+- from: network
+  test: ifconfig\s+eth\d+\s+down
+  description: "Bringing down network interface"
+  id: network:bring_down_interface
+- from: network
+  test: ip\s+link\s+set\s+eth\d+\s+down
+  description: "Bringing down network interface using ip command"
+  id: network:bring_down_interface_ip
+- from: network
+  test: route\s+del\s+default
+  description: "Deleting default route"
+  id: network:delete_default_route

shellfirm/tests/checks/network-bring-down-interface-ip.yaml

@@ -0,0 +1,18 @@
+---
+- test: ip link set eth0 down
+  check_detection_ids:
+    - network:bring_down_interface_ip
+  description: match command with ip link
+
+- test: sudo ip link set eth0 down
+  check_detection_ids:
+    - network:bring_down_interface_ip
+  description: match command with sudo and ip link
+
+- test: ip link set eth0 up
+  check_detection_ids: []
+  description: should not match up command
+
+- test: ip link show eth0
+  check_detection_ids: []
+  description: should not match show command

shellfirm/tests/checks/network-bring-down-interface.yaml

@@ -0,0 +1,32 @@
+---
+- test: ifconfig eth0 down
+  check_detection_ids:
+    - network:bring_down_interface
+  description: match command with ifconfig
+
+- test: sudo ifconfig eth0 down
+  check_detection_ids:
+    - network:bring_down_interface
+  description: match command with sudo and ifconfig
+
+- test: ip link set eth0 down
+  check_detection_ids:
+    - network:bring_down_interface_ip
+  description: match command with ip link
+
+- test: sudo ip link set eth0 down
+  check_detection_ids:
+    - network:bring_down_interface_ip
+  description: match command with sudo and ip link
+
+- test: ifconfig eth0 up
+  check_detection_ids: []
+  description: should not match up command
+
+- test: ip link set eth0 up
+  check_detection_ids: []
+  description: should not match up command with ip link
+
+- test: ifconfig wlan0 down
+  check_detection_ids: []
+  description: should not match non-eth interface

shellfirm/tests/checks/network-delete-custom-chains.yaml

@@ -0,0 +1,12 @@
+---
+- test: iptables -X
+  description: match command
+
+- test: sudo iptables -X
+  description: match command with sudo
+
+- test: iptables -X CUSTOM_CHAIN
+  description: should not match specific chain
+
+- test: iptables -L
+  description: should not match list command

shellfirm/tests/checks/network-delete-default-route.yaml

@@ -0,0 +1,18 @@
+---
+- test: route del default
+  check_detection_ids:
+    - network:delete_default_route
+  description: match command
+
+- test: sudo route del default
+  check_detection_ids:
+    - network:delete_default_route
+  description: match command with sudo
+
+- test: route add default
+  check_detection_ids: []
+  description: should not match add command
+
+- test: route show
+  check_detection_ids: []
+  description: should not match show command

shellfirm/tests/checks/network-disable-firewall.yaml

@@ -0,0 +1,12 @@
+---
+- test: ufw disable
+  description: match command
+
+- test: sudo ufw disable
+  description: match command with sudo
+
+- test: ufw enable
+  description: should not match enable command
+
+- test: ufw status
+  description: should not match status command

shellfirm/tests/checks/network-flush-iptables.yaml

@@ -0,0 +1,12 @@
+---
+- test: iptables -F
+  description: match command
+
+- test: sudo iptables -F
+  description: match command with sudo
+
+- test: iptables -F INPUT
+  description: should not match specific chain
+
+- test: iptables -L
+  description: should not match list command

shellfirm/tests/checks/network-flush-nat-rules.yaml

@@ -0,0 +1,12 @@
+---
+- test: iptables -t nat -F
+  description: match command
+
+- test: sudo iptables -t nat -F
+  description: match command with sudo
+
+- test: iptables -t nat -F PREROUTING
+  description: should not match specific chain
+
+- test: iptables -t nat -L
+  description: should not match list command

shellfirm/tests/checks/network-force-reset-firewall.yaml

@@ -0,0 +1,12 @@
+---
+- test: ufw --force reset
+  description: match command
+
+- test: sudo ufw --force reset
+  description: match command with sudo
+
+- test: ufw reset
+  description: should not match without force flag
+
+- test: ufw status
+  description: should not match status command

shellfirm/tests/checks/network-stop-network-manager.yaml

@@ -0,0 +1,18 @@
+---
+- test: systemctl stop NetworkManager
+  check_detection_ids:
+    - network:stop_network_manager
+  description: match command
+
+- test: sudo systemctl stop NetworkManager
+  check_detection_ids:
+    - network:stop_network_manager
+  description: match command with sudo
+
+- test: systemctl status NetworkManager
+  check_detection_ids: []
+  description: should not match status command
+
+- test: systemctl restart NetworkManager
+  check_detection_ids: []
+  description: should not match restart command

shellfirm/tests/checks/network-stop-networking.yaml

@@ -0,0 +1,18 @@
+---
+- test: systemctl stop networking
+  check_detection_ids:
+    - network:stop_networking
+  description: match command
+
+- test: sudo systemctl stop networking
+  check_detection_ids:
+    - network:stop_networking
+  description: match command with sudo
+
+- test: systemctl status networking
+  check_detection_ids: []
+  description: should not match status command
+
+- test: systemctl restart networking
+  check_detection_ids: []
+  description: should not match restart command

shellfirm/tests/snapshots/checks__missing_patterns_coverage.snap

@@ -3,4 +3,15 @@ source: shellfirm/tests/checks.rs
 expression: not_covered
 snapshot_kind: text
 ---
-[]
+[
+    "network:flush_iptables",
+    "network:delete_custom_chains",
+    "network:flush_nat_rules",
+    "network:disable_firewall",
+    "network:force_reset_firewall",
+    "network:stop_networking",
+    "network:stop_network_manager",
+    "network:bring_down_interface",
+    "network:bring_down_interface_ip",
+    "network:delete_default_route",
+]

shellfirm/tests/snapshots/checks__network-bring-down-interface-ip.yaml.snap

@@ -0,0 +1,35 @@
+---
+source: shellfirm/tests/checks.rs
+expression: test_file_results
+snapshot_kind: text
+---
+[
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface-ip.yaml",
+        test: "ip link set eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface_ip",
+        ],
+        test_description: "match command with ip link",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface-ip.yaml",
+        test: "sudo ip link set eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface_ip",
+        ],
+        test_description: "match command with sudo and ip link",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface-ip.yaml",
+        test: "ip link set eth0 up",
+        check_detection_ids: [],
+        test_description: "should not match up command",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface-ip.yaml",
+        test: "ip link show eth0",
+        check_detection_ids: [],
+        test_description: "should not match show command",
+    },
+]

shellfirm/tests/snapshots/checks__network-bring-down-interface.yaml.snap

@@ -0,0 +1,57 @@
+---
+source: shellfirm/tests/checks.rs
+expression: test_file_results
+snapshot_kind: text
+---
+[
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "ifconfig eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface",
+        ],
+        test_description: "match command with ifconfig",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "sudo ifconfig eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface",
+        ],
+        test_description: "match command with sudo and ifconfig",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "ip link set eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface_ip",
+        ],
+        test_description: "match command with ip link",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "sudo ip link set eth0 down",
+        check_detection_ids: [
+            "network:bring_down_interface_ip",
+        ],
+        test_description: "match command with sudo and ip link",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "ifconfig eth0 up",
+        check_detection_ids: [],
+        test_description: "should not match up command",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "ip link set eth0 up",
+        check_detection_ids: [],
+        test_description: "should not match up command with ip link",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-bring-down-interface.yaml",
+        test: "ifconfig wlan0 down",
+        check_detection_ids: [],
+        test_description: "should not match non-eth interface",
+    },
+]

shellfirm/tests/snapshots/checks__network-delete-custom-chains.yaml.snap

@@ -0,0 +1,37 @@
+---
+source: shellfirm/tests/checks.rs
+expression: test_file_results
+snapshot_kind: text
+---
+[
+    TestSensitivePatternsResult {
+        file_path: "network-delete-custom-chains.yaml",
+        test: "iptables -X",
+        check_detection_ids: [
+            "network:delete_custom_chains",
+        ],
+        test_description: "match command",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-delete-custom-chains.yaml",
+        test: "sudo iptables -X",
+        check_detection_ids: [
+            "network:delete_custom_chains",
+        ],
+        test_description: "match command with sudo",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-delete-custom-chains.yaml",
+        test: "iptables -X CUSTOM_CHAIN",
+        check_detection_ids: [
+            "network:delete_custom_chains",
+        ],
+        test_description: "should not match specific chain",
+    },
+    TestSensitivePatternsResult {
+        file_path: "network-delete-custom-chains.yaml",
+        test: "iptables -L",
+        check_detection_ids: [],
+        test_description: "should not match list command",
+    },
+]