Don't test each rule, match on whole array.

bryaend · bryaend · commit 5aa19fd8ca59 · 2023-03-15T02:42:55.000Z
Signed-off-by: Bryan Endres &lt;69473505+bryaend@users.noreply.github.com&gt;
diff --git a/controls/3_5_firewall_configuration.rb b/controls/3_5_firewall_configuration.rb
@@ -51,28 +51,11 @@
 
   rules = ip6tables.retrieve_rules
 
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
-      end
-    end
-  end
-
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
-      end
-    end
-  end
-
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }
-      end
-    end
+  describe "Check for IPv6 local loopback rules" do
+    subject { rules.join("\n") }
+    it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
+    it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
+    it { should match(/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/) }
   end
 
   only_if { ipv6.zero? }
@@ -89,20 +72,10 @@
   rules = ip6tables.retrieve_rules
 
   %w(tcp udp icmp).each do |proto|
-    describe.one do
-      rules.each do |rule|
-        describe rule do
-          it { should match(/(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/) }
-        end
-      end
-    end
-
-    describe.one do
-      rules.each do |rule|
-        describe rule do
-          it { should match(/(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/) }
-        end
-      end
+    describe "Check for IPv6 rules on established and new outbound connections" do
+      subject { rules.join("\n") }
+      it { should match(/(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/) }
+      it { should match(/(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/) }
     end
   end
 
@@ -152,28 +125,11 @@
 
   rules = iptables.retrieve_rules
 
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ }
-      end
-    end
-  end
-
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/ }
-      end
-    end
-  end
-
-  describe.one do
-    rules.each do |rule|
-      describe rule do
-        it { should match %r{(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0/8)(?=.*-j DROP)} }
-      end
-    end
+  describe "Check for local loopback rules" do
+    subject { rules.join("\n") }
+    it { should match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ }
+    it { should match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/ }
+    it { should match %r{(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0/8)(?=.*-j DROP)} }
   end
 end
 
@@ -188,20 +144,10 @@
   rules = iptables.retrieve_rules
 
   %w(tcp udp icmp).each do |proto|
-    describe.one do
-      rules.each do |rule|
-        describe rule do
-          it { should match /(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/ }
-        end
-      end
-    end
-
-    describe.one do
-      rules.each do |rule|
-        describe rule do
-          it { should match /(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/ }
-        end
-      end
+    describe "Check for rules on established and new outbound connections" do
+      subject { rules.join("\n") }
+      it { should match /(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/ }
+      it { should match /(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/ }
     end
   end
 end
