Inspec Iptables Auditor Resource Problem


#1

I’m using test-kitchen, inspec, and vagrant for my test suite, and it appears that inspec can’t seem to see one iptables rule.

I’ve created a wrapper cookbook for 'iptables' and have a couple of iptables rules defined under /template/default. The one I’m having problems with is the rule pertaining to ssh. I have this defined: '-A FWR -p tcp -i eth0 --dport 22 -j ACCEPT'. On the spec file, I have this line: it { should have_rule('-A FWR -i eth0 -p tcp --dport 22 -j ACCEPT') }
However, the test fails:
(1 failed)
expected Iptables table: filter chain: FWR to have rule “-A FWR -i eth0 -p tcp --dport 22 -j ACCEPT”

I logged in to the virtual machine and ran sudo iptables -S; this is the output:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FWR
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
-A FWR -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FWR -p icmp -j ACCEPT
-A FWR -j DROP

It’s a CentOS:6.7 machine.

On my workstation, I’m using Chef DK 0.15.16

chef -v
Chef Development Kit Version: 0.15.16
chef-client version: 12.11.18
delivery version: master (444effdf9c81908795e88157f01cd667a6c43b5f)
berks version: 4.3.5
kitchen version: 1.10.0


#2

Got it to pass; it seems I lacked the '-m tcp' part, which iptables automatically places if not defined.
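The mismatch above comes from comparing a hand-written rule string against the canonical form that iptables -S prints, where the tcp match module is listed explicitly. The following is an added example, not InSpec's own matcher code: it rewrites a rule the way iptables prints it (option order -s -d -i -o -p, then match options, then -j, and an implicit "-m tcp"/"-m udp" before a port option, modelled on the listing quoted in this thread) so a spec string can be checked against the listing before the test is run. The listing is the one from the first post.

```ruby
# `iptables -S` output copied from the first post in this thread.
LISTING = <<~RULES
  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -N FWR
  -A INPUT -j FWR
  -A FWR -i lo -j ACCEPT
  -A FWR -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FWR -p icmp -j ACCEPT
  -A FWR -j DROP
RULES

IMPLICIT_MATCH_PROTOS = %w[tcp udp].freeze
PORT_OPTS = %w[--sport --dport].freeze
FIXED_ORDER = %w[-s -d -i -o -p].freeze

# Rewrite a rule into the form `iptables -S` prints. Option ordering is an
# assumption taken from the listing above; only "option value" pairs are
# handled, which covers every rule in that listing.
def canonicalize(rule)
  pairs = rule.split.each_slice(2).to_a
  head  = pairs.find { |k, _| k == '-A' }
  raise ArgumentError, "rule has no -A chain: #{rule}" unless head
  fixed = FIXED_ORDER.map { |o| pairs.find { |k, _| k == o } }.compact
  proto = fixed.to_h['-p']
  rest  = pairs.reject { |k, _| (FIXED_ORDER + %w[-A -j]).include?(k) }
  # iptables loads the protocol match module implicitly when a port option
  # is given with -p tcp/udp and prints it as "-m <proto>" before that option.
  if IMPLICIT_MATCH_PROTOS.include?(proto) && !rest.include?(['-m', proto])
    idx = rest.index { |k, _| PORT_OPTS.include?(k) }
    rest.insert(idx, ['-m', proto]) if idx
  end
  jump = pairs.find { |k, _| k == '-j' }
  ([head] + fixed + rest + [jump].compact).flatten.join(' ')
end

# Exact line comparison, as the failing expectation implies: :exact if the
# string matches as written, :after_canonicalize if only the rewritten form
# matches (the spec string should be changed), :missing otherwise.
def rule_present?(listing, rule)
  lines = listing.lines.map(&:strip)
  return :exact if lines.include?(rule)
  return :after_canonicalize if lines.include?(canonicalize(rule))
  :missing
end
```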