firewall_audit 0.1.0

Cross-platform firewall audit tool and library (YAML/JSON rules, CSV/HTML/JSON export)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

# Examples of YAML audit rules


## 1. Allow SSH from anywhere (simple AND group)

```yaml
- id: allow-ssh-from-anywhere
  description: Permits SSH from anywhere
  criteria:
    and:
      - field: name
        operator: contains
        value: "SSH"
      - field: local_ports
        operator: matches
        value: 22
      - field: protocol
        operator: equals
        value: "TCP"
      - field: remote_addresses
        operator: contains
        value: "0.0.0.0/0"
      - field: action
        operator: equals
        value: "ALLOW"
  severity: high
```

## 2. Detect rules with missing description (field: description, is_null)
```yaml
- id: missing-description
  description: Detect any rule without a description
  criteria:
    and:
      - field: description
        operator: is_null
  severity: medium
```

## 3. Detect rules for HTTP or HTTPS open to the world (OR group)

```yaml
- id: open-web-to-anywhere
  description: Detect rules that allow HTTP or HTTPS from any source
  criteria:
    or:
      - and:
          - field: local_ports
            operator: matches
            value: 80
          - field: protocol
            operator: equals
            value: "TCP"
          - field: action
            operator: equals
            value: "Allow"
          - field: remote_addresses
            operator: contains
            value: "0.0.0.0/0"
      - and:
          - field: local_ports
            operator: matches
            value: 443
          - field: protocol
            operator: equals
            value: "TCP"
          - field: action
            operator: equals
            value: "Allow"
          - field: remote_addresses
            operator: contains
            value: "0.0.0.0/0"
  severity: high
```

## 4. Detect rules that allow any port except DNS (NOT group)
```yaml
- id: allow-any-except-dns
  description: Detect rules that allow any port except DNS (53)
  criteria:
    and:
      - field: action
        operator: equals
        value: "Allow"
      - not:
          field: local_ports
          operator: matches
          value: 53
  severity: low
```

## 5. Detect rules for a specific OS (field: os)

```yaml
- id: windows-rule-without-description
  description: Detect any rule without a description (Windows only)
  criteria:
    and:
      - field: description
        operator: is_null
  severity: medium
  os: ["windows"]
```

## 6. Detect rules missing both application and service (multiple fields, AND)
```yaml
- id: missing-app-and-service
  description: Detect rules not tied to an application or service
  criteria:
    and:
      - field: application_name
        operator: is_null
      - field: service_name
        operator: is_null
  severity: medium
```

# Examples of JSON audit rules


```json
[
  {
    "id": "open-web-to-anywhere",
    "description": "Detect rules that allow HTTP or HTTPS from any source",
    "criteria": {
      "or": [
        {
          "and": [
            {"field": "local_ports", "operator": "matches", "value": 80},
            {"field": "protocol", "operator": "equals", "value": "TCP"},
            {"field": "action", "operator": "equals", "value": "Allow"},
            {"field": "remote_addresses", "operator": "contains", "value": "0.0.0.0/0"}
          ]
        },
        {
          "and": [
            {"field": "local_ports", "operator": "matches", "value": 443},
            {"field": "protocol", "operator": "equals", "value": "TCP"},
            {"field": "action", "operator": "equals", "value": "Allow"},
            {"field": "remote_addresses", "operator": "contains", "value": "0.0.0.0/0"}
          ]
        }
      ]
    },
    "severity": "high"
  },
  {
    "id": "missing-app-and-service",
    "description": "Detect rules not tied to an application or service",
    "criteria": {
      "and": [
        {"field": "application_name", "operator": "is_null"},
        {"field": "service_name", "operator": "is_null"}
      ]
    },
    "severity": "medium"
  }
]
```