diff --git a/ee/tables/execparsers/socketfilterfw/parser.go b/ee/tables/execparsers/socketfilterfw/parser.go
index f31aa6ee65..eafe67a6c1 100755
--- a/ee/tables/execparsers/socketfilterfw/parser.go
+++ b/ee/tables/execparsers/socketfilterfw/parser.go
@@ -4,12 +4,10 @@ import (
 	"bufio"
 	"io"
 	"regexp"
-	"strconv"
 	"strings"
 )
 
 var lineRegex = regexp.MustCompile("(state|block|built-in|downloaded|stealth|log mode|log option)(?:.*\\s)([0-9a-z]+)")
-var disabledStateRegex = regexp.MustCompile("(0|off|disabled)")
 
 // socketfilterfw returns lines for each `get` argument supplied.
 // The output data is in the same order as the supplied arguments.
@@ -30,8 +28,6 @@ func socketfilterfwParse(reader io.Reader) (any, error) {
 		}
 
 		var key string
-		value := sanitizeState(matches[2])
-
 		switch matches[1] {
 		case "state":
 			key = "global_state_enabled"
@@ -47,14 +43,15 @@ func socketfilterfwParse(reader io.Reader) (any, error) {
 			key = "logging_enabled"
 		case "log option":
 			key = "logging_option"
-			// The logging option value differs from the booleans.
-			// Can be one of `throttled`, `brief`, or `detail`.
-			value = matches[2]
 		default:
 			continue
 		}
 
-		row[key] = value
+		// Don't allow overwrites.
+		_, ok := row[key]
+		if !ok {
+			row[key] = sanitizeState(matches[2])
+		}
 	}
 
 	// There should only be one row of data for application firewall,
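Review bot: The first-wins guard in the `row[key]` hunk stores whatever sanitizeState returns, including the empty string it yields for an unrecognized token, so a malformed line that matches lineRegex first pins the key to "" and a later well-formed line for the same key is then ignored. Consider leaving the key unset in that case, `if v := sanitizeState(matches[2]); v != "" { if _, ok := row[key]; !ok { row[key] = v } }`, which also folds the two-statement lookup into the idiomatic form. The comment `// Don't allow overwrites.` would be more useful if it said why: the per-application `(state: N)` lines in the listing also match the `state` keyword, so the first (global) match must win. The body of socketfilterfwParse continues outside this hunk.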
@@ -68,10 +65,20 @@ func socketfilterfwParse(reader io.Reader) (any, error) {
 
 // sanitizeState takes in a state like string and returns
 // the correct boolean to create a consistent state value.
-//
-// When the "block all" firewall option is enabled, it doesn't
-// include a state like string, which is why we search for
-// a disabled state, and return the reversed value of that match.
 func sanitizeState(state string) string {
-	return strconv.FormatBool(!disabledStateRegex.MatchString(state))
+	switch state {
+	case "0", "off", "disabled":
+		return "0"
+	// When the "block all" firewall option is enabled, it doesn't
+	// include a state like string, which is why we match on
+	// the string value of "connections" for that mode.
+	case "1", "on", "enabled", "connections":
+		return "1"
+	case "throttled", "brief", "detail":
+		// The "logging option" value differs from the booleans.
+		// Can be one of `throttled`, `brief`, or `detail`.
+		return state
+	default:
+		return ""
+	}
 }
diff --git a/ee/tables/execparsers/socketfilterfw/parser_test.go b/ee/tables/execparsers/socketfilterfw/parser_test.go
index 8fbf07862a..fa1e5aa590 100644
--- a/ee/tables/execparsers/socketfilterfw/parser_test.go
+++ b/ee/tables/execparsers/socketfilterfw/parser_test.go
@@ -30,17 +30,17 @@ func TestParse(t *testing.T) {
 			input: empty,
 		},
 		{
-			name:  "data",
-			input: data,
+			name:     "data",
+			input:    data,
 			expected: []map[string]string{
 				{
-					"global_state_enabled":            "true",
-					"block_all_enabled":               "false",
-					"allow_built-in_signed_enabled":   "true",
-					"allow_downloaded_signed_enabled": "true",
-					"stealth_enabled":                 "false",
-					"logging_enabled":                 "true",
-					"logging_option":                  "throttled",
+					"global_state_enabled":            "1",
+					"block_all_enabled":               "0",
+					"allow_built-in_signed_enabled":   "1",
+					"allow_downloaded_signed_enabled": "1",
+					"stealth_enabled":                 "0",
+					"logging_enabled":                 "1",
+					"logging_option":                  "throttled",
 				},
 			},
 		},
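Review bot: The doc comment kept above sanitizeState still says it returns "the correct boolean", but the new body returns the strings "0"/"1", passes the logging-option words through unchanged, and returns "" for anything else; suggest rewording it to `// sanitizeState normalizes a state token to "0" or "1", passes the logging-option words (throttled, brief, detail) through unchanged, and returns "" for unrecognized input.` The previous implementation reported any non-disabled token as true, so the new default branch changes the output for tokens outside these lists, and a sentence in the comment saying that "" means "unrecognized", not "disabled", would keep consumers of the row from misreading it. The `"connections"` case depends on lineRegex capturing the last word of the block-all sentence, which is fragile against wording changes in the tool's output; the comment above that case could say so.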
@@ -49,13 +49,13 @@ func TestParse(t *testing.T) {
 			input: malformed,
 			expected: []map[string]string{
 				{
-					"global_state_enabled":            "false",
-					"block_all_enabled":               "true",
-					"allow_built-in_signed_enabled":   "false",
-					"allow_downloaded_signed_enabled": "true",
-					"stealth_enabled":                 "false",
-					"logging_enabled":                 "true",
-					"logging_option":                  "throttled",
+					"global_state_enabled":            "0",
+					"block_all_enabled":               "1",
+					"allow_built-in_signed_enabled":   "0",
+					"allow_downloaded_signed_enabled": "1",
+					"stealth_enabled":                 "0",
+					"logging_enabled":                 "1",
+					"logging_option":                  "throttled",
 				},
 			},
 		},
diff --git a/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt b/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt
index 09f4211105..ed36818c94 100644
--- a/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt
+++ b/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt
@@ -3,7 +3,13 @@ Firewall is blocking all non-essential incoming connections.x^CFS. %#UO
 Automatically allow built-in signed software DISABLED.
-
+Total number of apps = 6
+replicatord (state: 1)
+Pop Helper.app (state: 1)
+Google Chrome (state: 1)
+rtadvd (state: 1)
+com.docker.backend (state: 1)
+sshd-keygen-wrapper (state: 1)
 Automatically allow downloaded signed software ENABLED.
 Firewall stealth mode is off
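Review bot: The updated expectations for the malformed case exercise only the "0"/"1" and "throttled" paths of sanitizeState; nothing in TestParse covers the new default branch that returns "" for an unrecognized token, nor the "brief" and "detail" logging options. A small direct test would pin that contract, e.g. `if got := sanitizeState("bogus"); got != "" { t.Fatalf("got %q", got) }` alongside cases for "brief" and "detail". TestParse continues outside this hunk.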