feat(cloud): add firewallStatus to Linux health reports #47
Detect the active firewall tool on Linux (ufw, firewalld, nftables, iptables) and report its state under securityPosture.firewallStatus in the health report payload. The field is null on Windows/macOS. Also fixes OS release detection on Linux where systeminformation could return the kernel version instead of the distro version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1df75d8a8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…iptables DROP policy
Address three review findings in collectLinuxFirewallStatus():
- Replace `which` + bare command names with `findBinary()` using absolute paths (/usr/sbin, /usr/bin, /sbin), matching the pattern used by the existing collectFirewallStatus() and other checks
- Detect nftables activity from `nft list ruleset` output (presence of tables) instead of relying on systemctl is-active nftables, which misses hosts where rules are loaded by boot scripts or cloud-init
- Treat a non-ACCEPT iptables INPUT policy (e.g. DROP) as active even when no explicit rules are present
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@codex review
💡 Codex Review
Reviewed commit: 1ab0ba2f20
… chains
Address three review findings:
- ufw/firewalld: only return early when the front-end is actively enforcing. When inactive, fall through to probe nftables/iptables backends that may be filtering traffic (Docker, k8s, cloud-init).
- nftables active detection: check for `type filter hook input` chains instead of any table presence. NAT-only or dormant tables do not mean inbound traffic is being filtered.
- nftables port parsing: split ruleset into per-chain blocks and only collect allowed ports from input-hooked filter chains, excluding output/forward/nat rules.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
💡 Codex Review
Reviewed commit: 4a3af09c40
… iptables
- nftables port parsing now matches both tcp and udp dport rules, so UDP services (DNS/53, NTP/123, WireGuard/51820) are reported
- nftables branch only returns early when it found active input filter chains; otherwise falls through to the iptables probe so hosts that ship nft but enforce via iptables-legacy are detected
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
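As an added example illustrating the nftables logic described in the two commit messages above (this is not the PR's own code; `summarizeNftInput`, `SAMPLE_RULESET` and the other names are assumptions made for this example): split a `nft -nn list ruleset` dump into per-chain blocks, treat only `type filter hook input` chains as evidence that inbound traffic is filtered, and collect numeric tcp/udp dports from `accept` rules in those chains. The ruleset is constructed and deliberately includes a forward chain and a NAT table whose ports must not be reported, plus a guard for the symbolic service names nft prints when `-nn` is omitted.

```typescript
// Added example, not the PR's code. Parses `nft -nn list ruleset` output
// (the ruleset below is constructed for this example).

interface NftInputSummary {
  active: boolean        // at least one `type filter hook input` chain exists
  allowedPorts: number[] // sorted, unique dports accepted by input-hooked filter chains
}

const SAMPLE_RULESET = `table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 accept
		tcp dport { 80, 443 } accept
		udp dport 51820 accept
		tcp dport 8080 drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		tcp dport 9999 accept
	}
}
table ip nat {
	chain prerouting {
		type nat hook prerouting priority -100;
		tcp dport 3389 dnat to 10.0.0.5
	}
}
`

// Split a ruleset into chain blocks, tracking brace depth so inline sets
// such as `{ 80, 443 }` do not terminate the chain early.
function splitChains(ruleset: string): string[] {
  const chains: string[] = []
  let current: string[] | null = null
  let depth = 0
  for (const raw of ruleset.split('\n')) {
    const line = raw.trim()
    if (current === null) {
      if (/^chain\s+\S+\s*\{/.test(line)) {
        current = [line]
        depth = 1
      }
      continue
    }
    current.push(line)
    for (let i = 0; i < line.length; i++) {
      if (line[i] === '{') depth++
      else if (line[i] === '}') depth--
    }
    if (depth === 0) {
      chains.push(current.join('\n'))
      current = null
    }
  }
  return chains
}

// Only chains hooked on input decide whether inbound traffic is filtered;
// forward, output and nat chains are ignored.
function isInputFilterChain(chain: string): boolean {
  return /type\s+filter\s+hook\s+input\b/.test(chain)
}

// Numeric dports from `accept` rules: `tcp dport 22 accept`,
// `udp dport 51820 accept`, `tcp dport { 80, 443 } accept`.
function acceptedDports(chain: string): number[] {
  const ports: number[] = []
  for (const line of chain.split('\n')) {
    if (!/\baccept\b/.test(line)) continue
    const m = line.match(/\b(?:tcp|udp)\s+dport\s+(\{[^}]*\}|\d+)/)
    if (!m) continue
    for (const p of m[1].match(/\d+/g) || []) {
      const n = Number(p)
      if (ports.indexOf(n) === -1) ports.push(n)
    }
  }
  return ports.sort((a, b) => a - b)
}

// True when the dump uses service names (`tcp dport ssh`) instead of numbers,
// which happens when nft was run without -nn; the numeric parser above would
// then silently report no ports, so callers should treat this as a parse failure.
function hasSymbolicPorts(ruleset: string): boolean {
  return /\b(?:tcp|udp)\s+dport\s+[a-z]/.test(ruleset)
}

function summarizeNftInput(ruleset: string): NftInputSummary {
  const inputChains = splitChains(ruleset).filter(isInputFilterChain)
  const ports: number[] = []
  for (const chain of inputChains) {
    for (const p of acceptedDports(chain)) if (ports.indexOf(p) === -1) ports.push(p)
  }
  return { active: inputChains.length > 0, allowedPorts: ports.sort((a, b) => a - b) }
}

console.log(summarizeNftInput(SAMPLE_RULESET))
```

On the constructed ruleset this reports `active: true` with allowed ports 22, 80, 443 and 51820; the dropped 8080, the forward-chain 9999 and the NAT 3389 are excluded, and a NAT-only ruleset reports `active: false`. In the agent the input would come from `execFile` of the nft binary with `['-nn', 'list', 'ruleset']`, checked with `hasSymbolicPorts` before parsing.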
💡 Codex Review
Reviewed commit: 6750511df7
- iptables: recognize multiport matcher format ("multiport dports 80,443,8080") in addition to dpt:/dpts: forms
- firewalld: use --list-all-zones to capture interfaces/sources bound to non-default zones, falling back to --list-all
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
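Added example (not the PR's own code) for the iptables side described in the commits above: parse `iptables -L INPUT -n` output, take the chain policy from the header line so that an empty chain with policy DROP still counts as active, and read ports from `dpt:`, `dpts:` and `multiport dports` matches on ACCEPT rules only. `parseIptablesInput`, the range-expansion cap and the sample outputs are assumptions constructed for this example.

```typescript
// Added example, not the PR's code. Parses `iptables -L INPUT -n` output;
// the sample outputs below are constructed for this example.

interface IptablesInputSummary {
  policy: string         // INPUT chain default policy, e.g. "ACCEPT" or "DROP"
  active: boolean        // non-ACCEPT policy or at least one explicit rule
  allowedPorts: number[] // sorted, unique dports from ACCEPT rules
}

const IPTABLES_WITH_RULES = `Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,8080
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:51820
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6000:6005
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
`

// Empty chain, but a DROP policy still means inbound traffic is filtered.
const IPTABLES_DROP_POLICY_ONLY = `Chain INPUT (policy DROP)
target     prot opt source               destination
`

const IPTABLES_OPEN = `Chain INPUT (policy ACCEPT)
target     prot opt source               destination
`

// Guard for this example: do not expand huge dpts ranges into thousands of entries.
const RANGE_EXPANSION_CAP = 256

// "22" -> [22]; "6000:6005" -> [6000, ..., 6005]; oversized ranges keep only their endpoints.
function expandPortSpec(spec: string): number[] {
  const m = spec.match(/^(\d+)(?::(\d+))?$/)
  if (!m) return []
  const lo = Number(m[1])
  const hi = m[2] !== undefined ? Number(m[2]) : lo
  if (hi < lo) return []
  if (hi - lo + 1 > RANGE_EXPANSION_CAP) return [lo, hi]
  const out: number[] = []
  for (let p = lo; p <= hi; p++) out.push(p)
  return out
}

// Handles "dpt:22", "dpts:6000:6005" and "multiport dports 80,443,8080" forms.
function dportsFromRule(rule: string): number[] {
  const out: number[] = []
  const single = rule.match(/\bdpts?:(\d+(?::\d+)?)/)
  if (single) out.push(...expandPortSpec(single[1]))
  const multi = rule.match(/\bmultiport\s+dports\s+([\d,:]+)/)
  if (multi) for (const spec of multi[1].split(',')) out.push(...expandPortSpec(spec))
  return out
}

function parseIptablesInput(stdout: string): IptablesInputSummary {
  const lines = stdout.split('\n').map(l => l.trim()).filter(l => l.length > 0)
  const header = lines.length > 0 ? lines[0].match(/^Chain\s+INPUT\s+\(policy\s+(\S+)\)/) : null
  const policy = header ? header[1] : 'UNKNOWN'
  // Everything after the "Chain" line and the column header is a rule.
  const rules = lines.filter(l => !/^Chain\s/.test(l) && !/^target\s+prot\b/.test(l))
  const ports: number[] = []
  for (const rule of rules) {
    if (!/^ACCEPT\b/.test(rule)) continue // DROP/REJECT rules expose nothing
    for (const p of dportsFromRule(rule)) if (ports.indexOf(p) === -1) ports.push(p)
  }
  return {
    policy,
    active: policy !== 'ACCEPT' || rules.length > 0,
    allowedPorts: ports.sort((a, b) => a - b),
  }
}

console.log(parseIptablesInput(IPTABLES_WITH_RULES))
```

The first sample yields policy DROP, active, with ports 22, 80, 443, 6000 through 6005, 8080 and 51820 (the DROP rule for 23 is ignored); the policy-only sample is active with no ports; the ACCEPT sample with no rules is inactive, which is the "nothing is filtering" case the iptables probe should fall through from.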
💡 Codex Review
Reviewed commit: 57a277f001
rawRules = stdout.slice(0, RAW_RULES_MAX)

// Parse "ports:" line — e.g. "ports: 8080/tcp 9090/udp"
const portsLine = stdout.match(/^\s*ports:\s*(.+)/m)
Parse every firewalld zone before deriving allowed ports
Because --list-all-zones emits a separate ports:/services: stanza for each zone, the single stdout.match(...) here only captures the first occurrence. On multi-zone hosts—the exact case this branch is trying to support—any later active zone is ignored, so allowedPorts can miss the ports that are actually exposed.
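Added example (not the PR's own code) of parsing every zone in `firewall-cmd --list-all-zones` output, as the review above asks: zone names start at column 0 and bound zones carry an `(active)` marker, so each zone's `services:` and `ports:` lines are read separately and only active zones contribute to the aggregate. `allowedPortsAllZones`, the small service-name table and the sample output are assumptions constructed for this example; the last function reproduces the first-match-only behaviour of a single multiline `stdout.match` for comparison.

```typescript
// Added example, not the PR's code. Parses `firewall-cmd --list-all-zones`
// output; the sample below is constructed for this example.

interface ZoneBlock { header: string; body: string[] }
interface ZonePorts { zone: string; active: boolean; ports: number[] }

// Minimal service-name -> port table, constructed for this example. A real
// implementation would read the service definitions firewalld ships.
const SERVICE_PORTS: { [name: string]: number[] } = {
  ssh: [22], http: [80], https: [443], dns: [53],
}

const SAMPLE_ZONES = `public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:

internal (active)
  target: default
  interfaces: eth1
  sources: 10.0.0.0/8
  services: ssh dns
  ports: 9090/udp 5000-5002/tcp

trusted
  target: ACCEPT
  interfaces:
  sources:
  services: http
  ports: 4443/tcp
`

// Zone headers start at column 0; indented lines belong to the preceding zone.
function splitZones(stdout: string): ZoneBlock[] {
  const zones: ZoneBlock[] = []
  for (const line of stdout.split('\n')) {
    if (line.trim() === '') continue
    if (!/^\s/.test(line)) zones.push({ header: line.trim(), body: [] })
    else if (zones.length > 0) zones[zones.length - 1].body.push(line.trim())
  }
  return zones
}

// Ports opened by one zone: named services via the table above (unknown
// services are skipped, best-effort) plus explicit "N/proto" and "A-B/proto" entries.
function zonePorts(zone: ZoneBlock): ZonePorts {
  const active = /\(active\)\s*$/.test(zone.header)
  const name = zone.header.replace(/\s*\(active\)\s*$/, '')
  const ports: number[] = []
  const add = (p: number) => { if (ports.indexOf(p) === -1) ports.push(p) }
  for (const line of zone.body) {
    const m = line.match(/^(services|ports):\s*(.*)$/)
    if (!m) continue
    for (const tok of m[2].split(/\s+/).filter(t => t.length > 0)) {
      if (m[1] === 'services') {
        for (const p of SERVICE_PORTS[tok] || []) add(p)
      } else {
        const pm = tok.match(/^(\d+)(?:-(\d+))?\/(?:tcp|udp)$/)
        if (!pm) continue
        const lo = Number(pm[1])
        const hi = pm[2] !== undefined ? Number(pm[2]) : lo
        for (let p = lo; p <= hi; p++) add(p)
      }
    }
  }
  return { zone: name, active, ports: ports.sort((a, b) => a - b) }
}

// Aggregate over every bound zone; zones without interfaces or sources filter no traffic.
function allowedPortsAllZones(stdout: string): number[] {
  const out: number[] = []
  for (const z of splitZones(stdout).map(zonePorts)) {
    if (!z.active) continue
    for (const p of z.ports) if (out.indexOf(p) === -1) out.push(p)
  }
  return out.sort((a, b) => a - b)
}

// For comparison: a single multiline match returns only the first zone's ports line.
function firstZoneOnlyPorts(stdout: string): string | null {
  const m = stdout.match(/^\s*ports:\s*(.+)/m)
  return m ? m[1].trim() : null
}

console.log(allowedPortsAllZones(SAMPLE_ZONES))
```

On the constructed output the per-zone parser reports 22, 53, 5000 through 5002, 8080 and 9090 across the two active zones and ignores the unbound `trusted` zone, while the single match sees only `8080/tcp` from `public`. The same per-zone split is what lets the agent attribute a port to the interface or source that exposes it.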
const allowedPorts: number[] = []

try {
  const { stdout } = await execFileAsync(nftPath, ['list', 'ruleset'], { timeout: CMD_TIMEOUT })
Invoke nft with -nn before extracting dports
I checked nft's upstream help text, which says -n must be specified twice to show Internet services numerically. Running nft list ruleset without -nn means common rules are printed as names like tcp dport ssh accept or udp dport domain accept, but the regexes below only match digits, so allowedPorts will be empty on many standard nftables configurations.
Summary
- Adds `securityPosture.firewallStatus` to the health report payload on Linux, reporting the active firewall tool (`ufw`, `firewalld`, `nftables`, `iptables`, or `none`), whether it's enforcing rules, allowed inbound ports (best-effort), and raw rule output (truncated to 3 KB)
- The field is `null` on Windows/macOS (consistent with other server-only fields like `fail2ban`, `auditd`, etc.)
- Fixes OS release detection on Linux, where `systeminformation` could return the kernel version instead of the distro version

Changed files
- `cloud-agent-types.ts` — added `firewallStatus` type to `securityPosture`
- `platform/types.ts` — added `collectLinuxFirewallStatus()` to `PlatformSecurity` interface
- `platform/linux/security.ts` — full detection + parsing implementation (~160 lines)
- `platform/win32/security.ts`, `platform/darwin/security.ts` — `return null` stubs
- `cloud-agent.ts` — wired into `collectSecurityPosture()`, added to default report object

Test plan
- `firewallStatus.tool === "ufw"`, `active === true`, and `allowedPorts` includes expected ports (e.g. 22, 80, 443)
- `ssh` → 22
- `tool === "none"` and `active === false`
- `firewallStatus` (value is `null`)

🤖 Generated with Claude Code