
Firewall technology related rules per service and package change logic according to interactive profile variable

Open teacup-on-rockingchair opened this issue 1 year ago • 10 comments

Description:

  • Make sure that the behaviour of the rules about nftables, iptables and firewalld is mutually exclusive and that the default behaviour of the checks and remediations is based on an external interactive variable that is part of the profile definition

Rationale:

  • Add oval macro to check external variable vs expected value
  • Add variable to set default firewall technology used
  • Set relevant values for SLE platforms
  • Templates for pkg installed/removed and svc enabled/disabled, guarded by the external variable
  • The idea is for the OVAL checks and remediations to check the provided external variable, and thus honour whether to really check/install/remove a certain package or service
  • Enable nftables service on SLE only if active firewall technology is set to be nftables
  • Disable nftables service on SLE only if active firewall technology is set to be firewalld or iptables
  • Removing nftables package on SLE makes sense only if active firewall technology is set to be firewalld or iptables
  • Installing iptables package on SLE only if active firewall technology is set to be iptables
  • Enable iptables service on SLE only if active firewall technology is set to be iptables
  • Disable firewalld service on SLE only if active firewall technology is set to be nftables or iptables
  • Removing package on SLE makes sense only if active firewall technology is set to be nftables or iptables
  • Enable firewalld service on SLE only if active firewall technology is set to be firewalld
  • Installing firewalld package on SLE only if active firewall technology is set to be firewalld

Review Hints:

  • For now the proposed change is applied to SLE platforms only, and if it proves to be a good approach it can be distributed to other platforms also
  • The use case would be that the user has a default firewall technology defined in their profile, one of iptables, nftables, ufw, firewalld, and if the system has been modified to use a non-default option for that, one can use scap-workbench or a similar tool, or define a new alternative profile to the original one (CIS is currently the one having conflicting rules), or use command line arguments of the oscap tool, if that is the weapon of choice to run checks and remediations.

teacup-on-rockingchair avatar Apr 14 '24 04:04 teacup-on-rockingchair
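The guard logic the description proposes, as an added example; this is not code from the ComplianceAsCode project or from this PR. It models an OVAL `variable_test` against an `external_variable` (the "check external variable vs expected value" macro) and then applies the applicability matrix from the description to decide which package/service checks are evaluated at all. Everything below is constructed for illustration: the variable id `oval:ssg-var_firewall_technology:var:1`, the test/object/state ids, the minimal OVAL fragment, the sample system state, and the assumption that a non-matching guard yields `notapplicable` rather than a pass/fail.

```python
"""Added example (not ComplianceAsCode code): an external-variable guard in
front of package/service checks, plus a mutual-exclusivity check over the
applicability matrix from the PR description. All ids are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed OVAL fragment: one external variable and a variable_test that is
# true only when the value bound to the variable equals "nftables".
OVAL_XML = """<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <tests>
    <ind:variable_test id="oval:ssg-test_fw_is_nftables:tst:1" check="all"
                       comment="active firewall technology is nftables">
      <ind:object object_ref="oval:ssg-obj_fw_tech:obj:1"/>
      <ind:state state_ref="oval:ssg-ste_fw_nftables:ste:1"/>
    </ind:variable_test>
  </tests>
  <objects>
    <ind:variable_object id="oval:ssg-obj_fw_tech:obj:1">
      <ind:var_ref>oval:ssg-var_firewall_technology:var:1</ind:var_ref>
    </ind:variable_object>
  </objects>
  <states>
    <ind:variable_state id="oval:ssg-ste_fw_nftables:ste:1">
      <ind:value operation="equals">nftables</ind:value>
    </ind:variable_state>
  </states>
  <variables>
    <external_variable id="oval:ssg-var_firewall_technology:var:1"
                       datatype="string" version="1"
                       comment="firewall technology selected in the profile"/>
  </variables>
</oval_definitions>"""


def evaluate_variable_test(oval_xml, test_id, bound_values):
    """Return 'true', 'false' or 'unknown' for one variable_test, given the
    values bound to external variables (what a profile or tailoring supplies)."""
    root = ET.fromstring(oval_xml)
    test = root.find(f".//ind:variable_test[@id='{test_id}']", NS)
    obj_ref = test.find("ind:object", NS).get("object_ref")
    ste_ref = test.find("ind:state", NS).get("state_ref")
    var_ref = root.find(f".//ind:variable_object[@id='{obj_ref}']/ind:var_ref", NS).text
    value = root.find(f".//ind:variable_state[@id='{ste_ref}']/ind:value", NS)
    if var_ref not in bound_values:
        return "unknown"  # nothing bound to the external variable: cannot compare
    op = value.get("operation", "equals")
    if op == "equals":
        return "true" if bound_values[var_ref] == value.text else "false"
    if op == "not equal":
        return "true" if bound_values[var_ref] != value.text else "false"
    raise ValueError(f"unsupported operation {op!r}")


# Applicability matrix from the PR description: which bound technology values
# make each rule apply. (The "removing package" line that names no package is
# left out rather than guessed.)
RULE_APPLIES_TO = {
    "service_nftables_enabled": {"nftables"},
    "service_nftables_disabled": {"firewalld", "iptables"},
    "package_nftables_removed": {"firewalld", "iptables"},
    "package_iptables_installed": {"iptables"},
    "service_iptables_enabled": {"iptables"},
    "service_firewalld_disabled": {"nftables", "iptables"},
    "service_firewalld_enabled": {"firewalld"},
    "package_firewalld_installed": {"firewalld"},
}

# Constructed sample host state, as a checker would observe it.
SYSTEM_STATE = {
    "package_installed": {"nftables": True, "iptables": True, "firewalld": False},
    "service_enabled": {"nftables": True, "iptables": False, "firewalld": False},
}


def check_passes(rule, state):
    """Evaluate the package/service check itself, ignoring the guard."""
    kind, name, wanted = rule.split("_")  # e.g. service_nftables_enabled
    if kind == "service":
        return state["service_enabled"][name] == (wanted == "enabled")
    return state["package_installed"][name] == (wanted == "installed")


def evaluate_guarded_rules(fw_tech, state):
    """Guard first, check second. Assumed combination: a rule whose guard does
    not match the bound technology reports 'notapplicable' instead of pass/fail."""
    results = {}
    for rule, techs in RULE_APPLIES_TO.items():
        if fw_tech not in techs:
            results[rule] = "notapplicable"
        else:
            results[rule] = "pass" if check_passes(rule, state) else "fail"
    return results


def mutually_exclusive():
    """True when every technology value enables exactly its own service and
    never has that same service disabled by another applicable rule."""
    for tech in ("nftables", "iptables", "firewalld"):
        enabled = {r.split("_")[1] for r, t in RULE_APPLIES_TO.items()
                   if tech in t and r.endswith("_enabled")}
        disabled = {r.split("_")[1] for r, t in RULE_APPLIES_TO.items()
                    if tech in t and r.endswith("_disabled")}
        if enabled != {tech} or tech in disabled:
            return False
    return True


if __name__ == "__main__":
    bound = {"oval:ssg-var_firewall_technology:var:1": "nftables"}
    print(evaluate_variable_test(OVAL_XML, "oval:ssg-test_fw_is_nftables:tst:1", bound))
    for rule, result in evaluate_guarded_rules("nftables", SYSTEM_STATE).items():
        print(f"{rule:30} {result}")
    print("matrix mutually exclusive:", mutually_exclusive())
```

With the sample state and the variable bound to `nftables`, only the two nftables-relevant rules are evaluated (both pass) and the iptables/firewalld rules come back `notapplicable`; binding `iptables` instead makes the nftables-disable and nftables-remove rules fail on the same host, which is the behaviour the description asks for. The `mutually_exclusive()` check is the property a reviewer would want to hold for the whole matrix before the platform constraints in the datastream diff are dropped.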

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] avatar Apr 14 '24 04:04 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Apr 14 '24 04:04 github-actions[bot]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,3 +1,2 @@
 oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-package_iptables:def:1
-oval:ssg-service_disabled_firewalld:def:1
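Review bot: dropping oval:ssg-service_disabled_firewalld:def:1 from the platform of service_iptables_enabled removes the only applicability check in this list that stopped the rule from being evaluated while firewalld is the active service, so the mutual exclusivity the PR description promises now rests entirely on the external-variable guard inside the rule's own OVAL criteria, which this hunk does not show. Please reference where that guard lives and add a test-suite scenario with the variable set to firewalld that expects this rule to come back notapplicable (or pass without demanding iptables) rather than asking for iptables to be enabled alongside firewalld.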

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -1,3 +1,2 @@
 oval:ssg-installed_env_is_a_machine:def:1
 oval:ssg-package_nftables:def:1
-oval:ssg-service_disabled_firewalld:def:1
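Review bot: with oval:ssg-service_disabled_firewalld:def:1 gone, nothing in the remaining platform list (installed_env_is_a_machine and package_nftables) prevents service_nftables_enabled from applying on a host where firewalld is the chosen technology; the rule description should state that applicability is now decided by the firewall technology variable, and a scenario with the variable bound to firewalld should confirm the rule does not report a failure for nftables being disabled on such a host.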

github-actions[bot] avatar Apr 14 '24 04:04 github-actions[bot]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11818 This image was built from commit: f2480f3d911d9b1545833b11adf0b2a8adae1fb1


If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11818

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11818 make deploy-local

github-actions[bot] avatar Apr 14 '24 04:04 github-actions[bot]

/test all

teacup-on-rockingchair avatar Apr 28 '24 09:04 teacup-on-rockingchair

/packit build

marcusburghardt avatar May 02 '24 07:05 marcusburghardt

should we change this pr to work across different vendors? @marcusburghardt @Mab879 @Xeicker

dodys avatar May 10 '24 11:05 dodys

should we change this pr to work across different vendors? @marcusburghardt @Mab879 @Xeicker

For the moment it is not necessary for Oracle Linux

Xeicker avatar May 16 '24 16:05 Xeicker

ping

jan-cerny avatar Aug 02 '24 05:08 jan-cerny

Code Climate has analyzed commit f2480f3d and detected 6 issues on this pull request.

Here's the issue category breakdown:

Category     Count
Duplication  6

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Oct 07 '24 11:10 qlty-cloud-legacy[bot]