Building `pci-dss` via Image Builder fails on non-existent `firewalld.service`

Open comps opened this issue 1 year ago • 2 comments

Description of problem:

It seems that while doing https://github.com/ComplianceAsCode/content/commit/812649903b61fa9bc8b086c48915a908a0229965 the author forgot to add package_*_installed in addition to services being enabled.

This was rectified for nftables in https://github.com/ComplianceAsCode/content/commit/812649903b61fa9bc8b086c48915a908a0229965 (though what sense an installed-but-disabled service makes, I don't know), but a package for firewalld is still missing.

This is an issue for Image Builder (OSBuild), which doesn't include it by default, unlike Anaconda, so building fails with

```text
Stage: org.osbuild.systemd
Output:
Failed to open file "/sys/fs/selinux/checkreqprot": Read-only file system
Failed to enable unit, unit firewalld.service does not exist.
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.systemd", line 96, in <module>
    r = main(args["tree"], args["options"])
  File "/run/osbuild/bin/org.osbuild.systemd", line 72, in main
    subprocess.run(["systemctl", "--root", tree, "enable", service], check=True)
  File "/usr/lib64/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['systemctl', '--root', '/run/osbuild/tree', 'enable', 'firewalld']' returned non-zero exit status 1.
```

Because service_firewalld_enabled results in oscap generating a Blueprint with

```toml
[customizations.services]
enabled = ["firewalld", ... ]
```

and OSBuild then just runs systemctl, which fails.

(At least this is my best guess, it's possible that the root cause of firewalld.service missing is different.)

SCAP Security Guide Version:

master @ 17ea37391378eb5304c465b893b5ecb079f1e70c

Operating System Version:

RHEL-9, RHEL-8

comps, Feb 09 '24 01:02

Adding this entry to the blueprint solves the issue for me:

```toml
[[packages]]
name = "firewalld"
version = "*"
```

ljavorsk, Feb 09 '24 09:02

> Adding this entry to the blueprint solves the issue for me:
>
> ```toml
> [[packages]]
> name = "firewalld"
> version = "*"
> ```

That's not the right way to fix the issue. Edit: To be precise, this is the right way, in the end, but it won't be correct to add this Blueprint remediation to the service_firewalld_enabled rule. We need to add package_firewalld_installed rule to the profile instead.

See: https://github.com/ComplianceAsCode/content/issues/11340.

evgenyz, Feb 13 '24 23:02

Fixed by https://github.com/ComplianceAsCode/content/pull/11660

marcusburghardt, Mar 07 '24 08:03