rule firewalld_sshd_port_enabled fails to remediate with imagebuilder
Description of problem:
When remediating the rule during image generation, it throws the following error:
Remediating rule 134/151: 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled'
Running in chroot, ignoring request: is-active
Running in chroot, ignoring request: is-active
Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
Error: Could not create NMClient object: Could not connect: No such file or directory.
Running in chroot, ignoring request: restart
Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
I think it might be similar to #11564
SCAP Security Guide Version:
master as of 9c496b1662d0690af13bbb32856b979e6b6f9a65
Operating System Version:
RHEL 8
Steps to Reproduce:
to be added
Actual Results:
The error message appears and the rule is not remediated, i.e. it fails in the final scan.
Expected Results:
The rule is remediated correctly.
Additional Information/Debugging Steps:
As we have a waiver now, the issue does not show in daily productization anymore. Thus, removing the productization-issue label, but leaving it open as it's still relevant.
The issue still manifests, it was not fixed. It is still waived.
The rule no longer tries to use DBus service(s):
Remediating rule 369/495: 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled'
Not applicable in offline mode. Remediation aborted!
The rule is not remediated, but for Image Builder (osbuild) it is actually redundant as osbuild makes sure that ssh is accessible if the service is installed and active.
I would like to reopen this. The issue is not missing remediation (which makes sense to be done via osbuild), but the fact that the rule fails in the first place.
I can't easily tell if the failure is caused by firewalld not running and OVAL expecting it to, or by something else, but if it cannot be fixed, it should probably be notapplicable for offline scans (like in image-builder, maybe soon in podman, etc.).
Re-adding productization-issue as this is continuously failing (and being waived) by our productization testing.
So, when exactly does it fail? During the image build process? Or in a VM based on that image that is being assessed?
That's correct, for both Anaconda (OAA) and osbuild generated images, the rule fails during a scan on the booted system. So whatever is being remediated in other environments is not the RHEL default according to whatever the scan checks for (despite sshd indeed being allowed by default in RHEL).
Attaching results.xml from both those scans, in case that helps in the investigation, because the HTML report doesn't seem very helpful.
anaconda-results-arf.xml.gz
osbuild-results-arf.xml.gz
Preliminary triage results:
The OVAL test imposes unnecessary configuration on both NetworkManager and firewalld:
- It expects all `/etc/NetworkManager/system-connections/*.nmconnection` to have `zone=` defined, which is not necessary as an undefined zone equals the default one (so all connections have an implicit `zone=default`)
- It expects that default package-provided zones (`/usr/lib/firewalld/zones/*`) will be overridden in `/etc/firewalld/zones/*`, which is not needed as `ssh` could already be allowed in default/fallback zones in `/usr/lib...`
All these problems only expose themselves when remediation is not executed.
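The following is an added example written for this thread, not code from ComplianceAsCode/content or its OVAL. It shows an offline check that resolves zones the way the triage above says they should be resolved: a connection without `zone=` falls back to firewalld's `DefaultZone`, and a zone file under `/etc/firewalld/zones` overrides the package-provided one under `/usr/lib/firewalld/zones` only if it exists. The sample filesystem it builds in a temp directory is constructed; the file locations and key names it assumes (`DefaultZone=` in `firewalld.conf`, `zone=` in the `[connection]` section of keyfiles, `<service name="ssh"/>` in zone XML) are the standard ones but are assumptions for this example.

```python
"""Offline check: is the ssh service allowed in the firewalld zone each
NetworkManager keyfile connection effectively lands in?

Example code for the discussion above, not ComplianceAsCode/content's own.
Assumptions (standard layouts, but not taken from the thread):
  * DefaultZone= lives in <root>/etc/firewalld/firewalld.conf
  * a keyfile connection without zone= uses that default zone
  * <root>/etc/firewalld/zones/<zone>.xml overrides
    <root>/usr/lib/firewalld/zones/<zone>.xml when present
"""
import configparser
import glob
import os
import tempfile
import xml.etree.ElementTree as ET


def default_zone(root):
    """Read DefaultZone= from firewalld.conf; firewalld's own fallback is 'public'."""
    cfg = os.path.join(root, "etc/firewalld/firewalld.conf")
    zone = "public"
    if os.path.exists(cfg):
        with open(cfg) as fh:
            for line in fh:
                line = line.strip()
                if line.startswith("DefaultZone="):
                    zone = line.split("=", 1)[1].strip()
    return zone


def connection_zones(root):
    """Map each keyfile connection to its effective zone (implicit default if unset)."""
    zones = {}
    pattern = os.path.join(root, "etc/NetworkManager/system-connections/*.nmconnection")
    for path in sorted(glob.glob(pattern)):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        zone = cp.get("connection", "zone", fallback="") or default_zone(root)
        zones[os.path.basename(path)] = zone
    return zones


def zone_file(root, zone):
    """Return the effective zone file: /etc override first, else the packaged one."""
    for base in ("etc/firewalld/zones", "usr/lib/firewalld/zones"):
        path = os.path.join(root, base, zone + ".xml")
        if os.path.exists(path):
            return path
    return None


def zone_allows_ssh(root, zone):
    """True if the effective zone XML lists <service name="ssh"/>."""
    path = zone_file(root, zone)
    if path is None:
        return False
    tree = ET.parse(path)
    return any(svc.get("name") == "ssh" for svc in tree.getroot().iter("service"))


def sshd_port_enabled(root):
    """True if every connection's effective zone allows ssh (default zone if none)."""
    zones = connection_zones(root)
    if not zones:
        return zone_allows_ssh(root, default_zone(root))
    return all(zone_allows_ssh(root, z) for z in zones.values())


def build_sample_root(ssh_in_public=True):
    """Constructed filesystem resembling a default image: no zone= in the
    connection, no override under /etc/firewalld/zones, ssh in the packaged
    public zone (or not, when ssh_in_public=False)."""
    root = tempfile.mkdtemp(prefix="fw-sample-")
    files = {
        "etc/firewalld/firewalld.conf": "DefaultZone=public\n",
        "etc/NetworkManager/system-connections/eth0.nmconnection":
            "[connection]\nid=eth0\ntype=ethernet\n\n[ipv4]\nmethod=auto\n",
        "usr/lib/firewalld/zones/public.xml":
            '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>Public</short>\n'
            + ('  <service name="ssh"/>\n' if ssh_in_public else "")
            + '  <service name="dhcpv6-client"/>\n</zone>\n',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    print(connection_zones(sample), sshd_port_enabled(sample))
```

Run against a real image tree by passing its mount point as `root`; on the constructed sample the connection resolves to `public` with no `/etc` override and the check passes, which is exactly the default-image state the stricter OVAL test reports as failing.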