
Rule firewalld_sshd_port_enabled fails after kickstart installation

Open jan-cerny opened this issue 1 year ago • 0 comments

Description of problem:

Rule firewalld_sshd_port_enabled fails after kickstart installation of RHEL 9.4 with STIG profile and various other profiles.

First problem is that the rule doesn't have a kickstart remediation. This can be easily fixed by creating the kickstart remediation with the following file contents:

# platform = multi_platform_all
# reboot = false
# complexity = low
# strategy = configure
# disruption = low

firewall enable ssh

However, adding the kickstart remediation won't make the rule pass. I have experimentally verified that it won't.

The core problem is that the rule checks that all network interfaces have a zone set to public. The Bash remediation should set that. But, during the installation, the environment is probably different, or the Bash remediation isn't executed because it checks whether the services are running:

if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
...
if systemctl is-active NetworkManager && systemctl is-active firewalld; then

SCAP Security Guide Version:

current upstream master branch as of 2024-08-07, HEAD 42c82069d1b0a632560f6b11f6ecb08f7f6d2743

Operating System Version:

RHEL 9.4

Steps to Reproduce:

  1. build rhel9
  2. generate kickstart using oscap xccdf generate fix --fix-type kickstart (using openscap-1.4.0)
  3. use the generated kickstart for operating system installation of RHEL 9.4
  4. on the installed machine run oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml.

Actual Results:

firewalld_sshd_port_enabled: fail

Expected Results:

firewalld_sshd_port_enabled: pass

Additional Information/Debugging Steps:

The remediation report contains this output of the remediation:

Running in chroot, ignoring command 'is-active'
Running in chroot, ignoring command 'is-active'
FirewallD is not running
Running in chroot, ignoring command 'restart'
FirewallD is not running
FirewallD is not running

jan-cerny, Aug 07 '24 10:08
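The failure mode described in the issue, reduced to a runnable sketch. This is an added example, not SCAP Security Guide code: it reuses the chroot test quoted above, treats `systemctl is-active` as meaningless inside a chroot (where it only prints "Running in chroot, ignoring command" rather than reporting state), and falls back to `firewall-offline-cmd`, which edits the on-disk firewalld configuration without a running daemon. The function names, the `DRY_RUN` variable and the choice of the `public` zone are this example's own assumptions; it also assumes firewalld (and thus `firewall-offline-cmd`) is installed in the target tree.

```shell
#!/bin/sh
# Added example (not SSG project code). Pick an online or offline path for
# enabling the ssh service in the public zone, depending on whether we are in
# a kickstart %post chroot and whether the daemons are really running.

# Same device:inode comparison the project's Bash remediation uses: / and
# PID 1's root differ inside a chroot. stat errors are silenced; an empty
# second value then compares unequal, i.e. "in chroot" (assumption: safer
# default for %post than "live system").
in_chroot() {
    test "$(stat -c %d:%i / 2>/dev/null)" != "$(stat -c %d:%i /proc/1/root/. 2>/dev/null)"
}

# Prints 1 if the unit is active, else 0. Inside a chroot systemctl does not
# report real state ("Running in chroot, ignoring command 'is-active'"), so
# the answer is forced to 0 there instead of being trusted.
unit_active() {
    if in_chroot || ! command -v systemctl >/dev/null 2>&1; then
        echo 0
    elif systemctl is-active "$1" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# Pure decision, testable without a real system:
#   $1 = 1 if in a chroot, $2 = 1 if NetworkManager active, $3 = 1 if firewalld active
# "online"  -> drive the running daemons over D-Bus (firewall-cmd)
# "offline" -> only the configuration files can be edited (firewall-offline-cmd)
choose_path() {
    if [ "$1" = 1 ]; then
        echo offline
    elif [ "$2" = 1 ] && [ "$3" = 1 ]; then
        echo online
    else
        echo offline
    fi
}

# Commands for each path, one per line, printed rather than executed so they
# can be reviewed before running.
remediation_commands() {
    case "$1" in
        online)
            # live system: permanent change, then reload the running daemon
            echo "firewall-cmd --permanent --zone=public --add-service=ssh"
            echo "firewall-cmd --reload"
            ;;
        offline)
            # chroot or stopped daemon: writes /etc/firewalld directly;
            # firewalld reads it when it starts on the installed system
            echo "firewall-offline-cmd --zone=public --add-service=ssh"
            ;;
        *)
            echo "unknown path: $1" >&2
            return 1
            ;;
    esac
}

# Detect the environment and run (or, with DRY_RUN set, only print) the
# commands for the chosen path.
remediate() {
    if in_chroot; then is_chroot=1; else is_chroot=0; fi
    path=$(choose_path "$is_chroot" "$(unit_active NetworkManager)" "$(unit_active firewalld)")
    remediation_commands "$path" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            echo "[$path] would run: $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Usage: set REMEDIATE_NOW=1 to act when the file is run directly;
# DRY_RUN=1 REMEDIATE_NOW=1 sh this_file.sh only prints the decision.
if [ "${REMEDIATE_NOW:-0}" = 1 ]; then
    remediate
fi
```

Run with `DRY_RUN=1 REMEDIATE_NOW=1 sh this_file.sh` inside a chroot and it prints the offline command instead of the "FirewallD is not running" output shown in the report; note that the interface-to-zone assignment the rule also checks is normally done through NetworkManager, which this example leaves untouched.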