
Check NM profiles use interface's altnames

Open yuumasato opened this issue 2 years ago • 4 comments

Description:

  • Improve remediation so that it checks the NM profiles by altnames.

Rationale:

  • The NM profiles can be named after an interface's altname rather than its device name.

  • Fixes #9495

yuumasato avatar Sep 21 '22 11:09 yuumasato
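As an added example of what checking a profile "by altname" involves (this is not code from this PR or from the ComplianceAsCode project): the helper below parses `ip link show` output into a device name plus its altnames, then looks for a profile under any of those names, first as `ifcfg-<name>` in an ifcfg directory and then as `<name>.nmconnection` in a NetworkManager keyfile directory. The function names, the sample `ip link` text and the temporary profile directories are all constructed here for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode/content project: resolve each
# up interface to its device name plus the altnames reported by `ip link show`,
# then look for a NetworkManager profile named after ANY of those names.
# The `ip link` text and the profile directories below are constructed samples.
set -eu

# Turn `ip link show` text (stdin) into one line per device:
#   <devname> <altname1> <altname2> ...
# A device starts on a "N: name: <flags> ..." line; its altnames follow on
# indented "altname X" lines, which a plain `cut -d ' ' -f2` pipeline drops.
parse_ip_link() {
    awk '
        /^[0-9]+: / {
            if (dev != "") print dev names
            dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev)   # "eth0:" or "veth0@if5:"
            names = ""
        }
        $1 == "altname" { names = names " " $2 }
        END { if (dev != "") print dev names }
    '
}

# Print the first profile file named after any of the given names, checking
# ifcfg-<name> in the ifcfg directory and <name>.nmconnection in the keyfile
# directory. Returns 1 when no profile matches.
find_profile() {
    local ifcfg_dir=$1 keyfile_dir=$2 name
    shift 2
    for name in "$@"; do
        if [ -f "$ifcfg_dir/ifcfg-$name" ]; then
            printf '%s\n' "$ifcfg_dir/ifcfg-$name"; return 0
        fi
        if [ -f "$keyfile_dir/$name.nmconnection" ]; then
            printf '%s\n' "$keyfile_dir/$name.nmconnection"; return 0
        fi
    done
    return 1
}

# Read parse_ip_link output on stdin and print the basename of the first
# profile belonging to an en*/eth* interface, found via device name or altname.
pick_profile() {
    local ifcfg_dir=$1 keyfile_dir=$2 dev altnames path
    while read -r dev altnames; do
        case $dev in en*|eth*) ;; *) continue ;; esac
        # shellcheck disable=SC2086  # altnames is intentionally word-split
        if path=$(find_profile "$ifcfg_dir" "$keyfile_dir" "$dev" $altnames); then
            basename "$path"; return 0
        fi
    done
    return 1
}

# Constructed scenario: the kernel device is eth0, its altname is enp0s3, and the
# only profile on disk is ifcfg-enp0s3. Matching on the device name alone would
# report no profile; matching on altnames finds it.
demo() {
    local tmp sample result
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ifcfg" "$tmp/keyfile"
    printf 'NAME=enp0s3\nDEVICE=enp0s3\nZONE=public\n' > "$tmp/ifcfg/ifcfg-enp0s3"
    sample='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3'
    result=$(printf '%s\n' "$sample" | parse_ip_link | pick_profile "$tmp/ifcfg" "$tmp/keyfile") || result="(none)"
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

demo   # → ifcfg-enp0s3
```

On a real host the `sample` text is replaced by `ip link show up` and the two directories by `/etc/sysconfig/network-scripts` and `/etc/NetworkManager/system-connections`; the lookup order (device name first, then each altname) is the part the remediation needs, since a profile can be named after either.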

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] avatar Sep 21 '22 11:09 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Sep 21 '22 11:09 github-actions[bot]

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -10,6 +10,7 @@
 
 
 
+ 
 
 
 # This assumes that firewalld_sshd_zone is one of the pre-defined zones
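Review bot: the only change in this hunk is the added whitespace-only line (the lone `+ ` near the top); drop it so the datastream diff is limited to the functional changes in the later hunks.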
@@ -21,23 +22,31 @@
 <service name="ssh"/>' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
 fi
 
+available_nmconfig_profiles=()
 # Check if any eth interface is bounded to the zone with SSH service enabled
 nic_bound=false
-readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-for interface in "${eth_interface_list[@]}"; do
+readarray -t dev_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
+for interface in "${dev_interface_list[@]}"; do
+ if [ -f /etc/sysconfig/network-scripts/ifcfg-${interface} ]; then
+ available_nmconfig_profiles+=("$interface")
+ fi
 if grep -qi "ZONE=$firewalld_sshd_zone" "/etc/sysconfig/network-scripts/ifcfg-${interface}"; then
 nic_bound=true
 break;
 fi
 done
 
+
+
+ip link show
+ls /etc/NetworkManager/system-connections/
+
 if [ $nic_bound = false ];then
- # Add first NIC to SSH enabled zone
- interface="${eth_interface_list[0]}"
+ # Add first Network profile to SSH enabled zone
+ interface="${available_nmconfig_profiles[0]}"
 
 if ! firewall-cmd --state -q; then
- 
- # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+ # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
 # Otherwise, regular sed command will do.
 sed_command=('sed' '-i')
 if test -L "/etc/sysconfig/network-scripts/ifcfg-${interface}"; then
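Review bot: the bare `ip link show` and `ls /etc/NetworkManager/system-connections/` lines between the loop and the `if [ $nic_bound = false ]` check are debugging leftovers that only dump output during remediation; remove them before this leaves draft. Two logic problems in the loop as well: the `grep -qi "ZONE=$firewalld_sshd_zone" "/etc/sysconfig/network-scripts/ifcfg-${interface}"` still runs for every interface outside the new `if [ -f ... ]` guard, so it keeps emitting "No such file or directory" for interfaces without an ifcfg file (move it inside that block, or `continue` when the file is missing); and `interface="${available_nmconfig_profiles[0]}"` is empty when no interface had an ifcfg file, which then feeds an empty name to the `sed` path and to `firewall-cmd --add-interface` further down, so check that the array is non-empty (falling back to `${dev_interface_list[0]}` would preserve the previous behaviour). Finally, nothing in this hunk consults altnames despite the PR title: `ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1` keeps only the primary device name (the indented `altname` lines that `ip link` prints have an empty second field and are discarded by `cut -s`), and the only location looked at is `ifcfg-${interface}`, so a profile named after an altname, or stored as a keyfile under the directory the `ls` line lists, is still missed.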
@@ -46,7 +55,7 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
- stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ZONE=")
+ stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^{{{ zone_param }}}=")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s=%s" "$stripped_key" "$firewalld_sshd_zone"
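Review bot: `{{{ zone_param }}}` in `stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^{{{ zone_param }}}=")` is an unexpanded template placeholder that has reached the built datastream. The generated bash now strips `^` and `=` from that literal string, so `stripped_key` becomes `{{{ zone_param }}}` instead of `ZONE`, and the `printf -v formatted_output` line produces `{{{ zone_param }}}=<zone>`. Whichever macro now wraps this block needs the key name passed in so that this line renders back to `^ZONE=` as it did before the change.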
@@ -54,21 +63,20 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 -i -e "^ZONE=\\>" "/etc/sysconfig/network-scripts/ifcfg-${interface}"; then
+ if LC_ALL=C grep -q -m 1 -i -e "^{{{ zone_param }}}=\\>" "/etc/sysconfig/network-scripts/ifcfg-${interface}"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^ZONE=\\>.*/$escaped_formatted_output/gi" "/etc/sysconfig/network-scripts/ifcfg-${interface}"
+ "${sed_command[@]}" "s/^{{{ zone_param }}}=\\>.*/$escaped_formatted_output/gi" "/etc/sysconfig/network-scripts/ifcfg-${interface}"
 else
 # \n is precaution for case where file ends without trailing newline
 cce="CCE-80820-4"
 printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysconfig/network-scripts/ifcfg-${interface}" >> "/etc/sysconfig/network-scripts/ifcfg-${interface}"
 printf '%s\n' "$formatted_output" >> "/etc/sysconfig/network-scripts/ifcfg-${interface}"
 fi
- 
 else
 # If firewalld service is running, we need to do this step with firewall-cmd
 # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone
 # of NetworkManager managed interfaces upon reload
- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}"
+ firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="$interface"
 firewall-cmd --reload
 fi
 fi
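Review bot: the same unexpanded `{{{ zone_param }}}` placeholder appears in the `grep -q -m 1 -i -e "^{{{ zone_param }}}=\\>"` test and in the `"${sed_command[@]}" "s/^{{{ zone_param }}}=\\>.*/..."` substitution, so the key-exists branch can never match an existing `ZONE=` line; every run falls through to the `else` branch and appends another `# Per CCE-80820-4` comment plus a `$formatted_output` line (which, given the `stripped_key` computed above, reads `{{{ zone_param }}}=...`) to the ifcfg file, while the real `ZONE=` value is never changed. Fix the templating so these render as `^ZONE=` again. The switch to `--add-interface="$interface"` in the firewalld-running branch is consistent with the new variable, provided the earlier selection guarantees `$interface` is non-empty.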

github-actions[bot] avatar Sep 21 '22 11:09 github-actions[bot]

Code Climate has analyzed commit eff80097 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.5% (0.0% change).

View more on Code Climate.

codeclimate[bot] avatar Sep 21 '22 16:09 codeclimate[bot]