RHEL8-STIG
RHEL-08-040090 : Firewall must employ deny-all | Missing Configuration
Describe the Issue
The current implementation of RHEL-08-040090 does not set the drop target for the firewall zone when it is created, meaning that after running this control the finding is still present.
Expected Behavior
RHEL-08-040090 should set the newly created firewall zone's target to drop instead of leaving it as default.
Actual Behavior
The RHEL-08-040090 implementation does not provide a target argument, meaning it gets left as default.
Control(s) Affected
RHEL-08-040090
Possible Solution
It seems that Ansible 2.9 does not have the latest version of the ansible.posix collection, meaning this is not possible to do by just adding the target: DROP line. A manual command would be required, such as sudo firewall-cmd --permanent --zone=ZONE_NAME --set-target=DROP.
Looks like the firewall zone variable gets declared here: https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/defaults/main.yml#L843
As for 'target' being default and not drop, I see this being updated in multiple ways. The way I would attempt to do this is by:
- Define the default zone, in this case drop: rhel8stig_default_firewall_zone: drop
- Remove "new_fw_zone" from rhel8stig_custom_firewall_zone: "new_fw_zone", leaving it undefined. If something other than drop is needed, then define it here.
- Create a custom firewall jinja2 template, with zone = drop. This of course will only be applied if rhel8stig_custom_firewall_zone: "new_fw_zone" is defined.
Basically, allow for a custom-defined 'drop' zone, but apply the default if custom is not defined.
rhel8stig_white_list_services already exists for defining services that would need to be in the firewall... the only headache would be that all possible settings for a firewall would need to be available via variables for the template so that they don't get overwritten if the STIG is run again... which is essentially re-inventing what the firewalld module should be doing.
Is there a reason why ensuring the minimum configuration exists (via the currently applied steps) couldn't just be done by adding another command to this section: https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/tasks/fix-cat2.yml#L5923

Since there are already manual calls to firewall-cmd, why not another to run firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP?
Hi @Rwarcards762 and @matthew-willis
Thank you for all the issues and PRs that you have provided. It is discussions and feedback like this that can only help us to improve; they have helped immensely. We have now added all of your open issues and PRs into the Oct_updates branch (there is a new release out which we need to work upon, but we need to get these resolved first). I will reply to each issue/PR in turn. If you are not already on Discord, feel free to hop on and further the discussions there.
Many thanks once again
uk-bolly
@uk-bolly -- Regarding 11a7750: This is definitely the preferred method to do this, but do note that this method will cause the script to crash if running Ansible 2.9 (the "RHEL Stable" version), as target was not available in that release. See docs.
Not sure if this is a concern or not, just figured I would mention it. :)
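Putting together the firewall-cmd fallback proposed earlier in the thread and the note above that target is unavailable in Ansible 2.9, here is an added example of what a version-gated set of tasks could look like. This is not the RHEL8-STIG role's own task code and not commit 11a7750; it assumes the role's rhel8stig_custom_firewall_zone variable, that the zone has already been created by the role's earlier firewall-cmd calls (so --get-target on it succeeds), and that firewalld is running so firewall-cmd --reload is valid. The read-then-set pair in the fallback keeps the run idempotent: firewall-cmd --set-target reports a change on every run, so the target is read first and only set when it is not already DROP.

```yaml
# Added example (not the RHEL8-STIG role's own tasks).
# Assumes: rhel8stig_custom_firewall_zone is defined by the role, the zone
# already exists (created earlier by the role), and firewalld is running.

- name: "RHEL-08-040090 | Set custom zone target to DROP via module (Ansible >= 2.10)"
  ansible.posix.firewalld:
    zone: "{{ rhel8stig_custom_firewall_zone }}"
    target: DROP          # 'target' exists in ansible.posix >= 1.2.0, not in the 2.9 built-in module
    permanent: true
    state: present
  register: zone_module_result
  when: ansible_version.full is version('2.10', '>=')

- name: "RHEL-08-040090 | Read current target of the custom zone (Ansible 2.9 fallback)"
  ansible.builtin.command:
    cmd: "firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --get-target"
  register: zone_target
  changed_when: false     # read-only probe; never reports a change
  when: ansible_version.full is version('2.10', '<')

- name: "RHEL-08-040090 | Set custom zone target to DROP (Ansible 2.9 fallback)"
  ansible.builtin.command:
    cmd: "firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP"
  register: zone_cmd_result
  when:
    - ansible_version.full is version('2.10', '<')
    - (zone_target.stdout | trim) != 'DROP'   # only change when the permanent target is not already DROP

- name: "RHEL-08-040090 | Reload firewalld so the permanent zone target becomes the runtime target"
  ansible.builtin.command:
    cmd: firewall-cmd --reload
  when: zone_module_result is changed or zone_cmd_result is changed
```

Both branches only touch the permanent configuration, which is why the final reload task is there: a --permanent --set-target (and a permanent zone change through the module) does not affect the running ruleset until firewalld is reloaded, so without it the finding would still be present on the live firewall until the next reload or reboot. To verify on the host after the play, firewall-cmd --permanent --zone=ZONE_NAME --get-target should print DROP.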
That is an amazing catch, thank you. That will cause issues, especially with the STIG. I will add a workaround if it is 2.9. Thanks
uk-bolly
This issue is fixed in release 2.6.0, thank you for opening the issue!
-George