Firewall technology related rules per service and package change logic according to interactive profile variable #11818
base: master
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( rpm --quiet -q iptables && rpm --quiet -q kernel ); then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q iptables ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'iptables.service'
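Review bot: the bash applicability guard and the Ansible guard for this same rule now disagree: the shell test only checks for `/.dockerenv` and `/run/.containerenv` (Docker and Podman markers), while the Ansible `when:` in this diff also excludes `lxc`, `openvz` and generic `container`, so a host the playbook skips can still be remediated by the bash script. The `rpm --quiet -q kernel` test is also dropped with nothing replacing it; if the intent is only to exclude containers, confirm that losing the kernel-package condition on regular hosts is deliberate, and consider deriving both guards from the same platform definition so they cannot drift.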
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -30,8 +30,8 @@
masked: false
when:
- '"iptables" in ansible_facts.packages'
- when: ( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages
- )
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "iptables" in ansible_facts.packages )
tags:
- CCE-85961-1
- NIST-800-53-AC-4
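Review bot: `ansible_virtualization_type` is a setup fact, whereas the previous condition relied only on `ansible_facts.packages` (populated by `package_facts`); with `gather_facts: false` the new `when:` now raises an undefined-variable error instead of evaluating to false. Consider `(ansible_virtualization_type | default('')) not in [...]` or an explicit fact gather before this task. The exclusion list here (docker, lxc, openvz, podman, container) is also broader than the two marker files the bash remediation tests, so the two variants should be reconciled.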
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,3 +1,3 @@
+oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-package_iptables:def:1
oval:ssg-service_disabled_firewalld:def:1
-oval:ssg-system_with_kernel:def:1
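Review bot: replacing `oval:ssg-system_with_kernel:def:1` with `oval:ssg-installed_env_is_a_machine:def:1` changes the rule's applicability in two directions: a non-container system with no `kernel` package (for example an image build root) is now in scope, and any detected container is now out of scope even when `iptables` is installed. The PR title and commits describe selection by an interactive profile variable, but this hunk shows only the platform change; please state in the rule description or the commit message why the kernel-package condition was dropped rather than combined with the container exclusion.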
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( rpm --quiet -q nftables && rpm --quiet -q kernel ); then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nftables.service'
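Review bot: the guard `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` treats the absence of two runtime-specific marker files as proof of a real machine; a container started by a runtime that writes neither file passes the check and the script proceeds to the `systemctl unmask 'nftables.service'` call regardless. If the new platform is meant to express "not a container", document that this detection is best-effort, and align it with the Ansible variant of the same rule, which also excludes lxc, openvz and generic container types.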
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -25,8 +25,8 @@
masked: false
when:
- '"nftables" in ansible_facts.packages'
- when: ( "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages
- )
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "nftables" in ansible_facts.packages )
tags:
- CCE-86725-9
- enable_strategy
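Review bot: apart from the package name this condition is identical to the iptables one in the same diff, so any fix to the `ansible_virtualization_type` handling (it is undefined when setup facts are not gathered, so a `default('')` filter or an explicit fact gather is needed) must be made in the shared template rather than in the generated datastream; otherwise the two firewall rules will drift again on the next regeneration.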
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -1,3 +1,3 @@
+oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-package_nftables:def:1
oval:ssg-service_disabled_firewalld:def:1
-oval:ssg-system_with_kernel:def:1 |
🤖 A k8s content image for this PR is available at:
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
/test all
/packit build
6188277 to fc100a9
Should we change this PR to work across different vendors?
For the moment it is not necessary for Oracle Linux |
fc100a9 to 87ba124
ping
87ba124 to f2480f3
… by ext variable. The idea is for the OVAL checks and remediation to check the provided external variable, and thus honour whether to really check/install/remove a certain package or service.
…et to be nftables
…set to be firewalld or iptables
…echnology is set to be firewalld or iptables
… is set to be iptables
…set to be iptables
…s set to be nftables or iptables
…y is set to be nftables or iptables
… set to be firewalld
…y is set to be firewalld
The given variable should actually mark the state in which the package should not be removed because it is needed by the setup.
f2480f3 to 504b19e
Code Climate has analyzed commit 504b19e and detected 6 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate.
I removed myself as assignee as, unfortunately, I won't be able to review/test it again for the next few weeks.
Description:
Rationale:
Review Hints:
scap-workbench or a similar tool, or define a new alternative profile to the original one (CIS is currently the one having conflicting rules), or via command line arguments of the oscap tool, if that is the weapon of choice to run checks and remediations.