Update firewalld rules for bootable containers #12626
This datastream diff is auto generated by the check. Click here to see the full diff.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
@@ -8,7 +8,7 @@
ipv4_rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
ipv6_rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
-if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
+if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv6_rule}"
elif systemctl is-active firewalld; then
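Review bot: the `|| [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]` branch on the `if` line carries no comment saying why the existing `stat -c %d:%i` comparison of `/` against `/proc/1/root/.` is not enough inside a bootable-container build; a one-line comment above the `if`, such as `# OSCAP_BOOTC_BUILD=YES: bootc image build, use firewall-offline-cmd even though / and PID 1's root compare equal`, would stop a later cleanup from treating the variable as redundant. Minor: the line now mixes POSIX `test` with bash `[[ ]]`; with the variable quoted, `[ "$OSCAP_BOOTC_BUILD" = "YES" ]` is equivalent and matches the style of the rest of the condition. When the variable is unset the new test is false, so the existing chroot and live-system paths are unchanged.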
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
@@ -5,7 +5,7 @@
yum install -y "firewalld"
fi
-if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
+if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
firewall-offline-cmd --zone=trusted --add-interface=lo
elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-interface=lo |
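Review bot: this is the second copy of the identical `stat ... || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]` condition (the loopback_traffic_restricted remediation carries the same line, and the description says configure_firewalld_rate_limiting was updated the same way); if the content build supports a shared bash snippet for this check, pulling the condition into one place would keep the three remediations from drifting the next time the build-environment detection changes. The offline path here (`firewall-offline-cmd --zone=trusted --add-interface=lo`) writes the permanent configuration directly, so it matches the `firewall-cmd --permanent` call on the live path without needing an extra flag.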
I have built a CS 9 bootable container image with the cis profile using the content with this PR and then I booted a VM from the container image using podman-bootc. Both rules firewalld_loopback_traffic_restricted and firewalld_loopback_traffic_trusted are PASS in the after-boot scan.
We can see that the firewall output contains the expected configuration:
[admin@ibm-p8-kvm-03-guest-02 ~]$ sudo firewall-cmd --zone trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" source address="::1" destination NOT address="::1" drop
        rule family="ipv4" source address="127.0.0.1" destination NOT address="127.0.0.1" drop
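The post-boot verification the comment above performs by eye, as an added example that is not part of the PR or of the project's content: a POSIX sh check that reads the `firewall-cmd --zone trusted --list-all` listing on stdin and confirms that the loopback interface and both rich rules configured by the remediations are present. The function names `check_loopback_zone`, `sample_listing` and `incomplete_listing` are mine; the embedded listing is the one quoted above, and the incomplete variant is constructed to exercise the failure path.

```shell
#!/bin/sh
# Post-boot verification of the firewalld loopback remediations.
# Added example, not project code: checks the output of
# `firewall-cmd --zone trusted --list-all` for the interface and the two
# rich rules that firewalld_loopback_traffic_trusted/_restricted configure.

IPV4_RULE='rule family="ipv4" source address="127.0.0.1" destination NOT address="127.0.0.1" drop'
IPV6_RULE='rule family="ipv6" source address="::1" destination NOT address="::1" drop'

# check_loopback_zone: reads a zone listing on stdin.
# Returns 0 when "lo" is in the interface list and both rich rules are present;
# otherwise prints each missing item and returns 1.
check_loopback_zone() {
    listing=$(cat)
    missing=0
    # The interface line may list several interfaces; "lo" must be one of them.
    if ! printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*interfaces:.*[[:space:]]lo([[:space:]]|$)'; then
        echo "missing: interface lo in trusted zone"
        missing=1
    fi
    for rule in "$IPV4_RULE" "$IPV6_RULE"; do
        if ! printf '%s\n' "$listing" | grep -F -q -e "$rule"; then
            echo "missing rich rule: $rule"
            missing=1
        fi
    done
    return "$missing"
}

# sample_listing: the zone listing quoted in the review comment above.
sample_listing() {
    cat <<'EOF'
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" source address="::1" destination NOT address="::1" drop
        rule family="ipv4" source address="127.0.0.1" destination NOT address="127.0.0.1" drop
EOF
}

# incomplete_listing: constructed variant with the IPv6 rule and "lo" removed,
# to show what a failed remediation looks like to the check.
incomplete_listing() {
    sample_listing | grep -v 'ipv6' | sed 's/^  interfaces: lo$/  interfaces:/'
}

# Usage on a booted system:
#   sudo firewall-cmd --zone trusted --list-all | sh check_loopback.sh
# Usage offline against the captured listing:
#   sh check_loopback.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_listing | check_loopback_zone && echo "captured listing: OK"
    incomplete_listing | check_loopback_zone || echo "incomplete listing: FAIL (expected)"
elif [ -z "${1:-}" ] && [ ! -t 0 ]; then
    check_loopback_zone
fi
```

The interface match tolerates other interfaces on the same `interfaces:` line and rejects names that merely start with `lo`; the rich rules are compared as fixed strings, so a rule that differs only in its address or action is reported as missing rather than silently accepted.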
...ork/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/bash/shared.sh
Code Climate has analyzed commit af81fc2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate.
The rules firewalld_loopback_traffic_restricted, firewalld_loopback_traffic_trusted and configure_firewalld_rate_limiting have been updated for bootable containers (only their remediations needed an update).
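The branch selection that the updated remediations share, as an added example that is not the project's code: the condition from the diffs is factored into a function whose inputs (the two `stat -c %d:%i` results, the `OSCAP_BOOTC_BUILD` value and the firewalld service state) are passed explicitly, so the chroot, bootc-build and live-system cases can be exercised without root. The names `remediation_mode` and `detect_mode` are mine, and the `skip` result for the case where neither branch applies is an assumption: the diffs show only the `if` and `elif` branches.

```shell
#!/bin/sh
# Added example, not project code: the decision the updated remediations
# make before touching firewalld, with its inputs made explicit.
#
#   offline - use firewall-offline-cmd: the running process's root differs
#             from PID 1's root (a chroot or image build), or
#             OSCAP_BOOTC_BUILD=YES marks a bootable-container build, where
#             that comparison does not identify the build environment
#   live    - use firewall-cmd --permanent: the firewalld service is active
#   skip    - neither applies (assumed; the diffs do not show an else branch)

# remediation_mode ROOT_ID INIT_ROOT_ID BOOTC_BUILD FIREWALLD_STATE
#   ROOT_ID, INIT_ROOT_ID : "dev:inode" of / and of /proc/1/root/. as printed by stat -c %d:%i
#   BOOTC_BUILD           : value of $OSCAP_BOOTC_BUILD ("YES" enables the offline path)
#   FIREWALLD_STATE       : "active" when `systemctl is-active firewalld` succeeds
remediation_mode() {
    root_id=$1 init_root_id=$2 bootc_build=$3 firewalld_state=$4
    if [ "$root_id" != "$init_root_id" ] || [ "$bootc_build" = "YES" ]; then
        echo offline
    elif [ "$firewalld_state" = "active" ]; then
        echo live
    else
        echo skip
    fi
}

# detect_mode: the same decision taken from the real system, mirroring the
# diff. Needs root: /proc/1/root/. is not readable by unprivileged users.
detect_mode() {
    state=inactive
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld 2>/dev/null; then
        state=active
    fi
    remediation_mode "$(stat -c %d:%i / 2>/dev/null)" \
                     "$(stat -c %d:%i /proc/1/root/. 2>/dev/null)" \
                     "${OSCAP_BOOTC_BUILD:-}" "$state"
}

# Worked cases (device:inode values are constructed):
#   chroot build, roots differ                 -> offline
#   bootc build, roots equal, variable set     -> offline
#   booted VM, roots equal, firewalld active   -> live
#   booted VM, roots equal, firewalld stopped  -> skip
if [ "${1:-}" = "--demo" ]; then
    echo "chroot:  $(remediation_mode 0:2 253:2 '' inactive)"
    echo "bootc:   $(remediation_mode 0:2 0:2 YES inactive)"
    echo "live:    $(remediation_mode 0:2 0:2 '' active)"
    echo "stopped: $(remediation_mode 0:2 0:2 NO inactive)"
    echo "this host: $(detect_mode)"
fi
```

Note that an unset `OSCAP_BOOTC_BUILD` leaves the decision exactly as it was before the change, which is why existing chroot and live-system remediations keep their behaviour; only a build that exports the variable as `YES` is steered onto the offline path.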