ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Rules `firewalld_loopback_traffic_restricted` and `firewalld_loopback_traffic_trusted` do not support offline remediation #11275

Closed evgenyz closed 10 months ago

evgenyz commented 1 year ago

Description of problem:

The Bash remediation of the rule does not support offline mode (namely, Image Builder):

    firewalld service is not active. Remediation aborted!
    This remediation could not be applied because it depends on firewalld service running.
    The service is not started by this remediation in order to prevent connection issues.

But, instead of just doing nothing, it also does exit 1, which breaks the script-based remediation flow.

On top of that, Image Builder blueprints to some degree support firewall configuration, so it would make sense to try to add a blueprint remediation if possible. Nope, Blueprint won't help us here.

SCAP Security Guide Version:

master

Operating System Version:

RHEL 9.4

Steps to Reproduce:

  1. Try to harden an IB image using CIS profile.
  2. Image is not properly remediated as bash script aborts in the middle.

Actual Results:

Remediation bails in the middle of the process. Firewall settings for IB images are not fixed.

Expected Results:

Remediation snippet does not break remediation flow. Firewall settings for IB images are fixed using Blueprint remediation.

Additional Information/Debugging Steps:

https://www.osbuild.org/guides/image-builder-on-premises/blueprint-reference.html#firewall
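The point about `exit 1` breaking the script-based flow, shown as an added example that is not ComplianceAsCode's own remediation code: a generated remediation script is a concatenation of per-rule snippets running in one shell, so an `exit 1` in one snippet stops every rule after it. The snippet functions, the `FIREWALLD_ACTIVE` variable standing in for the real systemd check, and the `run_flow` harness are all constructed for this illustration.

```bash
#!/bin/bash
# Added example (not ComplianceAsCode's code): model of a concatenated
# remediation script, comparing a snippet that exits with one that returns.

# Problem pattern: the snippet runs in the main script's shell and calls
# exit, so every rule concatenated after it is silently skipped.
snippet_loopback_exit() {
  if [ "$FIREWALLD_ACTIVE" != "yes" ]; then
    echo "firewalld service is not active. Remediation aborted!" >&2
    exit 1
  fi
  echo "loopback rules applied"
}

# Safer pattern: report the condition and return non-zero. The caller can
# still observe the failure, but the remaining rules keep executing.
snippet_loopback_return() {
  if [ "$FIREWALLD_ACTIVE" != "yes" ]; then
    echo "firewalld service is not active. Skipping this rule." >&2
    return 1
  fi
  echo "loopback rules applied"
  return 0
}

# A stand-in for any rule that happens to come later in the generated script.
snippet_other_rule() {
  echo "other rule applied"
}

# Runs the two snippets in order, the way a concatenated script would, in a
# subshell so an exit only kills this simulated run. Prints how many rules
# reported success.
#   $1: name of the loopback snippet function to use
#   $2: simulated firewalld state, "yes" or "no" (constructed; the real
#       snippet queries systemd, which an offline image build cannot do)
run_flow() {
  ( set +e; FIREWALLD_ACTIVE="$2"; "$1"; snippet_other_rule ) 2>/dev/null \
    | grep -c 'applied' || true
}

echo "exit pattern, firewalld inactive:   $(run_flow snippet_loopback_exit no) of 2 rules applied"
echo "return pattern, firewalld inactive: $(run_flow snippet_loopback_return no) of 2 rules applied"
echo "return pattern, firewalld active:   $(run_flow snippet_loopback_return yes) of 2 rules applied"
```

With firewalld inactive, the exiting snippet leaves 0 of 2 rules applied because the second rule never runs; the returning variant leaves 1 of 2 applied, which is the state the issue asks for (the loopback rule is skipped, the rest of the hardening still lands).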

jrusz commented 1 year ago

I've noticed the same issue with the firewalld_loopback_traffic_trusted rule.

evgenyz commented 12 months ago

UPD: Blueprint firewall customization won't help in this case; it is good only for enabling ports/services.