ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Rule `firewalld_sshd_port_enabled` does not support offline remediation #11318

Closed evgenyz closed 9 months ago

evgenyz commented 11 months ago

Description of problem:

Bash remediation of the rule does not support offline mode (namely: Image Builder).

This issue is similar to #11275, but unlike the rules mentioned there, this one can be fixed by using IB Blueprint remediation.

SCAP Security Guide Version:

master

Operating System Version:

RHEL9.4

Steps to Reproduce:

  1. Try to harden an IB image using CIS profile.
  2. Image is not properly remediated as bash script aborts in the middle.

Actual Results:

Remediation bails in the middle of the process. Firewall settings for IB images are not fixed.

Expected Results:

Remediation snippet does not break remediation flow. Firewall settings for IB images are fixed using Blueprint remediation.

Additional Information/Debugging Steps:

https://www.osbuild.org/guides/image-builder-on-premises/blueprint-reference.html#firewall
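For readers following this issue, here is an added illustration of the behaviour the report asks for: a Bash remediation that detects whether it can talk to a running firewalld, falls back to `firewall-offline-cmd` when it is working inside an image (the Image Builder case), and otherwise skips with a message instead of aborting the rest of the remediation run. This is not the project's own `firewalld_sshd_port_enabled` remediation; the function names and the `FIREWALL_CMD` / `FIREWALL_OFFLINE_CMD` / `SYSTEMCTL` override variables are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (not ComplianceAsCode's own code): enable the ssh service
# in firewalld without breaking the remediation flow when firewalld is not running.
# The tool names can be overridden so the logic can be exercised without root
# or a real firewalld (assumed variable names, introduced for this example).

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
FIREWALL_OFFLINE_CMD="${FIREWALL_OFFLINE_CMD:-firewall-offline-cmd}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Decide how (or whether) the firewall can be configured in this environment.
# Prints exactly one of: online, offline, skip
firewalld_mode() {
    if command -v "$FIREWALL_CMD" >/dev/null 2>&1 \
        && "$SYSTEMCTL" is-active --quiet firewalld 2>/dev/null; then
        echo online        # daemon is running: use the D-Bus client
    elif command -v "$FIREWALL_OFFLINE_CMD" >/dev/null 2>&1; then
        echo offline       # no daemon (e.g. image build): edit the config files directly
    else
        echo skip          # no firewalld tooling at all: nothing to do here
    fi
}

# Enable the ssh service in the permanent configuration.
# Returns 0 when the change is applied or deliberately skipped,
# non-zero only when the firewall tool itself reports an error.
ensure_sshd_port_enabled() {
    case "$(firewalld_mode)" in
        online)
            "$FIREWALL_CMD" --permanent --add-service=ssh >/dev/null \
                && "$FIREWALL_CMD" --reload >/dev/null
            ;;
        offline)
            "$FIREWALL_OFFLINE_CMD" --add-service=ssh >/dev/null
            ;;
        skip)
            echo "firewalld tooling not available; skipping firewalld_sshd_port_enabled remediation" >&2
            return 0
            ;;
    esac
}

# Stand-alone usage: apply the remediation and report what happened.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    ensure_sshd_port_enabled && echo "firewalld_sshd_port_enabled: done (mode: $(firewalld_mode))"
fi
```

The point of the `skip` branch is that the exit status of one rule's snippet must not decide the fate of the whole remediation script; a rule that cannot be applied in an image should say so and return cleanly. For images built with Image Builder, the same outcome can be expressed declaratively in the Blueprint's `[customizations.firewall.services]` section with `enabled = ["ssh"]`, as described in the osbuild reference linked above.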

evgenyz commented 9 months ago

If we enable sshd service in the image the port should be enabled as well. Also, it is not clear ATM in which situation it'd be necessary to explicitly configure firewalld. I'm removing BLOCKER for now.

evgenyz commented 9 months ago

The problem with exit in Bash has been fixed.

evgenyz commented 9 months ago

Actually, I'll just close it.