Update firewalld_sshd_port_enabled for bootable containers

[matusmarhefka]

Remediation of the rule firewalld_sshd_port_enabled has been updated to work in the bootable container build environment. By default, NetworkManager interfaces are created only once container image is booted so we do not have information about what interfaces will be created during container build time. Therefore, we will rely on NetworkManager to automatically assign interfaces to the default firewalld zone. For more details see: https://firewalld.org/documentation/man-pages/firewalld.zone.html https://firewalld.org/documentation/zone/connections-interfaces-and-sources.html This means that the remediation, when running in bootable container build environment, only works if zone defined in the firewalld_sshd_zone variable equals to the default zone of firewalld. Otherwise, the remediation is aborted.

OVAL check of the rule has also been slightly updated as once container is booted the bootc system doesn't contain any NetworkManager keyfiles under /etc/NetworkManager/system-connections and this made the OVAL test test_firewalld_sshd_port_enabled_all_nics_in_zones to fail because it expected at least one keyfile in the directory.

The test only_zones_configured.fail.sh was incorrectly expecting failure result while in reality this is a pass test scenario. NetworkManager automatically assigns the default firewalld zone (public) to interfaces which don't define any zone - and the test configures firewalld to allow ssh access for each zone (including the default one).

[github-actions[bot]]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions[bot]]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

```diff bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs. --- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled +++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled @@ -10,39 +10,63 @@ firewalld_sshd_zone='' -if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then - # TODO: NM (nmcli) now has --offline mode support, and it could operate without NM service. - # See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1183 - # The feature is not quite straighforward (and probably incomplete), though. - echo "Not applicable in offline mode. Remediation aborted!" +if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then + # By default, NetworkManager interfaces are created only once + # container image is booted so we do not have information about + # what interfaces will be created during container build time. + # Therefore, we will rely on NetworkManager to automatically assign + # interfaces to the default firewalld zone. For more details see: + # https://firewalld.org/documentation/man-pages/firewalld.zone.html + # https://firewalld.org/documentation/zone/connections-interfaces-and-sources.html + # That also means this remediation only works if zone defined in + # the firewalld_sshd_zone variable equals to the default zone of firewalld. + default_zone=$(firewall-offline-cmd --get-default-zone) + if [ "$firewalld_sshd_zone" != "$default_zone" ]; then + echo "Firewalld default zone ($default_zone) and pre-set zone for sshd ($firewalld_sshd_zone) differ. Remediation aborted!" >&2 + exit 1 + fi + + # Make sure default zone is set in all existing NetworkManager keyfiles. + while IFS= read -r -d '' file; do + sed "s|^\s*zone=.*$|zone=$firewalld_sshd_zone|g" "$file" + done < <(find /etc/NetworkManager/system-connections -maxdepth 1 -name "*.nmconnection" -print0) + + firewall-offline-cmd --zone="$firewalld_sshd_zone" --add-service=ssh else - if systemctl is-active NetworkManager && systemctl is-active firewalld; then - # First make sure the SSH service is enabled in run-time for the proper zone. - # This is to avoid connection issues when new interfaces are addeded to this zone. - firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then + # TODO: NM (nmcli) now has --offline mode support, and it could operate without NM service. + # See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1183 + # The feature is not quite straighforward (and probably incomplete), though. + echo "Not applicable in offline mode. Remediation aborted!" + else + if systemctl is-active NetworkManager && systemctl is-active firewalld; then + # First make sure the SSH service is enabled in run-time for the proper zone. + # This is to avoid connection issues when new interfaces are addeded to this zone. + firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - for connection in "${nm_connections[@]}"; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone - fi - done - systemctl restart NetworkManager + # This will collect all NetworkManager connections names + readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. + for connection in "${nm_connections[@]}"; do + current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') + if [ $current_zone = "--" ]; then + nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone + fi + done + systemctl restart NetworkManager - # Active zones are zones with at least one interface assigned to it. - # It is possible that traffic is coming by any active interface and consequently any - # active zone. So, this make sure all active zones are permanently allowing SSH service. - readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v "^ " | cut -d " " -f 1) - for zone in "${firewalld_active_zones[@]}"; do - firewall-cmd --permanent --zone="$zone" --add-service=ssh - done - firewall-cmd --reload - else - echo "The firewalld or NetworkManager service is not active. Remediation aborted!" + # Active zones are zones with at least one interface assigned to it. + # It is possible that traffic is coming by any active interface and consequently any + # active zone. So, this make sure all active zones are permanently allowing SSH service. + readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v "^ " | cut -d " " -f 1) + for zone in "${firewalld_active_zones[@]}"; do + firewall-cmd --permanent --zone="$zone" --add-service=ssh + done + firewall-cmd --reload + else + echo "The firewalld or NetworkManager service is not active. Remediation aborted!" + fi fi fi ```

[codeclimate[bot]]

Code Climate has analyzed commit c937fae5 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

[jan-cerny]

Test scenarios pass when using a VM back end:

jcerny@fedora:~/work/git/scap-security-guide (pr/12608)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --datastream build/ssg-rhel9-ds.xml firewalld_sshd_port_enabled
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-11-14-1643/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
INFO - Script customized_zone_configured.pass.sh using profile (all) OK
INFO - Script customized_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script new_zone_configured.pass.sh using profile (all) OK
INFO - Script new_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script only_nics_configured.fail.sh using profile (all) OK
INFO - Script zones_and_nics_configured.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_no_custom_files.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_port_changed.pass.sh using profile (all) OK
INFO - Script only_zones_configured.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12608)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using ansible firewalld_sshd_port_enabled
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-11-14-1647/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
INFO - Script customized_zone_configured.pass.sh using profile (all) OK
INFO - Script customized_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script new_zone_configured.pass.sh using profile (all) OK
INFO - Script new_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script only_nics_configured.fail.sh using profile (all) OK
INFO - Script zones_and_nics_configured.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_no_custom_files.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_port_changed.pass.sh using profile (all) OK
INFO - Script only_zones_configured.pass.sh using profile (all) OK