ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Update firewalld rules for bootable containers #12626

Status: Open. matusmarhefka opened 17 hours ago

matusmarhefka commented 17 hours ago

The rules firewalld_loopback_traffic_restricted, firewalld_loopback_traffic_trusted and configure_firewalld_rate_limiting have been updated for bootable containers (only their remediations needed an update).

github-actions[bot] commented 17 hours ago

Start a new ephemeral environment with changes proposed in this pull request (Gitpod):

- rhel8 (from CTF) environment, using Fedora as the testing environment
- Fedora testing environment
- Oracle Linux 8 environment

github-actions[bot] commented 17 hours ago

This datastream diff is auto-generated by the check Compare DS/Generate Diff.

Click here to see the full diff ```diff bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted' differs. --- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted +++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted @@ -8,7 +8,7 @@ ipv4_rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' ipv6_rule='rule family=ipv6 source address="::1" destination not address="::1" drop' -if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then +if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv4_rule}" firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv6_rule}" elif systemctl is-active firewalld; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted' differs. --- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted +++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted @@ -5,7 +5,7 @@ yum install -y "firewalld" fi -if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then +if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then firewall-offline-cmd --zone=trusted --add-interface=lo elif systemctl is-active firewalld; then firewall-cmd --permanent --zone=trusted --add-interface=lo ```
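Review bot: in the firewalld_loopback_traffic_restricted hunk the new `|| [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]` branch makes the offline (`firewall-offline-cmd`) path depend on an environment variable that nothing in the remediation documents; if it is unset the `[[ ]]` test is simply false and the chroot stat comparison decides alone, which is the right fallback, but a comment stating that `OSCAP_BOOTC_BUILD=YES` is the contract for image builds would help the next reader. The condition also mixes `test ...` with `[[ ... ]]`; a single `[[ "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || "$OSCAP_BOOTC_BUILD" == "YES" ]]` reads more consistently.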
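Review bot: the PR description lists configure_firewalld_rate_limiting as updated as well, but the generated datastream diff reports only the two loopback rules as differing; please confirm whether that rule's remediation change actually reached the datastream or was a no-op there. In the firewalld_loopback_traffic_trusted hunk the bootc condition is duplicated verbatim from the previous rule, so consider factoring it into one shared snippet to keep the remediations from drifting, and note that the return status of `firewall-offline-cmd --zone=trusted --add-interface=lo` is not checked in the visible lines, so a failing offline command during an image build would go unnoticed.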
codeclimate[bot] commented 17 hours ago

Code Climate has analyzed commit 104888d3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
