ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

`RHEL7-CIS : 3.5.1.5 | AUDIT | Ensure default zone is set` fails although firewalld is up #329

Closed mcascone closed 7 months ago

mcascone commented 7 months ago

Describe the Issue The playbook fails when testing firewalld, which it shouldn't, because it's running.

Expected Behavior The firewalld test doesn't fail, even if the configuration is not correct.

Actual Behavior

RHEL7-CIS : 3.5.1.4 | PATCH | Ensure firewalld service is enabled and running] *******************************************************
changed: [target.ip.address]

RHEL7-CIS : 3.5.1.5 | AUDIT | Ensure default zone is set] ****************************************************************************
fatal: [target.ip.address]: FAILED! => {"changed": false, "cmd": ["firewall-cmd", "--get-default-zone"], "delta": "0:00:00.190092", "end": "2024-01-24 20:27:59.889292", "msg": "non-zero return code", "rc": 252, "start": "2024-01-24 20:27:59.699200", "stderr": "FirewallD is not running", "stderr_lines": ["FirewallD is not running"], "stdout": "", "stdout_lines": []}

PLAY RECAP **************************************************************************************************************************************************************************************
target.ip.address            : ok=94   changed=47   unreachable=0    failed=1    skipped=87   rescued=0    ignored=0   

❯ ssh my_user@target.ip.address
[my_user@target.ip.address ~]$ sudo firewall-cmd --get-default-zone
public
[my_user@target.ip.address ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2024-01-24 19:42:32 UTC; 47min ago
     Docs: man:firewalld(1)
 Main PID: 543 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─543 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Control(s) Affected What controls are being affected by the issue

Environment (please complete the following information):

uk-bolly commented 7 months ago

hi @mcascone

Thank you for taking the time to raise this issue. Reading through the steps, it appears to be changing the enabled/running state in 3.5.1.4. If you run the commands on a clean build manually in that order are you seeing the same response?

e.g.

As you have pointed out, this doesn't make sense if it starts it the step before. We also use CentOS to test our code before working on RHEL, on a clean build, and don't see this issue.

many thanks

uk-bolly

mcascone commented 7 months ago

This one is on me; my VMs were coming out of provisioning without firewalld installed. Why that would be the case is another issue, but when I install it and then run the audit, it works.
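The failure in this thread is an audit step that runs `firewall-cmd --get-default-zone` and gets rc 252 / "FirewallD is not running" back, which is the same symptom whether the package is missing (the actual cause here) or the daemon simply has not finished starting after the preceding task enabled it. The script below is an added example, not code from the RHEL7-CIS role, showing how a 3.5.1.5-style check can separate those cases and report each one explicitly. The `FIREWALL_CMD`, `RPM_CMD`, `SYSTEMCTL_CMD` and `FIREWALLD_WAIT_SECS` variables are assumptions introduced here so the function can be exercised against stub commands on a host without firewalld; on a RHEL 7 host the defaults are the real tools.

```shell
#!/bin/sh
# Added example (not part of the RHEL7-CIS role): audit the firewalld default
# zone as CIS 3.5.1.5 expects, but first confirm the package is installed and
# the daemon is actually answering, so a missing or stopped firewalld is
# reported as such instead of as an opaque rc=252 "FirewallD is not running".
#
# The command paths are variables (an assumption for this example) so the
# function can be run against stub scripts; leave the defaults on a real host.
: "${FIREWALL_CMD:=firewall-cmd}"
: "${RPM_CMD:=rpm}"
: "${SYSTEMCTL_CMD:=systemctl}"
: "${FIREWALLD_WAIT_SECS:=5}"   # how long to wait for the daemon after systemd says active

# audit_default_zone [expected_zone]
#   Prints one PASS/FAIL line and returns:
#     0  firewalld running; default zone reported (and matches expected, if given)
#     1  firewalld running but default zone differs from expected
#     2  firewalld package not installed
#     3  firewalld service not active
#     4  service active but the daemon is not answering (e.g. still starting)
audit_default_zone() {
    expected="${1:-}"

    if ! "$RPM_CMD" -q firewalld >/dev/null 2>&1; then
        echo "FAIL: firewalld package is not installed"
        return 2
    fi

    if ! "$SYSTEMCTL_CMD" is-active --quiet firewalld; then
        echo "FAIL: firewalld service is not active"
        return 3
    fi

    # systemd can report the unit active before firewalld accepts D-Bus calls,
    # so poll 'firewall-cmd --state' briefly instead of failing on the first try.
    i=0
    while [ "$i" -lt "$FIREWALLD_WAIT_SECS" ]; do
        if [ "$("$FIREWALL_CMD" --state 2>/dev/null)" = "running" ]; then
            break
        fi
        i=$((i + 1))
        sleep 1
    done
    if [ "$i" -ge "$FIREWALLD_WAIT_SECS" ]; then
        echo "FAIL: firewalld service is active but the daemon is not running"
        return 4
    fi

    zone="$("$FIREWALL_CMD" --get-default-zone 2>/dev/null)" || {
        echo "FAIL: could not query the default zone"
        return 4
    }

    if [ -n "$expected" ] && [ "$zone" != "$expected" ]; then
        echo "FAIL: default zone is '$zone', expected '$expected'"
        return 1
    fi

    echo "PASS: default zone is '$zone'"
    return 0
}

# Stand-alone usage: audit against the zone the role expects, e.g. 'public'.
# audit_default_zone public
```

Run with the zone the baseline expects as the argument (for example `audit_default_zone public`); the distinct return codes let a playbook or wrapper tell "not installed" (the cause in this issue) apart from "still starting" or "wrong zone" rather than surfacing every case as the same firewall-cmd error.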