dsglaser / cis-security

Playbooks to implement Center for Internet Security (CIS) controls for RHEL (7-9), RHEL Clones, Ubuntu (18.04-22.04), and Microsoft Windows (10, Server 2019)

firewalld on Centos8/RHEL8 #31

Closed blk974u closed 2 years ago

blk974u commented 3 years ago

First of all, thanks for the great work.

I checked out Control 3.4.4.1 (redhat-8-type.yml) for iptables and firewalld against the CIS CentOS Linux 8 Benchmark v1.0.0 - 10-31-2019.

The CIS Benchmark does not mention disabling firewalld; it uses firewalld as a frontend for nftables. However, I found that redhat-8-type.yml disables it. Instead, iptables-service is the one that needs to be disabled/removed, per "3.4.2.6 Ensure iptables is not enabled (Scored)" in the CIS Benchmark.

plaqdk commented 2 years ago

Hi

I just looked at the same code, but I think you missed that firewalld is only disabled if the following is true: `when: enable_firewall is defined and enable_firewall == "iptables"`

It will only do this if the variable is set to iptables.

best regards

dsglaser commented 2 years ago

That is correct. Firewalld will only be disabled if enable_firewall == "iptables" since they shouldn't both be run at the same time.

Thanks!
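The gating discussed in this thread, as an added illustrative playbook that is not the repository's own redhat-8-type.yml: firewalld is only stopped and masked when `enable_firewall == "iptables"`; on the default path firewalld stays the frontend for nftables and the legacy iptables service is disabled instead (CIS 3.4.2.6). The variable name and values follow the thread; the `hosts`, `vars` block, the `assert` guard and the RHEL 8 / CentOS 8 package and unit names (`firewalld`, `iptables-services`, `iptables`) are assumptions of this example.

```yaml
# Added example, not the project's playbook. Assumed: enable_firewall takes
# "firewalld" (default) or "iptables"; package/unit names are the RHEL 8 ones.
---
- name: Mutually exclusive host firewall (firewalld vs. iptables-services)
  hosts: all
  become: true
  vars:
    enable_firewall: firewalld   # set to "iptables" to switch paths

  tasks:
    - name: Refuse to run with an unsupported enable_firewall value
      ansible.builtin.assert:
        that:
          - enable_firewall in ["firewalld", "iptables"]
        fail_msg: "enable_firewall must be 'firewalld' or 'iptables', got '{{ enable_firewall }}'"

    # --- firewalld path (benchmark default): firewalld on, iptables service off ---
    - name: Ensure firewalld is installed
      ansible.builtin.package:
        name: firewalld
        state: present
      when: enable_firewall == "firewalld"

    - name: Ensure firewalld is enabled and running
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true
      when: enable_firewall == "firewalld"

    - name: Ensure the legacy iptables service is not enabled (CIS 3.4.2.6)
      ansible.builtin.service:
        name: iptables
        state: stopped
        enabled: false
      failed_when: false   # unit is absent when iptables-services was never installed
      when: enable_firewall == "firewalld"

    # --- iptables path: the only place firewalld is touched ---
    - name: Ensure firewalld is stopped and masked
      ansible.builtin.systemd:
        name: firewalld
        state: stopped
        enabled: false
        masked: true
      when: enable_firewall is defined and enable_firewall == "iptables"

    - name: Ensure iptables-services is installed
      ansible.builtin.package:
        name: iptables-services
        state: present
      when: enable_firewall == "iptables"

    - name: Ensure the iptables service is enabled and running
      ansible.builtin.service:
        name: iptables
        state: started
        enabled: true
      when: enable_firewall == "iptables"
```

Running the play with the default leaves firewalld as the active frontend and only turns off the iptables unit; `-e enable_firewall=iptables` flips both, so the two services are never enabled together, which is the point dsglaser makes above. After a run, `systemctl is-enabled firewalld iptables` on the host should show exactly one of the two as enabled.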