plus3it / ash-linux-formula

Automated System Hardening (ash-linux) is a Salt formula to apply SCAP benchmarks to Linux systems

[BUG] When remediating/validating with "stig" profile, Default firewalld Zone for Incoming Packets not properly set #285

Open ferricoxide opened 4 years ago

ferricoxide commented 4 years ago

Describe the bug

After running relevant formula-content, DefaultZone value in /etc/firewalld/firewalld.conf still set to public

Note: may be consequence of #247

To Reproduce

Steps to reproduce the behavior:

  1. Launch fresh spel AMI (etc.)
  2. Run watchmaker using "stig" profile for remediation
  3. Reboot system
  4. Run oscap utility using "stig" profile for scan
  5. Validate reported error is legitimate (execute grep DefaultZone /etc/firewalld/firewalld.conf)

Expected behavior

Running oscap utility using "stig" profile for scan should not produce error for named-test; executing grep DefaultZone /etc/firewalld/firewalld.conf should return drop

Fix Suggestions

Add a post-oscap remediation to prevent finding. No RHEL STIG ID has yet been assigned. Add handler to ash-linux-formula/ash-linux/el7/Miscellaneous/ content-directory.

ferricoxide commented 4 years ago

When either ash-linux.el7.stig or ash-linux.el7.VendorSTIG are invoked, ash-linux.el7.Miscellaneous.firewalld_safeties gets invoked. The firewalld_safeties state was written to ensure that 22/tcp access would be preserved if the "Drop" policy was selected, but it looks like the actual selection isn't being done anywhere: need to add a policy-selector state and make the desired state site-selectable (since switching to Drop, across the board, will break any sites' scanners that rely on ping-sweeps to identify scan-targets).
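One way the policy-selector state described above could look, written as an added example rather than code from the ash-linux-formula project: the default zone is read from pillar so a site can choose something other than drop, the selection is persisted in /etc/firewalld/firewalld.conf (the file the oscap check reads) even when the daemon is not running, and the ports to keep reachable are added to the chosen zone so a drop default does not sever remote administration. The pillar keys ash-linux:lookup:firewalld_default_zone and ash-linux:lookup:firewalld_preserved_ports, and the state IDs, are assumptions; the file path and the 22/tcp safety come from the issue text.

```yaml
# Hypothetical file: ash-linux/el7/Miscellaneous/firewalld_default_zone.sls
# (added example, not the formula's own code). Pillar keys below are assumed.
{%- set default_zone = salt['pillar.get']('ash-linux:lookup:firewalld_default_zone', 'drop') %}
{%- set preserved_ports = salt['pillar.get']('ash-linux:lookup:firewalld_preserved_ports', ['22/tcp']) %}

# Persist the selection in the config file so it survives a reboot and is
# visible to "grep DefaultZone /etc/firewalld/firewalld.conf" even if the
# daemon was not running when the state was applied (e.g. during an image build).
firewalld_conf_default_zone:
  file.replace:
    - name: /etc/firewalld/firewalld.conf
    - pattern: '^DefaultZone=.*$'
    - repl: 'DefaultZone={{ default_zone }}'
    - append_if_not_found: True

# Apply the same selection to the running daemon. The preserved ports are
# added to the chosen zone (not pruned), so selecting "drop" still leaves
# SSH reachable. Skipped when firewalld is not active.
firewalld_runtime_default_zone:
  firewalld.present:
    - name: {{ default_zone }}
    - default: True
    - ports:
{%- for port in preserved_ports %}
      - {{ port }}
{%- endfor %}
    - onlyif: systemctl is-active --quiet firewalld
    - require:
      - file: firewalld_conf_default_zone
```

A site that relies on ping-sweeping scanners would set ash-linux:lookup:firewalld_default_zone to a zone that answers ICMP (for example public) instead of the drop default; after a highstate, firewall-cmd --get-default-zone and the grep from the reproduction steps should agree on the selected value.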