Open ferricoxide opened 4 years ago
When either `ash-linux.el7.stig` or `ash-linux.el7.VendorSTIG` is invoked, `ash-linux.el7.Miscellaneous.firewalld_safeties` gets invoked. The `firewalld_safeties` state was written to ensure that 22/tcp access would be preserved if the "Drop" policy was selected, but it looks like the actual selection isn't being done anywhere: need to add a policy-selector state and make the desired state site-selectable (since switching to Drop, across the board, will break any sites' scanners that rely on ping-sweeps to identify scan-targets).
**Describe the bug**

After running relevant formula-content, the `DefaultZone` value in `/etc/firewalld/firewalld.conf` is still set to `public`.

Note: may be a consequence of #247
**To Reproduce**

Steps to reproduce the behavior:

1. Run the `oscap` utility using the "stig" profile for scan.
2. Run `grep DefaultZone /etc/firewalld/firewalld.conf`.

**Expected behavior**

Running the `oscap` utility using the "stig" profile for scan should not produce an error for the named test; executing `grep DefaultZone /etc/firewalld/firewalld.conf` should return `drop`.
**Fix Suggestions**

Add a post-`oscap` remediation to prevent the finding. No RHEL STIG ID has yet been assigned. Add a handler to the `ash-linux-formula/ash-linux/el7/Miscellaneous/` content-directory.
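The policy-selector state described at the top of the issue and in the fix suggestions could look like the following. This is an added example, not code from ash-linux-formula; the pillar key `ash-linux:lookup:firewalld_default_zone` and the state IDs are assumptions, and the selector defaults to `public` so that `drop` is an explicit per-site opt-in.

```yaml
# Added example (not from ash-linux-formula): site-selectable DefaultZone.
# Pillar key below is assumed; default stays 'public' so sites that rely on
# ping-sweep discovery are not broken unless they opt in to 'drop'.
{%- set zone = salt['pillar.get']('ash-linux:lookup:firewalld_default_zone', 'public') %}

{%- if zone == 'drop' %}
# Safety: make sure ssh (22/tcp) is permitted in the drop zone before it
# becomes the default, so remote management is not cut off.
firewalld_drop_zone_allow_ssh:
  cmd.run:
    - name: firewall-cmd --permanent --zone=drop --add-service=ssh
    - unless: firewall-cmd --permanent --zone=drop --query-service=ssh
    - require_in:
      - file: firewalld_default_zone
{%- endif %}

# Set DefaultZone in firewalld.conf to the site-selected value.
firewalld_default_zone:
  file.replace:
    - name: /etc/firewalld/firewalld.conf
    - pattern: '^DefaultZone=.*$'
    - repl: 'DefaultZone={{ zone }}'
    - append_if_not_found: True

# Restart firewalld only when the config actually changed.
firewalld_reload:
  service.running:
    - name: firewalld
    - enable: True
    - watch:
      - file: firewalld_default_zone
```

After a highstate with the pillar set to `drop`, `grep DefaultZone /etc/firewalld/firewalld.conf` returns `DefaultZone=drop`, which is the condition the expected-behavior check above looks for.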