tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The baseline should be defined in Hiera. The purpose of the module is to make it possible to set up a complete security baseline that does not necessarily have to follow industry security guides such as the CIS benchmarks.
Apache License 2.0
16 stars, 10 forks

Firewalld installation is broken #22

Closed parryb closed 1 year ago

parryb commented 1 year ago

If the rule cis_security_hardening::rules::firewalld_install::enforce: true exists, Puppet will install firewalld and its dependents iptables, nftables and a few other packages. The next statement then removes iptables and nftables, which also removes firewalld!!!

```puppet
$pkgs_remove = $facts['operatingsystem'].downcase() ? {
  'sles'  => ['nftables'],
  default => ['nftables', 'iptables-services'],
}
```

The configuration and start up of Firewalld then fails. I think the above code can just be removed and cleaned up.

Firewalld is a frontend for iptables or nftables, nftables being the default in RHEL8 and iptables in RHEL7. I'm also not sure about disabling the nftables/iptables services, as they provide the firewall capabilities, not firewalld, which is a front end for whichever service you use.
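The install-then-remove ordering described in the issue can be avoided by making the package removal conditional on whether firewalld is being enforced. The manifest below is an added example, not code from the cis_security_hardening module or from the issue author; the `lookup()` of the module's `enforce` parameter and the `$legacy_pkgs` name are assumptions made for illustration. It keeps the backend package that firewalld depends on installed and only stops the competing service, because removing the nftables package on RHEL 8 takes firewalld with it as a dependency.

```puppet
# Added example, not code from the cis_security_hardening module.
# Assumption: the firewalld_install rule's enforce flag is available via lookup().
$enforce_firewalld = lookup(
  'cis_security_hardening::rules::firewalld_install::enforce',
  Boolean, 'first', false
)

# Same package list as in the issue, keyed on the structured os fact.
# iptables-services ships iptables.service; nftables ships nftables.service.
$legacy_pkgs = $facts['os']['name'].downcase() ? {
  'sles'  => ['nftables'],
  default => ['nftables', 'iptables-services'],
}

if $enforce_firewalld {
  # firewalld pulls its backend in as an RPM dependency (nftables on RHEL 8,
  # iptables on RHEL 7), so that package must stay installed.
  package { 'firewalld':
    ensure => installed,
  }

  # Stop the competing service instead of removing its package:
  # 'dnf remove nftables' on RHEL 8 would also remove firewalld.
  # firewalld.service already declares Conflicts= on nftables.service, so
  # disabling it here only makes the intent explicit in Puppet.
  service { 'nftables':
    ensure => stopped,
    enable => false,
    before => Service['firewalld'],
  }

  service { 'firewalld':
    ensure  => running,
    enable  => true,
    require => Package['firewalld'],
  }
} else {
  # Only when firewalld is not wanted is it safe to purge the legacy packages.
  package { $legacy_pkgs:
    ensure => purged,
  }
}
```

Before applying a change like this, a dry run (`puppet agent --test --noop`) shows which packages the catalog would remove; on the host itself `dnf remove --assumeno nftables` lists the dependents that would go with it, which is the quickest way to confirm whether firewalld is among them on a given release.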