Firewall technology related rules per service and package change logic according to interactive profile variable #11818
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
teacup-on-rockingchair
added
Ansible
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( rpm --quiet -q iptables && rpm --quiet -q kernel ); then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q iptables ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'iptables.service'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -30,8 +30,8 @@
masked: false
when:
- '"iptables" in ansible_facts.packages'
- when: ( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages
- )
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "iptables" in ansible_facts.packages )
tags:
- CCE-85961-1
- NIST-800-53-AC-4
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,3 +1,3 @@
+oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-package_iptables:def:1
oval:ssg-service_disabled_firewalld:def:1
-oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( rpm --quiet -q nftables && rpm --quiet -q kernel ); then
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nftables.service'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -25,8 +25,8 @@
masked: false
when:
- '"nftables" in ansible_facts.packages'
- when: ( "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages
- )
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "nftables" in ansible_facts.packages )
tags:
- CCE-86725-9
- enable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -1,3 +1,3 @@
+oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-package_nftables:def:1
oval:ssg-service_disabled_firewalld:def:1
-oval:ssg-system_with_kernel:def:1 |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
jan-cerny
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/test all |
|
/packit build |
teacup-on-rockingchair
force-pushed
the
firewall_by_profile_variable
branch
from
6188277 to
fc100a9
Compare
|
should we change this pr to work across different vendors? |
For the moment it is not necessary for Oracle Linux |
teacup-on-rockingchair
force-pushed
the
firewall_by_profile_variable
branch
from
fc100a9 to
87ba124
Compare
|
ping |
teacup-on-rockingchair
force-pushed
the
firewall_by_profile_variable
branch
from
87ba124 to
f2480f3
Compare
… by ext varaiable The idea is the oval checks and remediation to check provided external variable, and thus honour if really to check/install/remove certain package or service
…et to be nftables
…set to be firewalld or iptables
…echnology is set to be firewalld or iptables
… is set to be iptables
…set to be iptables
…s set to be nftables or iptables
…y is set to be nftables or iptables
… set to be firewalld
…y is set to be firewalld
Given variable should actually mark the state in which package should not be removed because it is needed by the setup
teacup-on-rockingchair
force-pushed
the
firewall_by_profile_variable
branch
from
f2480f3 to
504b19e
Compare
|
Code Climate has analyzed commit 504b19e and detected 6 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Rationale:
Review Hints:
scap-workbenchor similar tool, or define a new alternative profile to the original one (CIS is currently the one having conflicting rules ) , or via command line arguments of theoscaptool, if that is the weapon of choice to run checks and remediations.