Firewall technology related rules per service and package change logic according to interactive profile variable

linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml

@@ -47,10 +47,20 @@ fixtext: |-
 
     {{{ package_install("firewalld") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_installed_guard_var
+    vars:
+        pkgname: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: package_installed
     vars:
         pkgname: firewalld
+{{%- endif %}}
+
 
 srg_requirement:
     {{{ full_name }}} must have the firewalld package installed.

linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml

@@ -54,7 +54,17 @@ fixtext: |-
 
 srg_requirement: '{{{ srg_requirement_service_enabled("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: firewalld
+        servicename: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: firewalld
+{{%- endif %}}

linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml

@@ -27,7 +27,16 @@ references:
 
 fixtext: '{{{ fixtext_package_removed("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_removed_guard_var
+    vars:
+        pkgname: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: package_removed
     vars:
         pkgname: firewalld
+{{%- endif %}}

linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml

@@ -12,7 +12,7 @@ description: |-
     {{{ describe_service_disable(service="firewalld") }}}
 
 rationale: |-
-    Running Firewalld along other service with the same functionality may lead to conflict 
+    Running Firewalld along other service with the same functionality may lead to conflict
     and unexpected results.
 
 severity: medium
@@ -36,8 +36,18 @@ fixtext: '{{{ fixtext_service_disabled("firewalld") }}}'
 
 srg_requirement: '{{{ srg_requirement_service_disabled("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_disabled_guard_var
+    vars:
+        packagename: firewalld
+        servicename: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: service_disabled
     vars:
         servicename: firewalld
         packagename: firewalld
+{{%- endif %}}

linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml

@@ -34,8 +34,18 @@ ocil: |-
     <br /><br />
     {{{ ocil_service_enabled(service="ip6tables") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: iptables
+        servicename: iptables
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: ip6tables
         packagename: iptables-ipv6
+{{%- endif %}}

linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml

@@ -29,12 +29,22 @@ references:
     nist: AC-4,CM-7(b),CA-3(5),SC-7(21),CM-6(a)
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
 
-platform: system_with_kernel and package[iptables] and service_disabled[firewalld]
+platform: machine and package[iptables] and service_disabled[firewalld]
 
 ocil: |-
     {{{ ocil_service_enabled(service="iptables") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: ip6tables
+        servicename: iptables-ipv6
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: iptables
+{{%- endif %}}

linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml

@@ -34,7 +34,16 @@ ocil_clause: 'the package is not installed'
 
 ocil: '{{{ ocil_package(package="iptables") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_installed_guard_var
+    vars:
+        pkgname: iptables
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: package_installed
     vars:
         pkgname: iptables
+{{%- endif %}}

linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml

@@ -25,7 +25,17 @@ references:
 
 fixtext: '{{{ fixtext_package_removed("nftables") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_removed_guard_var
+    vars:
+        pkgname: nftables
+        variable: var_network_filtering_service
+        value: firewalld|nftables
+        operation: pattern match
+{{%- else %}}
 template:
     name: package_removed
     vars:
         pkgname: nftables
+{{%- endif %}}

linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml

@@ -36,8 +36,18 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}'
 
 platform: system_with_kernel and package[nftables] and package[firewalld]
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_disabled_guard_var
+    vars:
+        packagename: nftables
+        servicename: nftables
+        variable: var_network_filtering_service
+        value: nftables
+{{%- else %}}
 template:
     name: service_disabled
     vars:
         servicename: nftables
         packagename: nftables
+{{%- endif %}}

linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml

@@ -32,9 +32,21 @@ ocil: |-
 fixtext: |-
     {{{ fixtext_service_enabled("nftables") }}}
 
-platform: system_with_kernel and package[nftables] and service_disabled[firewalld]
 
+platform: machine and package[nftables] and service_disabled[firewalld]
+
+
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: nftables
+        servicename: nftables
+        variable: var_network_filtering_service
+        value: nftables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: nftables
+{{%- endif %}}

linux_os/guide/system/network/var_network_filtering_service.var

@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Network filtering service'
+
+description: |-
+   Network filtering service: iptables, nftables, firewalld or ufw
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    iptables: iptables
+    nftables: nftables
+    firewalld: firewalld
+    ufw: ufw
+    default: firewalld

products/sle12/profiles/default.profile

@@ -12,6 +12,7 @@ description: |-
     is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - var_network_filtering_service=iptables
     - accounts_user_dot_user_ownership
     - service_timesyncd_enabled
     - gnome_gdm_disable_xdmcp

products/sle15/profiles/cis.profile

@@ -21,6 +21,7 @@ description: |-
 
 selections:
     - cis_sle15:all:l2_server
+    - var_network_filtering_service=firewalld
 # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'

products/sle15/profiles/default.profile

@@ -12,6 +12,7 @@ description: |-
     is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - var_network_filtering_service=firewalld
     - accounts_user_dot_user_ownership
     - service_timesyncd_enabled
     - gnome_gdm_disable_xdmcp

shared/macros/10-oval.jinja

@@ -1702,3 +1702,32 @@ Generates an OVAL check that checks a particular field in the "/etc/shadow" file
   {{%- endif %}}
 {{%- endif %}}
 {{%- endmacro -%}}
+
+{{#
+  Macro to check if external variable is set to value
+  :param variable: Name of the external variable to check
+  :type variable: str
+  :param value: Value of the external variable
+  :type value: str
+  :param test_id: Suffix of the Ids in test, obj, and state elements
+  :type test_id: str
+  :param operation: Value operation
+  :type operation: str
+#}}
+{{%- macro oval_test_external_variable_value(variable,value,test_id='',operation='equals') -%}}
+  <ind:variable_test id="{{{ test_id }}}"
+  comment="Check external {{{ variable }}} is set to {{{ value }}}" check="all" version="1">
+    <ind:object object_ref="obj_{{{ test_id }}}"/>
+    <ind:state state_ref="ste_{{{ test_id }}}" />
+  </ind:variable_test>
+
+  <ind:variable_object id="obj_{{{ test_id }}}" version="1">
+    <ind:var_ref>{{{ variable }}}</ind:var_ref>
+  </ind:variable_object>
+  <ind:variable_state id="ste_{{{ test_id }}}" version="1">
+    <ind:value operation="{{{ operation }}}" datatype="string">{{{ value }}}</ind:value>
+  </ind:variable_state>
+
+  <external_variable comment="External variable {{{ variable }}}" datatype="string" id="{{{ variable }}}" version="1" />
+
+{{%- endmacro -%}}

shared/templates/package_installed_guard_var/ansible.template

@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is installed
+  package:
+    name: "{{{ PKGNAME }}}"
+    state: present
+{{% if OPERATION == "pattern match" %}}
+  when: {{{ VARIABLE }}} is regex("{{{ VALUE }}}")
+{{% else %}}
+  when: {{{ VARIABLE }}} == "{{{ VALUE }}}"
+{{% endif %}}

shared/templates/package_installed_guard_var/bash.template

@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+  if [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
+    {{{ bash_package_install(package=PKGNAME) }}}
+  fi
+{{% else %}}
+  if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then
+    {{{ bash_package_install(package=PKGNAME) }}}
+  fi
+{{% endif %}}

shared/templates/package_installed_guard_var/oval.template

@@ -0,0 +1,26 @@
+<def-group>
+  {{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+  {{% if OPERATION is defined %}}
+    {{%- set variable_value_op = OPERATION -%}}
+  {{% else %}}
+    {{%- set variable_value_op = "equals" -%}}
+  {{% endif %}}
+  <definition class="compliance" id="{{{ _RULE_ID }}}"
+  version="1">
+    {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_sle"]) }}}
+    <criteria operator="OR" comment="package {{{ PKGNAME }}} is installed or not needed">
+      <criteria comment="{{{ PKGNAME }}} is not needed" operator="AND">
+        <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"
+        test_ref="{{{ variable_value_test_id }}}" negate="true"/>
+      </criteria>
+      <criteria comment="package {{{ PKGNAME }}} is installed and needed" operator="AND">
+        <criterion comment="package {{{ PKGNAME }}} is installed"
+        test_ref="test_package_{{{ PKGNAME }}}_installed" />
+        <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"
+        test_ref="{{{ variable_value_test_id }}}" />
+      </criteria>
+    </criteria>
+  </definition>
+{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+{{{ oval_test_package_installed(package=PKGNAME, evr=EVR, test_id="test_package_"+PKGNAME+"_installed") }}}
+</def-group>

shared/templates/package_installed_guard_var/template.py

@@ -0,0 +1,12 @@
+import re
+
+
+def preprocess(data, lang):
+    if "evr" in data:
+        evr = data["evr"]
+        if evr and not re.match(r'\d:\d[\d\w+.]*-\d[\d\w+.]*', evr, 0):
+            raise RuntimeError(
+                "ERROR: input violation: evr key should be in "
+                "epoch:version-release format, but package {0} has set "
+                "evr to {1}".format(data["pkgname"], evr))
+    return data

shared/templates/package_installed_guard_var/template.yml

@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval

shared/templates/package_removed_guard_var/ansible.template

@@ -0,0 +1,18 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is removed
+  package:
+    name: "{{{ PKGNAME }}}"
+    state: absent
+  when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% if OPERATION == "pattern match" %}}
+  when: {{{ VARIABLE }}} is not regex("{{{ VALUE }}}")
+{{% else %}}
+  when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% endif %}}