
Add remediation for RHEL-08-040090 #427

Merged (3 commits), Aug 1, 2023

Conversation

ferricoxide (Member)

It appears that the OSCAP content already takes care of this, but this will still show up on some hardening-scans. Adding this state to make it easier to point auditors to a block of code that easily tells them, "yes, watchmaker is setting this, appropriately"

Closes #422

@ferricoxide ferricoxide requested a review from a team July 3, 2023 16:21
It _appears_ that the OSCAP content already takes care of this, but this
will still show up on _some_ hardening-scans. Adding this state to make
it easier to point to code that, "yes, watchmaker _is_ setting this,
appropriately"

Closes plus3it#422
@lorengordon lorengordon left a comment


Curious about the choice of onchanges...? Seems the states ought to be safe to use just requires, due to unless for module.run and firewalld.present already being stateful?

@ferricoxide (Member Author)

Modifications to firewalld can happen to either the running (in-memory) or the on-disk configuration. The two conditionals are meant to account for both:

  • the onchanges detects that the on-disk configuration has been changed
  • the unless detects the in-memory (i.e., "active") configuration-status

Basically, tried to implement an "update the running configuration IFF there was a change on disk and the current running-configuration is not the target state."
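An illustration of the onchanges-plus-unless pattern described above, added here as an example; it is not the state file from this PR or from the watchmaker/ash-linux project. A firewalld.present state records the drop default zone, and a reload state fires only when that state reported a change (on-disk) and only if the runtime default zone is not already drop (in-memory). The state ID "Set Minimum Ports" and the name "drop" follow the test output quoted later in the thread; using cmd.run with `firewall-cmd --reload` for the reload step and the shell test inside unless are assumptions made for this example.

```yaml
# Added example (not the project's own SLS). Shows the onchanges + unless
# combination: onchanges tracks the on-disk change, unless checks the
# running (in-memory) state.

# On-disk target: make the 'drop' zone the default zone.
Set Minimum Ports:
  firewalld.present:
    - name: drop
    - default: True

# Runtime target: reload firewalld only when
#   (a) the state above reported a change (onchanges -> on-disk changed), AND
#   (b) the running default zone is not already 'drop' (unless -> in-memory check).
# If (a) fires but (b) finds the runtime already matches, the reload is skipped
# and the state reports "unless condition is true" rather than running.
Reload firewalld runtime config:
  cmd.run:
    - name: firewall-cmd --reload
    - onchanges:
      - firewalld: Set Minimum Ports
    - unless:
      - test "$(firewall-cmd --get-default-zone)" = "drop"
```

The onchanges entry names the prerequisite by its module and state ID, so the reload is only considered after a change from firewalld.present; the unless test then guards against a redundant reload when the active configuration already matches. Running `firewall-cmd --get-default-zone` by hand is also the quickest way to show an auditor the effective (runtime) value.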

@ferricoxide ferricoxide requested review from lorengordon and a team July 13, 2023 13:25
Probably don't strictly *need* a dependency-path for this one, but going
to leave it here until it proves problematic
lorengordon
lorengordon previously approved these changes Jul 20, 2023
@lorengordon lorengordon dismissed their stale review July 20, 2023 21:38

tests not passing

@ferricoxide (Member Author)

ferricoxide commented Jul 21, 2023

Yeah. I saw the failure:

----------
          ID: Set Minimum Ports
    Function: firewalld.present
        Name: drop
      Result: False
     Comment: State 'firewalld.present' was not found in SLS 'ash-linux.el8.STIGbyID.cat2.RHEL-08-040090'
              Reason: 'firewalld' __virtual__ returned False: firewall-cmd is not available, firewalld is probably not installed.

But I was tied up with other tasks and didn't get to figure out why it didn't like that. I mean, firewalld.present looks to be a valid module?

I'll get to it next week.

@ferricoxide (Member Author)

Ah. Ok. Not so much:

State 'firewalld.present' was not found in SLS 'ash-linux.el8.STIGbyID.cat2.RHEL-08-040090'

As:

Reason: 'firewalld' __virtual__ returned False: firewall-cmd is not available, firewalld is probably not installed.

Guessing the VM-setup for the testing-container is missing the setup tasks that were in the EL7-based testing-containers.

Also: dependency-assertion is 'require' not 'requires'

@ferricoxide (Member Author)

Looks like firewalld was in the EL7-specific test-setup file but not EL8's. Since it needs to be in both – and will likely need to be in any future ELx platforms we need to support, I cut it from the EL7-specific test-setup and moved it to the common setup file.

@ferricoxide ferricoxide merged commit 36744fa into plus3it:master Aug 1, 2023
10 checks passed
@ferricoxide ferricoxide deleted the Issue_422 branch August 21, 2023 12:11
Linked issue: [ENHANCEMENT] Add handler for EL8 V-230504