[BUG] When remediating/validating with "stig" profile, Default firewalld Zone for Incoming Packets not properly set #285

Open
ferricoxide opened this issue Feb 5, 2020 · 1 comment

@ferricoxide
Member

ferricoxide commented Feb 5, 2020

Describe the bug

After running the relevant formula content, the DefaultZone value in /etc/firewalld/firewalld.conf is still set to public.

Note: may be consequence of #247

To Reproduce
Steps to reproduce the behavior:

  1. Launch fresh spel AMI (etc.)
  2. Run watchmaker using "stig" profile for remediation
  3. Reboot system
  4. Run oscap utility using "stig" profile for scan
  5. Validate reported error is legitimate (execute grep DefaultZone /etc/firewalld/firewalld.conf)

Expected behavior
Running the oscap utility with the "stig" profile for the scan should not produce an error for the named test; executing grep DefaultZone /etc/firewalld/firewalld.conf should return drop.

Fix Suggestions

Add a post-oscap remediation to prevent the finding. No RHEL STIG ID has yet been assigned. Add a handler to the ash-linux-formula/ash-linux/el7/Miscellaneous/ content directory.

@ferricoxide
Member Author

When either ash-linux.el7.stig or ash-linux.el7.VendorSTIG is invoked, ash-linux.el7.Miscellaneous.firewalld_safeties gets invoked. The firewalld_safeties state was written to ensure that 22/tcp access would be preserved if the "Drop" policy was selected, but it looks like the actual selection isn't being done anywhere: need to add a policy-selector state and make the desired state site-selectable (since switching to Drop across the board will break any sites' scanners that rely on ping-sweeps to identify scan targets).
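The check in step 5 of the report, and the safety concern raised in the comment above, can be exercised offline with the following shell functions. This is an added example, not code from the issue or from ash-linux-formula: it works on a constructed copy of firewalld.conf and a constructed drop-zone XML file, the target zone (SITE_DEFAULT_ZONE) is an assumed site-selectable setting, and the file-level rewrite stands in for what `firewall-cmd --set-default-zone` would do on a live host.

```shell
#!/bin/sh
# Added example (not part of the issue or of ash-linux-formula):
# audit the firewalld DefaultZone setting, remediate it in a config copy,
# and confirm the chosen zone still admits ssh before it is made default.

# Assumed site-selectable target zone (the report wants "drop"; sites that
# depend on ping-sweep discovery may choose otherwise).
SITE_DEFAULT_ZONE="${SITE_DEFAULT_ZONE:-drop}"

# Constructed sample config mirroring the failure in the report:
# DefaultZone is still "public" after remediation ran.
SAMPLE_CONF="${TMPDIR:-/tmp}/firewalld.conf.example.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Lockdown
Lockdown=no
EOF

# Constructed sample zone file, modelled on a drop zone to which the
# firewalld_safeties state has added the ssh service.
SAMPLE_ZONE="${TMPDIR:-/tmp}/drop.xml.example.$$"
cat > "$SAMPLE_ZONE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
  <service name="ssh"/>
</zone>
EOF

# Print the effective DefaultZone: ignore comment lines, last assignment wins.
get_default_zone() {
    sed -n 's/^[[:space:]]*DefaultZone[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 when the file's DefaultZone equals the wanted zone, 1 otherwise.
# (Same question as "grep DefaultZone /etc/firewalld/firewalld.conf".)
check_default_zone() {
    [ "$(get_default_zone "$1")" = "$2" ]
}

# Return 0 when the zone XML file admits the named service.
zone_allows_service() {
    grep -q "<service name=\"$2\"/>" "$1"
}

# Rewrite (or append) the DefaultZone line in a config file.
# Portable rewrite via a temp file instead of sed -i.
set_default_zone() {
    conf=$1
    zone=$2
    if grep -q '^[[:space:]]*DefaultZone[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*DefaultZone[[:space:]]*=.*/DefaultZone=$zone/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'DefaultZone=%s\n' "$zone" >> "$conf"
    fi
}

# Guarded remediation: refuse to make a zone the default unless it still
# admits ssh, which is the guarantee firewalld_safeties is meant to provide.
remediate_default_zone() {
    conf=$1
    zonefile=$2
    zone=$3
    if ! zone_allows_service "$zonefile" ssh; then
        echo "refusing: zone '$zone' does not admit ssh" >&2
        return 2
    fi
    set_default_zone "$conf" "$zone"
}

# Audit only at top level (no mutation), so the sample stays reusable.
if check_default_zone "$SAMPLE_CONF" "$SITE_DEFAULT_ZONE"; then
    echo "PASS: DefaultZone is $SITE_DEFAULT_ZONE"
else
    echo "FAIL: DefaultZone is $(get_default_zone "$SAMPLE_CONF"), want $SITE_DEFAULT_ZONE"
fi
```

Run with `SITE_DEFAULT_ZONE=drop sh example.sh` to reproduce the failing audit from the report; calling `remediate_default_zone "$SAMPLE_CONF" "$SAMPLE_ZONE" drop` afterwards flips the config copy and the audit passes. The ssh guard is the piece the comment above says is missing: selecting the zone is not enough on its own, the selector also has to confirm the zone it is about to apply keeps 22/tcp reachable.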
