To Reproduce
Steps to reproduce the behavior:
1. Run watchmaker using the "stig" profile for remediation
2. Reboot the system
3. Run the oscap utility using the "stig" profile for a scan
4. Validate that the reported error is legitimate (execute grep DefaultZone /etc/firewalld/firewalld.conf)
Expected behavior
Running the oscap utility using the "stig" profile for a scan should not produce an error for the named test; executing grep DefaultZone /etc/firewalld/firewalld.conf should return drop.
Fix Suggestions
Add a post-oscap remediation to prevent the finding. No RHEL STIG ID has yet been assigned. Add a handler to the ash-linux-formula/ash-linux/el7/Miscellaneous/ content directory.
When either ash-linux.el7.stig or ash-linux.el7.VendorSTIG is invoked, ash-linux.el7.Miscellaneous.firewalld_safeties gets invoked. The firewalld_safeties state was written to ensure that 22/tcp access would be preserved if the "Drop" policy was selected, but it looks like the actual selection isn't being done anywhere: need to add a policy-selector state and make the desired state site-selectable (since switching to Drop, across the board, will break any site's scanners that rely on ping-sweeps to identify scan-targets).
Describe the bug
After running the relevant formula content, the DefaultZone value in /etc/firewalld/firewalld.conf is still set to public.
Note: may be a consequence of #247
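The DefaultZone check from the reproduction steps, together with a site-selectable zone switch that keeps the 22/tcp safety described in the comment above, as an added example that is not part of this issue or of ash-linux-formula. The zone names, file layout and sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from ash-linux-formula or this issue. It checks the
# DefaultZone finding reported here and applies a site-selected zone only when
# that zone still admits SSH, the safety firewalld_safeties is meant to preserve.
# Assumed layout: firewalld.conf holds "DefaultZone=<zone>" and zone files live
# at <zonedir>/<zone>.xml. Editing the file alone does not change a live host;
# firewalld must also be reloaded, which this offline example does not do.

# Print the DefaultZone value from a firewalld.conf (empty if unset).
default_zone() {
    sed -n 's/^[[:space:]]*DefaultZone[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed if a zone file admits SSH, either as the ssh service or as 22/tcp.
zone_allows_ssh() {
    grep -Eq '<service[[:space:]]+name="ssh"' "$1" ||
        grep -Eq '<port[^>]*port="22"[^>]*protocol="tcp"' "$1" ||
        grep -Eq '<port[^>]*protocol="tcp"[^>]*port="22"' "$1"
}

# check_firewalld CONF ZONEDIR WANTED: rc 0 = compliant, rc 1 = DefaultZone is
# not WANTED (this issue's finding), rc 2 = WANTED is set but would lock out SSH.
check_firewalld() {
    zone=$(default_zone "$1")
    [ "$zone" = "$3" ] || { echo "DefaultZone is '${zone:-unset}', expected '$3'" >&2; return 1; }
    zone_allows_ssh "$2/$zone.xml" || { echo "zone '$zone' would drop 22/tcp" >&2; return 2; }
}

# set_default_zone CONF ZONEDIR WANTED: rewrite DefaultZone, refusing (rc 2) if
# WANTED does not admit SSH. Writes via a temp file so it works without sed -i.
set_default_zone() {
    zone_allows_ssh "$2/$3.xml" || { echo "refusing: zone '$3' would drop 22/tcp" >&2; return 2; }
    grep -q '^[[:space:]]*DefaultZone[[:space:]]*=' "$1" || echo "DefaultZone=$3" >> "$1"
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*DefaultZone[[:space:]]*=.*/DefaultZone=$3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample files mirroring the state reported in the issue.
demo=$(mktemp -d)
mkdir -p "$demo/zones"
printf 'DefaultZone=public\nLockdown=no\n' > "$demo/firewalld.conf"
printf '<zone target="DROP">\n  <service name="ssh"/>\n</zone>\n' > "$demo/zones/drop.xml"
printf '<zone target="DROP">\n</zone>\n' > "$demo/zones/block_all.xml"

check_firewalld "$demo/firewalld.conf" "$demo/zones" drop || echo "finding reproduced (rc=$?)"
set_default_zone "$demo/firewalld.conf" "$demo/zones" drop
check_firewalld "$demo/firewalld.conf" "$demo/zones" drop && echo "remediated: DefaultZone=$(default_zone "$demo/firewalld.conf")"
```

On a real host, CONF is /etc/firewalld/firewalld.conf and ZONEDIR is /etc/firewalld/zones (with the stock definitions under /usr/lib/firewalld/zones); the stock drop zone admits no services, so the check returns rc 2 there until ssh has been added to it, which is the gap the safety state is meant to close.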