Merge pull request #10740 from teacup-on-rockingchair/add_firewall_pa…

…ckage_variables Add platform package variables for firewalld and iptables
ComplianceAsCode · Jun 26, 2023 · 0fbcf6b · 0fbcf6b
2 parents deda11e + 7172933
commit 0fbcf6b
Show file tree

Hide file tree

Showing 18 changed files with 35 additions and 3 deletions.
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml
@@ -13,6 +13,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@rhel8: CCE-86506-3
     cce@rhel9: CCE-86507-1

diff --git a/.../system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/.../system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -14,6 +14,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@rhcos4: CCE-82554-7
     cce@rhel7: CCE-80998-8

diff --git a/...stem/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml b/...stem/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
@@ -18,6 +18,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@sle15: CCE-92472-0
 

diff --git a/...ystem/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/...ystem/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
@@ -20,6 +20,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@rhel7: CCE-27349-0
     cce@rhel8: CCE-80890-7

diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
@@ -15,6 +15,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@rhel7: CCE-86109-6
     cce@rhel8: CCE-86111-2

diff --git a/...e/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/...e/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
@@ -21,6 +21,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 identifiers:
     cce@sle15: CCE-92552-9
 

diff --git a/linux_os/guide/system/network/network-iptables/ensure_iptables_are_flushed/rule.yml b/linux_os/guide/system/network/network-iptables/ensure_iptables_are_flushed/rule.yml
@@ -14,6 +14,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 identifiers:
     cce@sle15: CCE-92523-0
 

diff --git a/...de/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/...de/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
@@ -11,6 +11,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 identifiers:
     cce@rhel8: CCE-85955-3
     cce@rhel9: CCE-85960-3

diff --git a/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -11,6 +11,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 identifiers:
     cce@rhel8: CCE-85961-1
     cce@rhel9: CCE-85962-9

diff --git a/...e/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml b/...e/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule/rule.yml
@@ -20,7 +20,7 @@ rationale: |-
 
 severity: medium
 
-platform: not package[nftables] and not package[ufw]
+platform: not package[nftables] and not package[ufw] and package[iptables]
 
 identifiers:
     cce@rhel7: CCE-86718-4

diff --git a/...de/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/...de/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
 
 severity: medium
 
-platform: not package[nftables] and not package[ufw]
+platform: not package[nftables] and not package[ufw] and package[iptables]
 
 identifiers:
     cce@sle12: CCE-92215-3

diff --git a/...s/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/...s/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
 
 severity: medium
 
-platform: not package[nftables] and not package[ufw]
+platform: not package[nftables] and not package[ufw] and package[iptables]
 
 identifiers:
     cce@sle12: CCE-92214-6

diff --git a/...x_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml b/...x_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml
@@ -13,6 +13,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 references:
     cis@ubuntu2004: 3.5.3.1.1
     cis@ubuntu2204: 3.5.3.1.1

diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml
@@ -13,6 +13,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 references:
     cis@ubuntu2004: 3.5.1.2
     cis@ubuntu2204: 3.5.1.2

diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml
@@ -15,6 +15,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 identifiers:
     cce@rhel8: CCE-85982-7
 

diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
@@ -16,6 +16,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[iptables]
+
 identifiers:
     cce@rhel7: CCE-86678-0
     cce@rhel8: CCE-86679-8

diff --git a/linux_os/guide/system/network/network_implement_access_control/rule.yml b/linux_os/guide/system/network/network_implement_access_control/rule.yml
@@ -60,6 +60,8 @@ rationale: |-
 
 severity: medium
 
+platform: package[firewalld]
+
 references:
     disa: CCI-000366
     nist: CM-6 b,CM-6.1(iv)

diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
@@ -12,12 +12,16 @@ args:
     {{% endif %}}
   chrony:
     pkgname: chrony
+  firewalld:
+    pkgname: firewalld
   gdm:
     {{% if pkg_system == "rpm" %}}
     pkgname: gdm
     {{% else %}}
     pkgname: gdm3
     {{% endif %}}
+  iptables:
+    pkgname: iptables
   libuser:
     pkgname: libuser
   net-snmp: