RHEL-08-040090 approach breaks existing firewalls (but fix is a simple file copy + 2 simple regexes) #267
hi @BJSmithIEEE Thank you for raising this issue and providing potential solutions. The reason it was originally written in such a way is to ensure only those services/ports that you want enabled for the firewall are in the new zone. Having said that, I can see where this may be of some use to some.
I hope this enables you to do what you need as well without breaking existing functionality for others. This is currently in the April_24 branch, awaiting some feedback before merge to devel. Many thanks, uk-bolly
I also realized no interface is assigned. We ran into that as well. We wrote a shell script to handle all this, including identifying the interface. Unfortunately it's on an airgap network, or I'd post it here. :)
Describe the Issue

RHEL-08-040090 implements (`tasks/fix-cat2.yml`) a new firewall zone with a target of `DROP` per STIG. But the existing approach fails to respect any and all existing rules on the default public zone, breaking existing firewalls and requiring manual configuration. This is wholly unnecessary (see Possible Solution).

Expected Behavior

Preserve existing configuration in the new firewall zone/target with minimal effort.

Actual Behavior

Discards all existing firewall configuration; only a few services in a manually populated variable (`rhel8stig_white_list_services`) are enabled.

Control(s) Affected

Finding V-230504
Version RHEL-08-040090

Additional Notes

Environments will be pre-configured with the Public zone. This should be leveraged via the following ...

Possible Solution

Propose this simple but effective solution to preserve the existing firewall.

In addition to checking if the new firewall zone is created (name in `rhel8stig_custom_firewall_zone`) and has a target of `DROP`, if it does not exist ... `public` (`/etc/firewalld/zones/public.xml`) as the new firewall zone `{{ rhel8stig_custom_firewall_zone }}` (`/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml`), then apply these two substitutions to the copy (the target value must be quoted for firewalld to accept the zone file):

```
s/^\s*<zone>\s*$/<zone target="DROP">/
s/^\s*<short>\s*Public.*<\/short>/<short>{{ rhel8stig_custom_firewall_zone }}<\/short>/
```

Reload firewall, then add any missing whitelisted services (list in `rhel8stig_white_list_services`), if not already enabled. Again, this is such a simple solution that absolutely preserves all the configured services on the Public zone.