Firewall technology related rules per service and package change logic according to interactive profile variable #11818
should we change this pr to work across different vendors?

For the moment it is not necessary for Oracle Linux
… is set to be iptables
…set to be iptables
…s set to be nftables or iptables
…y is set to be nftables or iptables
… set to be firewalld
…y is set to be firewalld
The given variable should actually mark the state in which the package should not be removed because it is needed by the setup.

Thanks to @Mab879 for raising the flag; I missed that during rebase.

I removed myself as assignee as, unfortunately, I won't be able to review/test it again for the next few weeks.
Sorry for the late review. Hopefully we can get this moving along again.
.../guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
Co-authored-by: Matthew Burket <m@tthewburket.com>
Thanks to @Mab879 for the support
Code Climate has analyzed commit 8f0fdfe and detected 6 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
Waiving the Automatus tests as they pass locally.
Waiving the Code Climate issues as I don't think they are worth solving.
Overriding CODEOWNERS since @teacup-on-rockingchair cannot merge his own PRs.
Thanks @teacup-on-rockingchair for working on this for all this time.
```
{{{ bash_instantiate_variables(VARIABLE) }}}

{{% if OPERATION == "pattern match" %}}
if [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
```
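Review bot: the operands of `=~` in the `pattern match` branch look reversed: with `"{{{ VALUE }}}" =~ ${{{ VARIABLE }}}` the rule's constant is the subject and the profile variable's content is compiled as the regex, so a variable set to any substring of VALUE, to an empty string, or to a metacharacter such as `.` passes the guard. Consider `if [[ "${{{ VARIABLE }}}" =~ ^({{{ VALUE }}})$ ]]; then`, which makes the variable the subject and anchors the pattern so only a whole allowed service name matches.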
@teacup-on-rockingchair I think the operation here should be flipped.
The implementation searches for the VARIABLE regex inside VALUE, instead of searching for the VALUE regex in VARIABLE.
If `VALUE=firewalld|nftables`, then it will match when VARIABLE is set to any substring of VALUE, or an empty string, or regex special characters like `.`.
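The mismatch described in the comment above, reproduced as an added bash example (not code from the PR or the ComplianceAsCode project). `VALUE` stands for the template's `{{{ VALUE }}}` constant and `var_network_filtering_service` for the instantiated profile variable; the probe values are constructed.

```bash
#!/usr/bin/env bash
# Added example: contrasts the template's original guard with the flipped,
# anchored form suggested in review. VALUE mirrors {{{ VALUE }}}; the
# profile variable name is assumed from the PR discussion.

VALUE='firewalld|nftables'

# Original template logic: VALUE is the subject string and the variable's
# content is compiled as the regular expression.
original_check() {
    local var_network_filtering_service="$1"
    [[ "$VALUE" =~ $var_network_filtering_service ]]
}

# Suggested logic: the variable is the subject, VALUE is the regex, and the
# anchors ensure only a whole, exact service name satisfies the guard.
fixed_check() {
    local var_network_filtering_service="$1"
    [[ "$var_network_filtering_service" =~ ^(${VALUE})$ ]]
}

# Prints "match" or "no match" for one check function and one variable value.
describe() {
    if "$1" "$2"; then echo "match"; else echo "no match"; fi
}

# Returns 0 only if the given check yields the expected verdict for every
# probe: a legitimate value, a substring, the empty string, and a wildcard.
audit_check() {
    local fn="$1" i
    local -a probes=("nftables" "fire" "" ".")
    local -a expected=("match" "no match" "no match" "no match")
    for i in "${!probes[@]}"; do
        [ "$(describe "$fn" "${probes[$i]}")" = "${expected[$i]}" ] || return 1
    done
    return 0
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for v in "nftables" "fire" "" "."; do
        printf '%-12s original: %-9s fixed: %s\n' "'$v'" \
            "$(describe original_check "$v")" "$(describe fixed_check "$v")"
    done
fi
```

Running the script shows the original guard accepting `fire`, the empty string and `.`, while the anchored form accepts only `nftables`.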
This change modifies the firewall package/service rules to use the `..._guard_var` templates introduced in ComplianceAsCode#11818 to selectively install the firewall chosen by var_network_filtering_service. It also fixes the platform applicability on Ubuntu 24.04, since it both required firewalld and required that conflicting services be disabled when installing packages. This interfered with the logic introduced in the new templates and could result in a package/service not being installed/enabled. For example, if the user selected 'nftables' as their firewall using the new template and variable, the rule package_nftables_installed would still be marked as not applicable because the ufw service is enabled by default on some installations. The proposed solution removes the applicability check and installs the package depending only on the choice of var_network_filtering_service, irrespective of the status of the ufw service.

The variable is used to select the desired timesync service (systemd-timesync vs chrony) in package/service install/enable rules when using _guard_var templates. Analogous to var_network_filtering_service introduced in ComplianceAsCode#11818.
Review Hints:
scap-workbench or a similar tool, or define a new alternative profile to the original one (CIS is currently the one having conflicting rules), or via command line arguments of the oscap tool, if that is the weapon of choice to run checks and remediations.