|
 |
f6303c |
From 2f0f9914e94e2aaf614b530548d94354a8bcab2d Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 13 Oct 2022 18:59:06 +0200
|
|
|
f6303c |
Subject: [PATCH 01/14] Improve rule descriptions for
|
|
|
f6303c |
firewalld_sshd_port_enabled
|
|
|
f6303c |
|
|
|
f6303c |
It was also included the platform section since the scope of this rule
|
|
|
f6303c |
is only applicable to machines and not to containers.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../firewalld_sshd_port_enabled/rule.yml | 24 ++++++++++++++-----
|
|
|
f6303c |
1 file changed, 18 insertions(+), 6 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
index 77ba9d3cca4..9b96faf222d 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
@@ -5,14 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
|
|
f6303c |
title: 'Enable SSH Server firewalld Firewall Exception'
|
|
|
f6303c |
|
|
|
f6303c |
description: |-
|
|
|
f6303c |
- By default, inbound connections to SSH's port are allowed. If
|
|
|
f6303c |
- the SSH server is being used but denied by the firewall, this exception should
|
|
|
f6303c |
- be added to the firewall configuration.
|
|
|
f6303c |
+ If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
|
|
|
f6303c |
+ remote access through SSH. In more restrictive firewalld settings, the SSH port should be
|
|
|
f6303c |
+ added to the proper firewalld zone in order to allow SSH remote access.
|
|
|
f6303c |
|
|
|
f6303c |
{{{ describe_firewalld_allow(proto="tcp", service="ssh") }}}
|
|
|
f6303c |
|
|
|
f6303c |
rationale: |-
|
|
|
f6303c |
- If inbound SSH connections are expected, adding a firewall rule exception
|
|
|
f6303c |
+ If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone
|
|
|
f6303c |
will allow remote access through the SSH port.
|
|
|
f6303c |
|
|
|
f6303c |
severity: medium
|
|
|
f6303c |
@@ -28,11 +28,23 @@ references:
|
|
|
f6303c |
nist: AC-17(a),CM-6(b),CM-7(a),CM-7(b)
|
|
|
f6303c |
srg: SRG-OS-000096-GPOS-00050
|
|
|
f6303c |
|
|
|
f6303c |
-ocil_clause: 'sshd service is disabled by firewall'
|
|
|
f6303c |
+platform: machine
|
|
|
f6303c |
+
|
|
|
f6303c |
+ocil_clause: 'sshd service is not enabled in the proper firewalld zone'
|
|
|
f6303c |
+
|
|
|
f6303c |
ocil: |
|
|
|
f6303c |
{{{ ocil_firewalld_allow_access(port="22", proto="tcp", service="ssh") }}}
|
|
|
f6303c |
|
|
|
f6303c |
fixtext: |-
|
|
|
f6303c |
- Enable sshd in firewalld configuration.
|
|
|
f6303c |
+ Enable SSH service in firewalld configuration.
|
|
|
f6303c |
|
|
|
f6303c |
{{{ describe_firewalld_allow(proto="tcp", service="ssh") }}}
|
|
|
f6303c |
+
|
|
|
f6303c |
+warnings:
|
|
|
f6303c |
+ - general: |-
|
|
|
f6303c |
+ The remediation for this rule uses <tt>firewall-cmd</tt> and <tt>nmcli</tt> tools.
|
|
|
f6303c |
+ Therefore, it will only be executed if <tt>firewalld</tt> and <tt>NetworkManager</tt>
|
|
|
f6303c |
+ services are running. Otherwise, the remediation will be aborted and a informative message
|
|
|
f6303c |
+ will be shown in the remediation report.
|
|
|
f6303c |
+ These respective services will not be started in order to preserve any intentional change
|
|
|
f6303c |
+ in network components related to firewall and network interfaces.
|
|
|
f6303c |
|
|
|
f6303c |
From 4e76d01001398948de8d1b085964bbb1ea68626c Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Fri, 14 Oct 2022 09:02:08 +0200
|
|
|
f6303c |
Subject: [PATCH 02/14] Increase robustness of firewalld_sshd_port_enabled bash
|
|
|
f6303c |
remediation
|
|
|
f6303c |
|
|
|
f6303c |
The remediation was not capable to properly treat some special cases,
|
|
|
f6303c |
like a system with multiple interfaces. It wasn't also capable to safely
|
|
|
f6303c |
configure the correct interface since it was assuming the NetworkManager
|
|
|
f6303c |
connection file was prefixed with the network interface name. In
|
|
|
f6303c |
addition, it is not stable to manually change firewalld XML files while
|
|
|
f6303c |
a proper command is present. This commit makes the remediation reliable
|
|
|
f6303c |
and assertive by using firewall-cmd and nmcli commands.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../bash/shared.sh | 76 +++++++++----------
|
|
|
f6303c |
1 file changed, 37 insertions(+), 39 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
index a328bee5c8a..e1b4f0fbd20 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
@@ -5,49 +5,47 @@
|
|
|
f6303c |
# disruption = low
|
|
|
f6303c |
|
|
|
f6303c |
{{{ bash_package_install("firewalld") }}}
|
|
|
f6303c |
-
|
|
|
f6303c |
+{{{ bash_package_install("NetworkManager") }}}
|
|
|
f6303c |
{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
|
|
|
f6303c |
|
|
|
f6303c |
-{{% if product in ['rhel9'] %}}
|
|
|
f6303c |
- {{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}}
|
|
|
f6303c |
-{{% else %}}
|
|
|
f6303c |
- {{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}}
|
|
|
f6303c |
-{{% endif %}}
|
|
|
f6303c |
+if firewall-cmd --state -q; then
|
|
|
f6303c |
+ # First make sure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+ # This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+ firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
-# This assumes that firewalld_sshd_zone is one of the pre-defined zones
|
|
|
f6303c |
-if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then
|
|
|
f6303c |
- cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
|
|
|
f6303c |
-fi
|
|
|
f6303c |
-if ! grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then
|
|
|
f6303c |
- sed -i '/<\/description>/a \
|
|
|
f6303c |
- <service name="ssh"/>' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
|
|
|
f6303c |
-fi
|
|
|
f6303c |
+ if systemctl is-active NetworkManager; then
|
|
|
f6303c |
+ # This will collect all NetworkManager connections names
|
|
|
f6303c |
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
|
|
|
f6303c |
-# Check if any eth interface is bounded to the zone with SSH service enabled
|
|
|
f6303c |
-nic_bound=false
|
|
|
f6303c |
-readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
|
|
|
f6303c |
-for interface in "${eth_interface_list[@]}"; do
|
|
|
f6303c |
- if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then
|
|
|
f6303c |
- nic_bound=true
|
|
|
f6303c |
- break;
|
|
|
f6303c |
- fi
|
|
|
f6303c |
-done
|
|
|
f6303c |
-
|
|
|
f6303c |
-if [ $nic_bound = false ];then
|
|
|
f6303c |
- # Add first NIC to SSH enabled zone
|
|
|
f6303c |
- interface="${eth_interface_list[0]}"
|
|
|
f6303c |
-
|
|
|
f6303c |
- if ! firewall-cmd --state -q; then
|
|
|
f6303c |
- {{% if product in ['rhel9'] %}}
|
|
|
f6303c |
- {{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
|
|
|
f6303c |
- {{% else %}}
|
|
|
f6303c |
- {{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
|
|
|
f6303c |
- {{% endif %}}
|
|
|
f6303c |
+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+ # This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+ for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+ done
|
|
|
f6303c |
+ systemctl restart NetworkManager
|
|
|
f6303c |
else
|
|
|
f6303c |
- # If firewalld service is running, we need to do this step with firewall-cmd
|
|
|
f6303c |
- # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone
|
|
|
f6303c |
- # of NetworkManager managed interfaces upon reload
|
|
|
f6303c |
- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}"
|
|
|
f6303c |
- firewall-cmd --reload
|
|
|
f6303c |
+ echo "
|
|
|
f6303c |
+ NetworkManager service is not active. Remediation aborted!
|
|
|
f6303c |
+ This remediation could not be applied because it depends on NetworkManager service running.
|
|
|
f6303c |
+ The service is not started by this remediation in order to prevent connection issues."
|
|
|
f6303c |
+ exit 1
|
|
|
f6303c |
fi
|
|
|
f6303c |
+
|
|
|
f6303c |
+ # Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+ # It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+ # active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+ for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+ done
|
|
|
f6303c |
+ firewall-cmd --reload
|
|
|
f6303c |
+else
|
|
|
f6303c |
+ echo "
|
|
|
f6303c |
+ firewalld service is not active. Remediation aborted!
|
|
|
f6303c |
+ This remediation could not be applied because it depends on firewalld service running.
|
|
|
f6303c |
+ The service is not started by this remediation in order to prevent connection issues."
|
|
|
f6303c |
+ exit 1
|
|
|
f6303c |
fi
|
|
|
f6303c |
|
|
|
f6303c |
From a1fe2e8c34f8dbbaf573e6d6fa37b8e4fc63ad09 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Wed, 19 Oct 2022 13:19:46 +0200
|
|
|
f6303c |
Subject: [PATCH 03/14] Include warning message regarging custom SSH port
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 7 +++++++
|
|
|
f6303c |
1 file changed, 7 insertions(+)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
index 9b96faf222d..d49a2af1d02 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
@@ -48,3 +48,10 @@ warnings:
|
|
|
f6303c |
will be shown in the remediation report.
|
|
|
f6303c |
These respective services will not be started in order to preserve any intentional change
|
|
|
f6303c |
in network components related to firewall and network interfaces.
|
|
|
f6303c |
+ - general: |-
|
|
|
f6303c |
+ This rule also checks if the SSH port was modified by the administrator and is reflecting
|
|
|
f6303c |
+ the expected port number. Although this is checked, fixing the custom ssh.xml file is not
|
|
|
f6303c |
+ in the scope of the remediation since there is no reliable way to manually change the
|
|
|
f6303c |
+ respective file. If the default SSH port is modified, it is on the administrator
|
|
|
f6303c |
+ responsibility to ensure the firewalld customizations in the service port level are
|
|
|
f6303c |
+ properly configured.
|
|
|
f6303c |
|
|
|
f6303c |
From b7c665bd163acb0595438223e4ebaa6a34e674a0 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Fri, 14 Oct 2022 15:03:33 +0200
|
|
|
f6303c |
Subject: [PATCH 04/14] Review test scenario scripts
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../tests/no_nic_in_ssh_zone.fail.sh | 7 +------
|
|
|
f6303c |
.../firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh | 4 ----
|
|
|
f6303c |
.../tests/ssh_zone_and_nic_mismatch.fail.sh | 4 ----
|
|
|
f6303c |
.../tests/ssh_zone_nic_bounded.pass.sh | 3 ---
|
|
|
f6303c |
4 files changed, 1 insertion(+), 17 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
index 7ed0c21ed1e..21d7c0eafc4 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
@@ -1,9 +1,5 @@
|
|
|
f6303c |
#!/bin/bash
|
|
|
f6303c |
# packages = firewalld
|
|
|
f6303c |
-#
|
|
|
f6303c |
-# remediation = none
|
|
|
f6303c |
-
|
|
|
f6303c |
-# ensure firewalld installed
|
|
|
f6303c |
|
|
|
f6303c |
# Make sure there is a zone with ssh service enabled
|
|
|
f6303c |
firewall-cmd --permanent --zone=work --add-service=ssh
|
|
|
f6303c |
@@ -11,8 +7,7 @@ firewall-cmd --permanent --zone=work --add-service=ssh
|
|
|
f6303c |
all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
|
|
|
f6303c |
|
|
|
f6303c |
-# Make sure NICs are bounded to no zone
|
|
|
f6303c |
-# Note: Interfaces managed by NetworkManager will be assigned to the default firewalld zone
|
|
|
f6303c |
+# Make sure all NICs are not bounded to any zone
|
|
|
f6303c |
for zone in $all_zones; do
|
|
|
f6303c |
for interface in $eth_interfaces; do
|
|
|
f6303c |
firewall-cmd --permanent --zone=$zone --remove-interface=$interface
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
index 78918c9fee5..41fb83d9489 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
@@ -1,9 +1,5 @@
|
|
|
f6303c |
#!/bin/bash
|
|
|
f6303c |
# packages = firewalld
|
|
|
f6303c |
-#
|
|
|
f6303c |
-# remediation = none
|
|
|
f6303c |
-
|
|
|
f6303c |
-# ensure firewalld installed
|
|
|
f6303c |
|
|
|
f6303c |
all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
for zone in $all_zones;do
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
index fed30230588..ab05492f74d 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
@@ -1,9 +1,5 @@
|
|
|
f6303c |
#!/bin/bash
|
|
|
f6303c |
# packages = firewalld
|
|
|
f6303c |
-#
|
|
|
f6303c |
-# remediation = none
|
|
|
f6303c |
-
|
|
|
f6303c |
-# ensure firewalld installed
|
|
|
f6303c |
|
|
|
f6303c |
# Make sure there is only one zone with ssh service enabled
|
|
|
f6303c |
all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
index f426236466f..eabc38e7248 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
@@ -1,8 +1,5 @@
|
|
|
f6303c |
#!/bin/bash
|
|
|
f6303c |
# packages = firewalld
|
|
|
f6303c |
-#
|
|
|
f6303c |
-
|
|
|
f6303c |
-# ensure firewalld installed
|
|
|
f6303c |
|
|
|
f6303c |
firewall-cmd --permanent --zone=public --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
|
|
|
f6303c |
From 32a41b09b0b963e3fb681a5ea617e96383e2277c Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Wed, 19 Oct 2022 08:39:04 +0200
|
|
|
f6303c |
Subject: [PATCH 05/14] Reinvent the test scenarios for
|
|
|
f6303c |
firewalld_sshd_port_enabled
|
|
|
f6303c |
|
|
|
f6303c |
The test scenarios were aligned to the old remediation approach, making
|
|
|
f6303c |
them also incomplete and incapable to catch real cases. Once the
|
|
|
f6303c |
remediation was robust, test scenarios also need the same level of
|
|
|
f6303c |
robustness in order to ensure the rules is as much realistic as
|
|
|
f6303c |
possible. They are now covering cases with multiple interfaces and
|
|
|
f6303c |
multiple active zones. It is also covered custom SSH port.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../tests/customized_zone_configured.pass.sh | 37 +++++++++++++++++
|
|
|
f6303c |
.../tests/customized_zone_without_ssh.fail.sh | 37 +++++++++++++++++
|
|
|
f6303c |
.../tests/new_zone_configured.pass.sh | 39 ++++++++++++++++++
|
|
|
f6303c |
.../tests/new_zone_without_ssh.fail.sh | 40 +++++++++++++++++++
|
|
|
f6303c |
.../tests/no_nic_in_ssh_zone.fail.sh | 18 ---------
|
|
|
f6303c |
.../tests/no_ssh_zone.fail.sh | 10 -----
|
|
|
f6303c |
.../tests/only_nics_configured.fail.sh | 35 ++++++++++++++++
|
|
|
f6303c |
.../tests/only_zones_configured.fail.sh | 34 ++++++++++++++++
|
|
|
f6303c |
.../tests/ssh_port_enabled.pass.sh | 5 ---
|
|
|
f6303c |
.../tests/ssh_zone_and_nic_mismatch.fail.sh | 25 ------------
|
|
|
f6303c |
.../tests/ssh_zone_nic_bounded.pass.sh | 8 ----
|
|
|
f6303c |
.../tests/zones_and_nics_configured.pass.sh | 34 ++++++++++++++++
|
|
|
f6303c |
.../zones_and_nics_ok_no_custom_files.pass.sh | 39 ++++++++++++++++++
|
|
|
f6303c |
.../zones_and_nics_ok_port_changed.pass.sh | 38 ++++++++++++++++++
|
|
|
f6303c |
14 files changed, 333 insertions(+), 66 deletions(-)
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
|
|
|
f6303c |
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..9bfd1737dc8
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,37 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is
|
|
|
f6303c |
+# created in /etc/firewalld/zones.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=http
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..f1d152c683e
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,37 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+# It is to ensure a custom file is created in /etc/firewalld/zones.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=http
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Do not reload, otherwise SSG Test suite will be locked out.
|
|
|
f6303c |
+#firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..cb8849b3f9f
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,39 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Create a custom zone
|
|
|
f6303c |
+custom_zone_name="custom"
|
|
|
f6303c |
+firewall-cmd --new-zone=$custom_zone_name --permanent
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones "$custom_zone_name"; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..5e0a6453df7
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,40 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Create a custom zone
|
|
|
f6303c |
+custom_zone_name="custom"
|
|
|
f6303c |
+firewall-cmd --new-zone=$custom_zone_name --permanent
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones "$custom_zone_name"; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Do not reload, otherwise SSG Test suite will be locked out.
|
|
|
f6303c |
+#firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
deleted file mode 100644
|
|
|
f6303c |
index 21d7c0eafc4..00000000000
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
|
|
|
f6303c |
+++ /dev/null
|
|
|
f6303c |
@@ -1,18 +0,0 @@
|
|
|
f6303c |
-#!/bin/bash
|
|
|
f6303c |
-# packages = firewalld
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Make sure there is a zone with ssh service enabled
|
|
|
f6303c |
-firewall-cmd --permanent --zone=work --add-service=ssh
|
|
|
f6303c |
-
|
|
|
f6303c |
-all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
-eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Make sure all NICs are not bounded to any zone
|
|
|
f6303c |
-for zone in $all_zones; do
|
|
|
f6303c |
- for interface in $eth_interfaces; do
|
|
|
f6303c |
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
|
|
|
f6303c |
- done
|
|
|
f6303c |
-done
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Do not reload, otherwise SSG Test suite will be locked out
|
|
|
f6303c |
-# firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
deleted file mode 100644
|
|
|
f6303c |
index 41fb83d9489..00000000000
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
|
|
|
f6303c |
+++ /dev/null
|
|
|
f6303c |
@@ -1,10 +0,0 @@
|
|
|
f6303c |
-#!/bin/bash
|
|
|
f6303c |
-# packages = firewalld
|
|
|
f6303c |
-
|
|
|
f6303c |
-all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
-for zone in $all_zones;do
|
|
|
f6303c |
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
|
|
|
f6303c |
-done
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Do not reload, otherwise SSG Test suite will be locked out
|
|
|
f6303c |
-# firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..98525db2729
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,35 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Do not reload, otherwise SSG Test suite will be locked out.
|
|
|
f6303c |
+#firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..e14d6c959dc
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,34 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is already assigned to a firewalld zone, removes the assignment.
|
|
|
f6303c |
+# This will not change connections which are not assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone != "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone ""
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure all zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_all_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is not a problem to reload the settings since all interfaces without an explicit assgined zone
|
|
|
f6303c |
+# will be automatically assigned to the default zone.
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
|
|
|
f6303c |
deleted file mode 100644
|
|
|
f6303c |
index c9959c40937..00000000000
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
|
|
|
f6303c |
+++ /dev/null
|
|
|
f6303c |
@@ -1,5 +0,0 @@
|
|
|
f6303c |
-#!/bin/bash
|
|
|
f6303c |
-# packages = firewalld
|
|
|
f6303c |
-
|
|
|
f6303c |
-firewall-cmd --add-port=22/tcp
|
|
|
f6303c |
-firewall-cmd --add-port=22/tcp --permanent
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
deleted file mode 100644
|
|
|
f6303c |
index ab05492f74d..00000000000
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
|
|
|
f6303c |
+++ /dev/null
|
|
|
f6303c |
@@ -1,25 +0,0 @@
|
|
|
f6303c |
-#!/bin/bash
|
|
|
f6303c |
-# packages = firewalld
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Make sure there is only one zone with ssh service enabled
|
|
|
f6303c |
-all_zones=$(firewall-cmd --get-zones)
|
|
|
f6303c |
-for zone in $all_zones;do
|
|
|
f6303c |
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
|
|
|
f6303c |
-done
|
|
|
f6303c |
-firewall-cmd --permanent --zone=work --add-service=ssh
|
|
|
f6303c |
-
|
|
|
f6303c |
-all_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1)
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Make sure NICs are bounded to no zone
|
|
|
f6303c |
-for zone in $all_zones; do
|
|
|
f6303c |
- for interface in $all_interfaces; do
|
|
|
f6303c |
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
|
|
|
f6303c |
- done
|
|
|
f6303c |
-done
|
|
|
f6303c |
-
|
|
|
f6303c |
-eth_interfaces=$(echo "$all_interfaces" | grep -E '^(en|eth)')
|
|
|
f6303c |
-# Add interface to wrong zone
|
|
|
f6303c |
-firewall-cmd --permanent --zone=trusted --add-interface=${eth_interfaces[0]}
|
|
|
f6303c |
-
|
|
|
f6303c |
-# Do not reload, otherwise SSG Test suite will be locked out
|
|
|
f6303c |
-# firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
deleted file mode 100644
|
|
|
f6303c |
index eabc38e7248..00000000000
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
|
|
|
f6303c |
+++ /dev/null
|
|
|
f6303c |
@@ -1,8 +0,0 @@
|
|
|
f6303c |
-#!/bin/bash
|
|
|
f6303c |
-# packages = firewalld
|
|
|
f6303c |
-
|
|
|
f6303c |
-firewall-cmd --permanent --zone=public --add-service=ssh
|
|
|
f6303c |
-
|
|
|
f6303c |
-eth_interface=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
|
|
|
f6303c |
-
|
|
|
f6303c |
-firewall-cmd --permanent --zone=public --add-interface=${eth_interface[0]}
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..489fe6ae7e8
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,34 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..c53fb99de78
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,39 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+# The work zone, used in this test scenario, allows ssh by default. Therefore, it is not expected
|
|
|
f6303c |
+# the previous command will create a respective file in /etc. However, it makes sure the /etc dir
|
|
|
f6303c |
+# is empty anyways.
|
|
|
f6303c |
+rm -f /etc/firewalld/zones/*
|
|
|
f6303c |
+
|
|
|
f6303c |
+firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..46c4ed5f4d7
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,38 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+# packages = firewalld, NetworkManager
|
|
|
f6303c |
+# variables = firewalld_sshd_zone=work, sshd_listening_port=2222
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the required services are started.
|
|
|
f6303c |
+systemctl start firewalld NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Ensure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
+# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
+firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Collect all NetworkManager connections names.
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+for connection in $nm_connections; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "work"
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+done
|
|
|
f6303c |
+systemctl restart NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
+
|
|
|
f6303c |
+# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
+for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
+done
|
|
|
f6303c |
+
|
|
|
f6303c |
+cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
|
|
|
f6303c |
+sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml
|
|
|
f6303c |
+
|
|
|
f6303c |
+# Do not reload, otherwise SSG Test suite will be locked out.
|
|
|
f6303c |
+#firewall-cmd --reload
|
|
|
f6303c |
|
|
|
f6303c |
From db26bb5efb0746c165e17294a7cde9c7e712cd85 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 13 Oct 2022 11:51:05 +0200
|
|
|
f6303c |
Subject: [PATCH 06/14] Recreated OVAL assessment for
|
|
|
f6303c |
firewalld_sshd_port_enabled
|
|
|
f6303c |
|
|
|
f6303c |
There are some corner cases involving possible realistic scenarios with
|
|
|
f6303c |
firewalld and NetworkManager. Based on the remediation refactoring, the
|
|
|
f6303c |
OVAL assessment was also reformulated to be more simple and much more
|
|
|
f6303c |
reliable. It is now checking firewalld packaged files and also custom
|
|
|
f6303c |
files respecting the proper order in case of custom files.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../oval/shared.xml | 312 ++++++++++++------
|
|
|
f6303c |
1 file changed, 206 insertions(+), 106 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
index e944f938a59..e4c03c9aa4d 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
@@ -1,109 +1,209 @@
|
|
|
f6303c |
<def-group>
|
|
|
f6303c |
- <definition class="compliance" id="firewalld_sshd_port_enabled" version="1">
|
|
|
f6303c |
- {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to
|
|
|
f6303c |
- the SSH port (22).") }}}
|
|
|
f6303c |
- <criteria operator="OR">
|
|
|
f6303c |
- <criterion comment="ssh service is enabled in services" test_ref="test_firewalld_service_sshd_enabled" />
|
|
|
f6303c |
- <criterion comment="ssh port is enabled in services" test_ref="test_firewalld_service_sshd_port_enabled" />
|
|
|
f6303c |
- <criteria operator="AND">
|
|
|
f6303c |
- <criterion comment="ssh service is enabled in zones" test_ref="test_firewalld_zone_sshd_enabled" />
|
|
|
f6303c |
- <criterion comment="there is at least one NIC assigned to a zone with ssh enabled" test_ref="test_nic_assigned_to_sshd_enabled_zone" />
|
|
|
f6303c |
- </criteria>
|
|
|
f6303c |
- <criterion comment="ssh port is enabled in zones" test_ref="test_firewalld_zone_sshd_port_enabled" />
|
|
|
f6303c |
- </criteria>
|
|
|
f6303c |
- </definition>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="test_firewalld_service_sshd_enabled" version="1">
|
|
|
f6303c |
- <ind:object object_ref="object_firewalld_service_sshd_enabled" />
|
|
|
f6303c |
- </ind:xmlfilecontent_test>
|
|
|
f6303c |
- <ind:xmlfilecontent_object id="object_firewalld_service_sshd_enabled" version="1">
|
|
|
f6303c |
- <ind:path>/etc/firewalld/services</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
|
f6303c |
- <ind:xpath>/service/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
- </ind:xmlfilecontent_object>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="test_firewalld_service_sshd_port_enabled" version="1">
|
|
|
f6303c |
- <ind:object object_ref="object_firewalld_service_sshd_port_enabled" />
|
|
|
f6303c |
- <ind:state state_ref="state_sshd_listening_port" />
|
|
|
f6303c |
- </ind:textfilecontent54_test>
|
|
|
f6303c |
- <ind:textfilecontent54_object id="object_firewalld_service_sshd_port_enabled" version="1">
|
|
|
f6303c |
- <ind:path>/etc/firewalld/services</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
|
f6303c |
- <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
|
|
|
f6303c |
- <ind:instance datatype="int" operation="equals">1</ind:instance>
|
|
|
f6303c |
- </ind:textfilecontent54_object>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="test_firewalld_zone_sshd_enabled" version="1">
|
|
|
f6303c |
- <ind:object object_ref="object_firewalld_zone_sshd_enabled" />
|
|
|
f6303c |
- </ind:xmlfilecontent_test>
|
|
|
f6303c |
- <ind:xmlfilecontent_object id="object_firewalld_zone_sshd_enabled" version="1">
|
|
|
f6303c |
- <ind:path>/etc/firewalld/zones</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
|
f6303c |
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
- </ind:xmlfilecontent_object>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="test_firewalld_zone_sshd_port_enabled" version="1">
|
|
|
f6303c |
- <ind:object object_ref="object_firewalld_zone_sshd_port_enabled" />
|
|
|
f6303c |
- <ind:state state_ref="state_sshd_listening_port" />
|
|
|
f6303c |
- </ind:textfilecontent54_test>
|
|
|
f6303c |
- <ind:textfilecontent54_object id="object_firewalld_zone_sshd_port_enabled" version="1">
|
|
|
f6303c |
- <ind:path>/etc/firewalld/zones</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
|
f6303c |
- <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
|
|
|
f6303c |
- <ind:instance datatype="int" operation="equals">1</ind:instance>
|
|
|
f6303c |
- </ind:textfilecontent54_object>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- <local_variable id="var_firewalld_sshd_enabled_zones" datatype="string" version="1" comment="firewalld zones with ssh service enabled">
|
|
|
f6303c |
- <regex_capture pattern="(\S+).xml">
|
|
|
f6303c |
- <object_component item_field="filename" object_ref="object_firewalld_zone_sshd_enabled" />
|
|
|
f6303c |
- </regex_capture>
|
|
|
f6303c |
- </local_variable>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="test_nic_assigned_to_sshd_enabled_zone" version="1">
|
|
|
f6303c |
- <ind:object object_ref="object_zones_with_nics" />
|
|
|
f6303c |
- </ind:xmlfilecontent_test>
|
|
|
f6303c |
- <ind:xmlfilecontent_object id="object_zones_with_nics" version="1">
|
|
|
f6303c |
- <ind:path>/etc/firewalld/zones</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match" var_check="at least one" var_ref="var_firewalld_zones_with_assigned_nics"/>
|
|
|
f6303c |
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
- </ind:xmlfilecontent_object>
|
|
|
f6303c |
-
|
|
|
f6303c |
-
|
|
|
f6303c |
- <local_variable id="var_firewalld_zones_with_assigned_nics" datatype="string" version="1" comment="firewalld zones with ssh service enabled">
|
|
|
f6303c |
- <concat>
|
|
|
f6303c |
- <object_component item_field="subexpression" object_ref="object_nic_assigned_to_firewalld_zone" />
|
|
|
f6303c |
- <literal_component>.xml</literal_component>
|
|
|
f6303c |
- </concat>
|
|
|
f6303c |
- </local_variable>
|
|
|
f6303c |
-{{% if product in ["fedora", "rhel9"] %}}
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="object_nic_assigned_to_firewalld_zone" version="2">
|
|
|
f6303c |
- <ind:path>/etc/NetworkManager/system-connections</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">.*\.nmconnection</ind:filename>
|
|
|
f6303c |
- <ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
|
|
|
f6303c |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
- </ind:textfilecontent54_object>
|
|
|
f6303c |
-{{% else %}}
|
|
|
f6303c |
-
|
|
|
f6303c |
- id="object_nic_assigned_to_firewalld_zone" version="1">
|
|
|
f6303c |
- <ind:path>/etc/sysconfig/network-scripts</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
|
|
|
f6303c |
- <ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
|
|
|
f6303c |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
- </ind:textfilecontent54_object>
|
|
|
f6303c |
-{{% endif %}}
|
|
|
f6303c |
-
|
|
|
f6303c |
- <ind:textfilecontent54_state comment="port ssh is listening" id="state_sshd_listening_port" version="1">
|
|
|
f6303c |
- <ind:subexpression datatype="int" operation="equals" var_ref="sshd_listening_port" />
|
|
|
f6303c |
- </ind:textfilecontent54_state>
|
|
|
f6303c |
-
|
|
|
f6303c |
- <external_variable comment="port ssh is listening" datatype="int" id="sshd_listening_port" version="1" />
|
|
|
f6303c |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
f6303c |
+ {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to
|
|
|
f6303c |
+ the SSH service.") }}}
|
|
|
f6303c |
+ <criteria operator="AND">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_all_nics_in_zones"/>
|
|
|
f6303c |
+ <criteria operator="OR">
|
|
|
f6303c |
+ <criteria operator="AND">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Ensure default file zones have SSH service defined"
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr"/>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Ensure default files from active zones were not overridden"
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_usr_zones_not_overridden"/>
|
|
|
f6303c |
+ </criteria>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Ensure custom files from active zones have SSH service defined"
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"/>
|
|
|
f6303c |
+ </criteria>
|
|
|
f6303c |
+ <criteria operator="AND">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Ensure default file for SSH service is correct"
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_ssh_service_usr"/>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Ensure the modified firewalld SSH port is correct"
|
|
|
f6303c |
+ test_ref="test_firewalld_sshd_port_enabled_ssh_service_etc"/>
|
|
|
f6303c |
+ </criteria>
|
|
|
f6303c |
+ </criteria>
|
|
|
f6303c |
+ </definition>
|
|
|
f6303c |
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="at_least_one_exists" version="1"
|
|
|
f6303c |
+ comment="All NICs must have a firewalld zone defined in their settings">
|
|
|
f6303c |
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_network_conf_files_count"/>
|
|
|
f6303c |
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_network_conf_files_count"/>
|
|
|
f6303c |
+ </ind:variable_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ version="1">
|
|
|
f6303c |
+ <ind:var_ref>var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count</ind:var_ref>
|
|
|
f6303c |
+ </ind:variable_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ datatype="int" version="1"
|
|
|
f6303c |
+ comment="Variable including number of network config files with an assiged zone">
|
|
|
f6303c |
+ <count>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ object_ref="object_firewalld_sshd_port_enabled_zones_assigned_to_nics"/>
|
|
|
f6303c |
+ </count>
|
|
|
f6303c |
+ </local_variable>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="Check the respective zone parameter in all NICs configuration files" version="3">
|
|
|
f6303c |
+ {{% if product in ["fedora", "rhel9"] %}}
|
|
|
f6303c |
+ <ind:path>/etc/NetworkManager/system-connections</ind:path>
|
|
|
f6303c |
+ <ind:filename operation="pattern match">.*\.nmconnection</ind:filename>
|
|
|
f6303c |
+ <ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
|
|
|
f6303c |
+ {{% else %}}
|
|
|
f6303c |
+ <ind:path>/etc/sysconfig/network-scripts</ind:path>
|
|
|
f6303c |
+ <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
|
|
|
f6303c |
+ <ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
|
|
|
f6303c |
+ {{% endif %}}
|
|
|
f6303c |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
+ </ind:textfilecontent54_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ version="1">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ var_ref="var_firewalld_sshd_port_enabled_network_conf_files_count"/>
|
|
|
f6303c |
+ </ind:variable_state>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ datatype="int" version="1"
|
|
|
f6303c |
+ comment="Variable including number of network config files present in the system">
|
|
|
f6303c |
+ <count>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ object_ref="object_firewalld_sshd_port_enabled_network_conf_files"/>
|
|
|
f6303c |
+ </count>
|
|
|
f6303c |
+ </local_variable>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ <unix:file_object id="object_firewalld_sshd_port_enabled_network_conf_files" version="1">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ recurse_file_system="all"/>
|
|
|
f6303c |
+ {{% if product in ["fedora", "rhel9"] %}}
|
|
|
f6303c |
+ <unix:path>/etc/NetworkManager/system-connections</unix:path>
|
|
|
f6303c |
+ <unix:filename operation="pattern match">.*\.nmconnection</unix:filename>
|
|
|
f6303c |
+ {{% else %}}
|
|
|
f6303c |
+ <unix:path>/etc/sysconfig/network-scripts</unix:path>
|
|
|
f6303c |
+ <unix:filename operation="pattern match">ifcfg-.*</unix:filename>
|
|
|
f6303c |
+ {{% endif %}}
|
|
|
f6303c |
+ </unix:file_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ respective names, all other zones delivered in the firewalld package allow SSH
|
|
|
f6303c |
+ out-of-box. This test ensure these files are indeed allowing SSH in case a NIC is
|
|
|
f6303c |
+ assigned to any of these existing zones. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="at_least_one_exists" version="1"
|
|
|
f6303c |
+ comment="SSH service is defined in all zones delivered in the firewalld package">
|
|
|
f6303c |
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_usr"/>
|
|
|
f6303c |
+ </ind:xmlfilecontent_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ version="1">
|
|
|
f6303c |
+ <ind:path>/usr/lib/firewalld/zones</ind:path>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ var_ref="var_firewalld_sshd_port_enabled_default_zones"/>
|
|
|
f6303c |
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
+ </ind:xmlfilecontent_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ to confirm they are indeed in use by not having an equivalent file in /etc/firewalld/zones
|
|
|
f6303c |
+ dir. Otherwise, it is not possible to rely only on default files and the /etc dir should
|
|
|
f6303c |
+ also be checked. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="none_exist"
|
|
|
f6303c |
+ comment="there is no equivalent zone file defined by the administrator in /etc dir">
|
|
|
f6303c |
+ <unix:object object_ref="object_firewalld_sshd_port_enabled_customized_zone_files"/>
|
|
|
f6303c |
+ </unix:file_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ <unix:file_object id="object_firewalld_sshd_port_enabled_customized_zone_files" version="1">
|
|
|
f6303c |
+
|
|
|
f6303c |
+ recurse_file_system="all"/>
|
|
|
f6303c |
+ <unix:path>/etc/firewalld/zones</unix:path>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ var_ref="var_firewalld_sshd_port_enabled_default_zones"/>
|
|
|
f6303c |
+ </unix:file_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ OVAL resources in order to detect and assess only active zone, which are zones with at
|
|
|
f6303c |
+ least one NIC assigned to it. Since it was possible to easily have the list of active
|
|
|
f6303c |
+ zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
|
|
f6303c |
+ level of complexity to make sure environments with multiple NICs and multiple zones are
|
|
|
f6303c |
+ in use. So, in favor of simplicity and readbility it was decided to work with a static
|
|
|
f6303c |
+ list. It means that, in the future, it is possible this list needs to be updated. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ datatype="string"
|
|
|
f6303c |
+ comment="Regex containing the list of zones files delivered in the firewalld package">
|
|
|
f6303c |
+ <literal_component>^(dmz|external|home|internal|public|trusted|work)\.xml$</literal_component>
|
|
|
f6303c |
+ </local_variable>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
|
|
f6303c |
+ directory is applicable for new zones created by the administrator. Therefore, all files
|
|
|
f6303c |
+ in this directory should also allow SSH. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="at_least_one_exists" version="1"
|
|
|
f6303c |
+ comment="SSH service is defined in all zones created or modified by the administrator">
|
|
|
f6303c |
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
|
f6303c |
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
|
f6303c |
+ </ind:xmlfilecontent_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
|
f6303c |
+ <ind:path>/etc/firewalld/zones</ind:path>
|
|
|
f6303c |
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
|
f6303c |
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
+ </ind:xmlfilecontent_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+ <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
|
f6303c |
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
|
f6303c |
+ </ind:xmlfilecontent_state>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ SSH port is defined as 22/tcp by default. However, is that possible cases where the
|
|
|
f6303c |
+ administrator want, by any reason, to change this default port. The proper way to do this
|
|
|
f6303c |
+ is overriding the respectice SSH service file by populating the /etc/firewalld/services
|
|
|
f6303c |
+ directory. So, its necessary to ensure the default file is interger and the, if is the
|
|
|
f6303c |
+ case, the customized service is properly configured. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="all_exist" version="1"
|
|
|
f6303c |
+ comment="SSH service is interger in the /usr/lib/firewalld/services dir">
|
|
|
f6303c |
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_ssh_service_file_usr"/>
|
|
|
f6303c |
+ </ind:xmlfilecontent_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ version="1">
|
|
|
f6303c |
+ <ind:filepath>/usr/lib/firewalld/services/ssh.xml</ind:filepath>
|
|
|
f6303c |
+ <ind:xpath>/service/port[@port='22']</ind:xpath>
|
|
|
f6303c |
+ </ind:xmlfilecontent_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ ssh.xml file is placed in the /etc/firewalld/services directory with the proper port
|
|
|
f6303c |
+ defined. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ check="all" check_existence="any_exist" version="1"
|
|
|
f6303c |
+ comment="SSH service is properly configured in /etc/firewalld/services dir">
|
|
|
f6303c |
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_ssh_service_file_etc"/>
|
|
|
f6303c |
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_ssh_service_file_etc"/>
|
|
|
f6303c |
+ </ind:textfilecontent54_test>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ version="1">
|
|
|
f6303c |
+ <ind:filepath>/etc/firewalld/services/ssh.xml</ind:filepath>
|
|
|
f6303c |
+ <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
|
|
|
f6303c |
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
|
|
f6303c |
+ </ind:textfilecontent54_object>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="expected SSH port as defined by external variable" version="1">
|
|
|
f6303c |
+ <ind:subexpression datatype="int" operation="equals" var_ref="sshd_listening_port"/>
|
|
|
f6303c |
+ </ind:textfilecontent54_state>
|
|
|
f6303c |
+
|
|
|
f6303c |
+
|
|
|
f6303c |
+ comment="external variable containing the expected SSH port"/>
|
|
|
f6303c |
</def-group>
|
|
|
f6303c |
|
|
|
f6303c |
From 84755e320f3f8fd73151c7d8e15370a1825b080d Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Wed, 19 Oct 2022 18:36:24 +0200
|
|
|
f6303c |
Subject: [PATCH 07/14] Introduce new Ansible remediation
|
|
|
f6303c |
|
|
|
f6303c |
The previous remediation, besides being disaligned to the previous bash
|
|
|
f6303c |
remediation, was also problematic. It was completly rewritten in this
|
|
|
f6303c |
commit in order to be aligned to the Bash remediation. It was also
|
|
|
f6303c |
enabled this Ansible remediation for all platforms, including RHEL9.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ansible/shared.yml | 97 +++++++++++++++----
|
|
|
f6303c |
1 file changed, 79 insertions(+), 18 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
index 2553a4d2e57..fa7830761df 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
@@ -1,28 +1,89 @@
|
|
|
f6303c |
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
|
|
|
f6303c |
+# platform = multi_platform_all
|
|
|
f6303c |
# reboot = false
|
|
|
f6303c |
# complexity = low
|
|
|
f6303c |
# strategy = configure
|
|
|
f6303c |
# disruption = low
|
|
|
f6303c |
|
|
|
f6303c |
-- name: Ensure firewalld is installed
|
|
|
f6303c |
- package:
|
|
|
f6303c |
+{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}}
|
|
|
f6303c |
+
|
|
|
f6303c |
+- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed'
|
|
|
f6303c |
+ ansible.builtin.package:
|
|
|
f6303c |
name: "{{ item }}"
|
|
|
f6303c |
state: present
|
|
|
f6303c |
with_items:
|
|
|
f6303c |
- firewalld
|
|
|
f6303c |
+ - NetworkManager
|
|
|
f6303c |
+
|
|
|
f6303c |
+- name: '{{{ rule_title }}} - Collect facts about system services'
|
|
|
f6303c |
+ ansible.builtin.service_facts:
|
|
|
f6303c |
+ register: result_services_states
|
|
|
f6303c |
+
|
|
|
f6303c |
+- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running'
|
|
|
f6303c |
+ block:
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Collect NetworkManager connections names'
|
|
|
f6303c |
+ ansible.builtin.shell:
|
|
|
f6303c |
+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2
|
|
|
f6303c |
+ register: result_nmcli_cmd_connections_names
|
|
|
f6303c |
+ changed_when: false
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Collect NetworkManager connections zones'
|
|
|
f6303c |
+ ansible.builtin.shell:
|
|
|
f6303c |
+ cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}'
|
|
|
f6303c |
+ register: result_nmcli_cmd_connections_zones
|
|
|
f6303c |
+ changed_when: false
|
|
|
f6303c |
+ with_items:
|
|
|
f6303c |
+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone'
|
|
|
f6303c |
+ ansible.builtin.command:
|
|
|
f6303c |
+ cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }}
|
|
|
f6303c |
+ register: result_nmcli_cmd_connections_assignment
|
|
|
f6303c |
+ with_together:
|
|
|
f6303c |
+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
|
|
|
f6303c |
+ - "{{ result_nmcli_cmd_connections_zones.results }}"
|
|
|
f6303c |
+ when:
|
|
|
f6303c |
+ - item.1.stdout == '--'
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied'
|
|
|
f6303c |
+ ansible.builtin.service:
|
|
|
f6303c |
+ name: NetworkManager
|
|
|
f6303c |
+ state: restarted
|
|
|
f6303c |
+ when:
|
|
|
f6303c |
+ - result_nmcli_cmd_connections_assignment is changed
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Collect firewalld active zones'
|
|
|
f6303c |
+ ansible.builtin.shell:
|
|
|
f6303c |
+ cmd: firewall-cmd --get-active-zones | grep -v interfaces
|
|
|
f6303c |
+ register: result_firewall_cmd_zones_names
|
|
|
f6303c |
+ changed_when: false
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH'
|
|
|
f6303c |
+ ansible.builtin.command:
|
|
|
f6303c |
+ cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
|
|
|
f6303c |
+ register: result_nmcli_cmd_connections_assignment
|
|
|
f6303c |
+ changed_when:
|
|
|
f6303c |
+ - "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr"
|
|
|
f6303c |
+ with_items:
|
|
|
f6303c |
+ - "{{ result_firewall_cmd_zones_names.stdout_lines }}"
|
|
|
f6303c |
+
|
|
|
f6303c |
+ - name: '{{{ rule_title }}} - Ensure firewalld changes are applied'
|
|
|
f6303c |
+ ansible.builtin.service:
|
|
|
f6303c |
+ name: firewalld
|
|
|
f6303c |
+ state: reloaded
|
|
|
f6303c |
+ when:
|
|
|
f6303c |
+ - result_nmcli_cmd_connections_assignment is changed
|
|
|
f6303c |
+ when:
|
|
|
f6303c |
+ - ansible_facts.services['firewalld.service'].state == 'running'
|
|
|
f6303c |
+ - ansible_facts.services['NetworkManager.service'].state == 'running'
|
|
|
f6303c |
|
|
|
f6303c |
-{{{ ansible_instantiate_variables("sshd_listening_port") }}}
|
|
|
f6303c |
-
|
|
|
f6303c |
-- name: Enable SSHD in firewalld (custom port)
|
|
|
f6303c |
- firewalld:
|
|
|
f6303c |
- port: "{{ sshd_listening_port }}/tcp"
|
|
|
f6303c |
- permanent: yes
|
|
|
f6303c |
- state: enabled
|
|
|
f6303c |
- when: sshd_listening_port != 22
|
|
|
f6303c |
-
|
|
|
f6303c |
-- name: Enable SSHD in firewalld (default port)
|
|
|
f6303c |
- firewalld:
|
|
|
f6303c |
- service: ssh
|
|
|
f6303c |
- permanent: yes
|
|
|
f6303c |
- state: enabled
|
|
|
f6303c |
- when: sshd_listening_port == 22
|
|
|
f6303c |
+- name: '{{{ rule_title }}} - Informative message based on services states'
|
|
|
f6303c |
+ ansible.builtin.assert:
|
|
|
f6303c |
+ that:
|
|
|
f6303c |
+ - ansible_facts.services['firewalld.service'].state == 'running'
|
|
|
f6303c |
+ - ansible_facts.services['NetworkManager.service'].state == 'running'
|
|
|
f6303c |
+ fail_msg:
|
|
|
f6303c |
+ - firewalld and NetworkManager services are not active. Remediation aborted!
|
|
|
f6303c |
+ - This remediation could not be applied because it depends on firewalld and NetworkManager services running.
|
|
|
f6303c |
+ - The service is not started by this remediation in order to prevent connection issues.
|
|
|
f6303c |
+ success_msg:
|
|
|
f6303c |
+ - {{{ rule_title }}} remediation successfully executed
|
|
|
f6303c |
|
|
|
f6303c |
From d4f81e27994e17049f448d8410b4a8cfb5a9bdd2 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 20 Oct 2022 08:37:03 +0200
|
|
|
f6303c |
Subject: [PATCH 08/14] Fix loop over array in bash remediation
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 4 ++--
|
|
|
f6303c |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
index e1b4f0fbd20..afb89b7005a 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
@@ -19,7 +19,7 @@ if firewall-cmd --state -q; then
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
- for connection in $nm_connections; do
|
|
|
f6303c |
+ for connection in "${nm_connections[@]}"; do
|
|
|
f6303c |
current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
if [ $current_zone = "--" ]; then
|
|
|
f6303c |
nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
|
|
|
f6303c |
@@ -38,7 +38,7 @@ if firewall-cmd --state -q; then
|
|
|
f6303c |
# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
|
|
|
f6303c |
- for zone in $firewalld_active_zones; do
|
|
|
f6303c |
+ for zone in "${firewalld_active_zones[@]}"; do
|
|
|
f6303c |
firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
done
|
|
|
f6303c |
firewall-cmd --reload
|
|
|
f6303c |
|
|
|
f6303c |
From 403c44d66e06d5463758ba70abdca967a4173f69 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 20 Oct 2022 10:49:20 +0200
|
|
|
f6303c |
Subject: [PATCH 09/14] Trim nmcli connection names output
|
|
|
f6303c |
|
|
|
f6303c |
The output from nmcli command was including leading spaces in the
|
|
|
f6303c |
connection names. This was causing the the subsequent nmcli command to
|
|
|
f6303c |
fail resulting in connections without a firewalld zone defined.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 4 ++--
|
|
|
f6303c |
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +-
|
|
|
f6303c |
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
index fa7830761df..6098155469c 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
@@ -22,7 +22,7 @@
|
|
|
f6303c |
block:
|
|
|
f6303c |
- name: '{{{ rule_title }}} - Collect NetworkManager connections names'
|
|
|
f6303c |
ansible.builtin.shell:
|
|
|
f6303c |
- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2
|
|
|
f6303c |
+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g'
|
|
|
f6303c |
register: result_nmcli_cmd_connections_names
|
|
|
f6303c |
changed_when: false
|
|
|
f6303c |
|
|
|
f6303c |
@@ -36,7 +36,7 @@
|
|
|
f6303c |
|
|
|
f6303c |
- name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone'
|
|
|
f6303c |
ansible.builtin.command:
|
|
|
f6303c |
- cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }}
|
|
|
f6303c |
+ cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}
|
|
|
f6303c |
register: result_nmcli_cmd_connections_assignment
|
|
|
f6303c |
with_together:
|
|
|
f6303c |
- "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
index afb89b7005a..25e54f09477 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
@@ -15,7 +15,7 @@ if firewall-cmd --state -q; then
|
|
|
f6303c |
|
|
|
f6303c |
if systemctl is-active NetworkManager; then
|
|
|
f6303c |
# This will collect all NetworkManager connections names
|
|
|
f6303c |
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
|
|
|
f6303c |
From df8cd2df8661a3fe9fb7d5b5b493a93e1f977654 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 20 Oct 2022 11:03:56 +0200
|
|
|
f6303c |
Subject: [PATCH 10/14] Simplify the Bash remediation in alignment to Ansible
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../bash/shared.sh | 37 +++++++------------
|
|
|
f6303c |
1 file changed, 14 insertions(+), 23 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
index 25e54f09477..f883e614846 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
@@ -8,31 +8,22 @@
|
|
|
f6303c |
{{{ bash_package_install("NetworkManager") }}}
|
|
|
f6303c |
{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
|
|
|
f6303c |
|
|
|
f6303c |
-if firewall-cmd --state -q; then
|
|
|
f6303c |
+if systemctl is-active NetworkManager && systemctl is-active firewalld; then
|
|
|
f6303c |
# First make sure the SSH service is enabled in run-time for the proper zone.
|
|
|
f6303c |
# This is to avoid connection issues when new interfaces are addeded to this zone.
|
|
|
f6303c |
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
- if systemctl is-active NetworkManager; then
|
|
|
f6303c |
- # This will collect all NetworkManager connections names
|
|
|
f6303c |
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
|
|
|
f6303c |
-
|
|
|
f6303c |
- # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
- # This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
- for connection in "${nm_connections[@]}"; do
|
|
|
f6303c |
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
- if [ $current_zone = "--" ]; then
|
|
|
f6303c |
- nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
|
|
|
f6303c |
- fi
|
|
|
f6303c |
- done
|
|
|
f6303c |
- systemctl restart NetworkManager
|
|
|
f6303c |
- else
|
|
|
f6303c |
- echo "
|
|
|
f6303c |
- NetworkManager service is not active. Remediation aborted!
|
|
|
f6303c |
- This remediation could not be applied because it depends on NetworkManager service running.
|
|
|
f6303c |
- The service is not started by this remediation in order to prevent connection issues."
|
|
|
f6303c |
- exit 1
|
|
|
f6303c |
- fi
|
|
|
f6303c |
+ # This will collect all NetworkManager connections names
|
|
|
f6303c |
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
|
|
|
f6303c |
+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
+ # This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
+ for connection in "${nm_connections[@]}"; do
|
|
|
f6303c |
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
+ if [ $current_zone = "--" ]; then
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
|
|
|
f6303c |
+ fi
|
|
|
f6303c |
+ done
|
|
|
f6303c |
+ systemctl restart NetworkManager
|
|
|
f6303c |
|
|
|
f6303c |
# Active zones are zones with at least one interface assigned to it.
|
|
|
f6303c |
# It is possible that traffic is comming by any active interface and consequently any
|
|
|
f6303c |
@@ -44,8 +35,8 @@ if firewall-cmd --state -q; then
|
|
|
f6303c |
firewall-cmd --reload
|
|
|
f6303c |
else
|
|
|
f6303c |
echo "
|
|
|
f6303c |
- firewalld service is not active. Remediation aborted!
|
|
|
f6303c |
- This remediation could not be applied because it depends on firewalld service running.
|
|
|
f6303c |
+ firewalld and NetworkManager services are not active. Remediation aborted!
|
|
|
f6303c |
+ This remediation could not be applied because it depends on firewalld and NetworkManager services running.
|
|
|
f6303c |
The service is not started by this remediation in order to prevent connection issues."
|
|
|
f6303c |
exit 1
|
|
|
f6303c |
fi
|
|
|
f6303c |
|
|
|
f6303c |
From 8642f416a9cdeb5f0bc06f44d17f845afe089ce6 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 20 Oct 2022 11:07:31 +0200
|
|
|
f6303c |
Subject: [PATCH 11/14] Improve wording on warning about custom ssh.xml
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 9 +++++----
|
|
|
f6303c |
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
index d49a2af1d02..7446a62379d 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
|
f6303c |
@@ -49,9 +49,10 @@ warnings:
|
|
|
f6303c |
These respective services will not be started in order to preserve any intentional change
|
|
|
f6303c |
in network components related to firewall and network interfaces.
|
|
|
f6303c |
- general: |-
|
|
|
f6303c |
- This rule also checks if the SSH port was modified by the administrator and is reflecting
|
|
|
f6303c |
- the expected port number. Although this is checked, fixing the custom ssh.xml file is not
|
|
|
f6303c |
- in the scope of the remediation since there is no reliable way to manually change the
|
|
|
f6303c |
- respective file. If the default SSH port is modified, it is on the administrator
|
|
|
f6303c |
+ This rule also checks if the SSH port was modified by the administrator in the firewalld
|
|
|
f6303c |
+ services definitions and is reflecting the expected port number. Although this is checked,
|
|
|
f6303c |
+ fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
|
|
|
f6303c |
+ is not in the scope of the remediation since there is no reliable way to manually change
|
|
|
f6303c |
+ the respective file. If the default SSH port is modified, it is on the administrator
|
|
|
f6303c |
responsibility to ensure the firewalld customizations in the service port level are
|
|
|
f6303c |
properly configured.
|
|
|
f6303c |
|
|
|
f6303c |
From ab738103ab2c376dea88dcd797187adfbb07053f Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Thu, 20 Oct 2022 14:25:42 +0200
|
|
|
f6303c |
Subject: [PATCH 12/14] Optimize test scenarios
|
|
|
f6303c |
|
|
|
f6303c |
Some conditions were removed from test scenarios in order to make them
|
|
|
f6303c |
more resilient to test environment peculiarities.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../tests/customized_zone_configured.pass.sh | 4 ++--
|
|
|
f6303c |
.../tests/customized_zone_without_ssh.fail.sh | 4 ++--
|
|
|
f6303c |
.../tests/new_zone_configured.pass.sh | 7 ++-----
|
|
|
f6303c |
.../tests/new_zone_without_ssh.fail.sh | 7 ++-----
|
|
|
f6303c |
.../tests/only_nics_configured.fail.sh | 2 +-
|
|
|
f6303c |
.../tests/only_zones_configured.fail.sh | 7 ++-----
|
|
|
f6303c |
.../tests/zones_and_nics_configured.pass.sh | 2 +-
|
|
|
f6303c |
.../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +-
|
|
|
f6303c |
.../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +-
|
|
|
f6303c |
9 files changed, 14 insertions(+), 23 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
index 9bfd1737dc8..87e6871afb1 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
@@ -30,8 +30,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -
|
|
|
f6303c |
# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is
|
|
|
f6303c |
# created in /etc/firewalld/zones.
|
|
|
f6303c |
for zone in $firewalld_active_zones; do
|
|
|
f6303c |
- firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
firewall-cmd --permanent --zone="$zone" --add-service=http
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
|
|
|
f6303c |
done
|
|
|
f6303c |
|
|
|
f6303c |
firewall-cmd --reload
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
index f1d152c683e..383907d2cb7 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
@@ -29,8 +29,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -
|
|
|
f6303c |
# active zone. So, this make sure all active zones are permanently allowing SSH service.
|
|
|
f6303c |
# It is to ensure a custom file is created in /etc/firewalld/zones.
|
|
|
f6303c |
for zone in $firewalld_active_zones; do
|
|
|
f6303c |
- firewall-cmd --permanent --zone="$zone" --remove-service=ssh
|
|
|
f6303c |
firewall-cmd --permanent --zone="$zone" --add-service=http
|
|
|
f6303c |
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
|
|
|
f6303c |
done
|
|
|
f6303c |
|
|
|
f6303c |
# Do not reload, otherwise SSG Test suite will be locked out.
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
index cb8849b3f9f..9993e53788c 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
|
|
|
f6303c |
@@ -15,15 +15,12 @@ firewall-cmd --reload
|
|
|
f6303c |
firewall-cmd --zone=$custom_zone_name --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
for connection in $nm_connections; do
|
|
|
f6303c |
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
- if [ $current_zone = "--" ]; then
|
|
|
f6303c |
- nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
- fi
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
done
|
|
|
f6303c |
systemctl restart NetworkManager
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
index 5e0a6453df7..1301679b344 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
|
|
|
f6303c |
@@ -15,15 +15,12 @@ firewall-cmd --reload
|
|
|
f6303c |
firewall-cmd --zone=$custom_zone_name --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
for connection in $nm_connections; do
|
|
|
f6303c |
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
- if [ $current_zone = "--" ]; then
|
|
|
f6303c |
- nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
- fi
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
|
|
|
f6303c |
done
|
|
|
f6303c |
systemctl restart NetworkManager
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
index 98525db2729..6552f3f4214 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
index e14d6c959dc..72fc492e5bf 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
|
|
|
f6303c |
@@ -10,15 +10,12 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is already assigned to a firewalld zone, removes the assignment.
|
|
|
f6303c |
# This will not change connections which are not assigned to any firewalld zone.
|
|
|
f6303c |
for connection in $nm_connections; do
|
|
|
f6303c |
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
|
|
|
f6303c |
- if [ $current_zone != "--" ]; then
|
|
|
f6303c |
- nmcli connection modify "$connection" connection.zone ""
|
|
|
f6303c |
- fi
|
|
|
f6303c |
+ nmcli connection modify "$connection" connection.zone ""
|
|
|
f6303c |
done
|
|
|
f6303c |
systemctl restart NetworkManager
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
index 489fe6ae7e8..02c627e5d00 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
index c53fb99de78..9b3aa7d203f 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
index 46c4ed5f4d7..3e27a0647b0 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
|
|
|
f6303c |
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
|
|
|
f6303c |
firewall-cmd --zone=work --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# Collect all NetworkManager connections names.
|
|
|
f6303c |
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
|
|
|
f6303c |
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
|
|
|
f6303c |
From a2a49e9e8330c12b73e1c3873974bcb9a41691d4 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Mon, 24 Oct 2022 17:04:41 +0200
|
|
|
f6303c |
Subject: [PATCH 13/14] Remediation applicable to all NetworkManager
|
|
|
f6303c |
connections
|
|
|
f6303c |
|
|
|
f6303c |
The remediation was initially consirering to set a firewalld zone only
|
|
|
f6303c |
to active NetworkManager connections. However, it is possible that a
|
|
|
f6303c |
system has more valid connection which are simply not in use at the
|
|
|
f6303c |
moment. These inactive connections can be used at some point and if this
|
|
|
f6303c |
happen, they will also be compliant with an explicit firewalld zone
|
|
|
f6303c |
assigned to them. This way it is indeeded ensured all connections have a
|
|
|
f6303c |
firewalld zone assigned.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +-
|
|
|
f6303c |
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +-
|
|
|
f6303c |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
index 6098155469c..7b0bda3f10c 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
|
|
|
f6303c |
@@ -22,7 +22,7 @@
|
|
|
f6303c |
block:
|
|
|
f6303c |
- name: '{{{ rule_title }}} - Collect NetworkManager connections names'
|
|
|
f6303c |
ansible.builtin.shell:
|
|
|
f6303c |
- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g'
|
|
|
f6303c |
+ cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
|
|
|
f6303c |
register: result_nmcli_cmd_connections_names
|
|
|
f6303c |
changed_when: false
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
index f883e614846..76822bf01d8 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
|
|
|
f6303c |
@@ -14,7 +14,7 @@ if systemctl is-active NetworkManager && systemctl is-active firewalld; then
|
|
|
f6303c |
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
|
|
|
f6303c |
|
|
|
f6303c |
# This will collect all NetworkManager connections names
|
|
|
f6303c |
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
|
|
|
f6303c |
+ readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
|
|
|
f6303c |
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
|
|
|
f6303c |
# This will not change connections which are already assigned to any firewalld zone.
|
|
|
f6303c |
for connection in "${nm_connections[@]}"; do
|
|
|
f6303c |
|
|
|
f6303c |
From 657c1cc0331b97ee37e7a2d44e50fab668c33ce1 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Marcus Burghardt <maburgha@redhat.com>
|
|
|
f6303c |
Date: Tue, 25 Oct 2022 15:40:15 +0200
|
|
|
f6303c |
Subject: [PATCH 14/14] Improve regex to detect ifcfg files
|
|
|
f6303c |
|
|
|
f6303c |
On RHEL7 and probably other distros which rely on ifcfg files by
|
|
|
f6303c |
default, there is a ifcfg file for the loopback interface, which is out
|
|
|
f6303c |
of the scope in this rule and should be ignored. This commit also
|
|
|
f6303c |
improved the wording in a OVAL comment to make it more clear.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../oval/shared.xml | 22 ++++++++++---------
|
|
|
f6303c |
1 file changed, 12 insertions(+), 10 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
index e4c03c9aa4d..4adef2e53f5 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
|
f6303c |
@@ -59,7 +59,7 @@
|
|
|
f6303c |
<ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
|
|
|
f6303c |
{{% else %}}
|
|
|
f6303c |
<ind:path>/etc/sysconfig/network-scripts</ind:path>
|
|
|
f6303c |
- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
|
|
|
f6303c |
+ <ind:filename operation="pattern match">^ifcfg-(?!lo).*</ind:filename>
|
|
|
f6303c |
<ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
|
|
|
f6303c |
{{% endif %}}
|
|
|
f6303c |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
@@ -88,7 +88,7 @@
|
|
|
f6303c |
<unix:filename operation="pattern match">.*\.nmconnection</unix:filename>
|
|
|
f6303c |
{{% else %}}
|
|
|
f6303c |
<unix:path>/etc/sysconfig/network-scripts</unix:path>
|
|
|
f6303c |
- <unix:filename operation="pattern match">ifcfg-.*</unix:filename>
|
|
|
f6303c |
+ <unix:filename operation="pattern match">^ifcfg-(?!lo).*</unix:filename>
|
|
|
f6303c |
{{% endif %}}
|
|
|
f6303c |
</unix:file_object>
|
|
|
f6303c |
|
|
|
f6303c |
@@ -164,12 +164,14 @@
|
|
|
f6303c |
</ind:xmlfilecontent_state>
|
|
|
f6303c |
|
|
|
f6303c |
|
|
|
f6303c |
-
|
|
|
f6303c |
- SSH port is defined as 22/tcp by default. However, is that possible cases where the
|
|
|
f6303c |
- administrator want, by any reason, to change this default port. The proper way to do this
|
|
|
f6303c |
+
|
|
|
f6303c |
+ SSH port is defined as 22/tcp by default. However, there are possible cases where the
|
|
|
f6303c |
+ admin wants, for whatever reason, to change this default port. The proper way to do this
|
|
|
f6303c |
is overriding the respectice SSH service file by populating the /etc/firewalld/services
|
|
|
f6303c |
- directory. So, its necessary to ensure the default file is interger and the, if is the
|
|
|
f6303c |
- case, the customized service is properly configured. -->
|
|
|
f6303c |
+ directory with a file with the same name. So, its necessary to ensure the file delivered
|
|
|
f6303c |
+ by the package, in the /usr/lib/firewalld/services directory, was not changed. However,
|
|
|
f6303c |
+ if the file is changed, there is necessary to ensure there is a customized service
|
|
|
f6303c |
+ properly configured by the administrator. -->
|
|
|
f6303c |
|
|
|
f6303c |
check="all" check_existence="all_exist" version="1"
|
|
|
f6303c |
comment="SSH service is interger in the /usr/lib/firewalld/services dir">
|
|
|
f6303c |
@@ -182,9 +184,9 @@
|
|
|
f6303c |
<ind:xpath>/service/port[@port='22']</ind:xpath>
|
|
|
f6303c |
</ind:xmlfilecontent_object>
|
|
|
f6303c |
|
|
|
f6303c |
-
|
|
|
f6303c |
- ssh.xml file is placed in the /etc/firewalld/services directory with the proper port
|
|
|
f6303c |
- defined. -->
|
|
|
f6303c |
+
|
|
|
f6303c |
+ modified ssh.xml file is placed in the /etc/firewalld/services directory with the proper
|
|
|
f6303c |
+ port defined. -->
|
|
|
f6303c |
|
|
|
f6303c |
check="all" check_existence="any_exist" version="1"
|
|
|
f6303c |
comment="SSH service is properly configured in /etc/firewalld/services dir">
|