From 2f0f9914e94e2aaf614b530548d94354a8bcab2d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 13 Oct 2022 18:59:06 +0200
Subject: [PATCH 01/14] Improve rule descriptions for
firewalld_sshd_port_enabled
The platform section was also included, since the scope of this rule
is only applicable to machines and not to containers.
---
.../firewalld_sshd_port_enabled/rule.yml | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
index 77ba9d3cca4..9b96faf222d 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
@@ -5,14 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Enable SSH Server firewalld Firewall Exception'
description: |-
- By default, inbound connections to SSH's port are allowed. If
- the SSH server is being used but denied by the firewall, this exception should
- be added to the firewall configuration.
+ If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
+ remote access through SSH. In more restrictive firewalld settings, the SSH port should be
+ added to the proper firewalld zone in order to allow SSH remote access.
<br /><br />
{{{ describe_firewalld_allow(proto="tcp", service="ssh") }}}
rationale: |-
- If inbound SSH connections are expected, adding a firewall rule exception
+ If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone
will allow remote access through the SSH port.
severity: medium
@@ -28,11 +28,23 @@ references:
nist: AC-17(a),CM-6(b),CM-7(a),CM-7(b)
srg: SRG-OS-000096-GPOS-00050
-ocil_clause: 'sshd service is disabled by firewall'
+platform: machine
+
+ocil_clause: 'sshd service is not enabled in the proper firewalld zone'
+
ocil: |
{{{ ocil_firewalld_allow_access(port="22", proto="tcp", service="ssh") }}}
fixtext: |-
- Enable sshd in firewalld configuration.
+ Enable SSH service in firewalld configuration.
{{{ describe_firewalld_allow(proto="tcp", service="ssh") }}}
+
+warnings:
+ - general: |-
+ The remediation for this rule uses <tt>firewall-cmd</tt> and <tt>nmcli</tt> tools.
+ Therefore, it will only be executed if <tt>firewalld</tt> and <tt>NetworkManager</tt>
+ services are running. Otherwise, the remediation will be aborted and a informative message
+ will be shown in the remediation report.
+ These respective services will not be started in order to preserve any intentional change
+ in network components related to firewall and network interfaces.
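Review bot: The new warning tells the administrator that firewalld and NetworkManager will not be started, but not that the bash remediation restarts NetworkManager (`systemctl restart NetworkManager` in the shared.sh patch of this series), which is the step most likely to interrupt the session applying the fix. A sentence such as `NetworkManager is restarted so that the zone assignment takes effect; apply the remediation from a console or expect a brief loss of connectivity.` would set expectations for anyone running this over SSH. Minor wording on the new line: `a informative message` should read `an informative message`.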
From 4e76d01001398948de8d1b085964bbb1ea68626c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 14 Oct 2022 09:02:08 +0200
Subject: [PATCH 02/14] Increase robustness of firewalld_sshd_port_enabled bash
remediation
The remediation was not capable of properly handling some special cases,
like a system with multiple interfaces. It was also not capable of safely
configuring the correct interface, since it assumed the NetworkManager
connection file was prefixed with the network interface name. In
addition, manually changing firewalld XML files is not stable when a
proper command is available. This commit makes the remediation reliable
and assertive by using the firewall-cmd and nmcli commands.
---
.../bash/shared.sh | 76 +++++++++----------
1 file changed, 37 insertions(+), 39 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index a328bee5c8a..e1b4f0fbd20 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -5,49 +5,47 @@
# disruption = low
{{{ bash_package_install("firewalld") }}}
-
+{{{ bash_package_install("NetworkManager") }}}
{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
-{{% if product in ['rhel9'] %}}
- {{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}}
-{{% else %}}
- {{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}}
-{{% endif %}}
+if firewall-cmd --state -q; then
+ # First make sure the SSH service is enabled in run-time for the proper zone.
+ # This is to avoid connection issues when new interfaces are addeded to this zone.
+ firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
-# This assumes that firewalld_sshd_zone is one of the pre-defined zones
-if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then
- cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
-fi
-if ! grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then
- sed -i '/<\/description>/a \
- <service name="ssh"/>' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
-fi
+ if systemctl is-active NetworkManager; then
+ # This will collect all NetworkManager connections names
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
-# Check if any eth interface is bounded to the zone with SSH service enabled
-nic_bound=false
-readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-for interface in "${eth_interface_list[@]}"; do
- if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then
- nic_bound=true
- break;
- fi
-done
-
-if [ $nic_bound = false ];then
- # Add first NIC to SSH enabled zone
- interface="${eth_interface_list[0]}"
-
- if ! firewall-cmd --state -q; then
- {{% if product in ['rhel9'] %}}
- {{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
- {{% else %}}
- {{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
- {{% endif %}}
+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+ # This will not change connections which are already assigned to any firewalld zone.
+ for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
+ fi
+ done
+ systemctl restart NetworkManager
else
- # If firewalld service is running, we need to do this step with firewall-cmd
- # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone
- # of NetworkManager managed interfaces upon reload
- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}"
- firewall-cmd --reload
+ echo "
+ NetworkManager service is not active. Remediation aborted!
+ This remediation could not be applied because it depends on NetworkManager service running.
+ The service is not started by this remediation in order to prevent connection issues."
+ exit 1
fi
+
+ # Active zones are zones with at least one interface assigned to it.
+ # It is possible that traffic is comming by any active interface and consequently any
+ # active zone. So, this make sure all active zones are permanently allowing SSH service.
+ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+ for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+ done
+ firewall-cmd --reload
+else
+ echo "
+ firewalld service is not active. Remediation aborted!
+ This remediation could not be applied because it depends on firewalld service running.
+ The service is not started by this remediation in order to prevent connection issues."
+ exit 1
fi
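Review bot: Both new loops iterate `$nm_connections` and `$firewalld_active_zones`, which in bash expands only the first element of an array filled by `readarray`, so only the first NetworkManager connection is assigned to the zone and only the first active zone receives the permanent ssh service; a second interface bound to another zone stays closed while the remediation exits successfully. The comparison `[ $current_zone = "--" ]` and the argument `connection.zone $firewalld_sshd_zone` are also unquoted, so an empty result from nmcli aborts the test with a syntax error and a zone value containing whitespace is word-split. Iterate with `"${array[@]}"` and quote the scalars; `--get-active-zones` can presumably also print `sources:` lines for zones bound by source address, which `grep -v interfaces` does not drop, and nmcli's tabular output may pad connection names, so the line-based parsing should be confirmed against the firewalld and NetworkManager versions in scope. Separately, the `systemctl restart NetworkManager` step is the one most likely to drop the session running the fix, which the `# disruption = low` header at the top of the hunk may understate.
```shell
# … unchanged: firewall-cmd --state check and run-time --add-service …
  if systemctl is-active NetworkManager; then
    readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
    for connection in "${nm_connections[@]}"; do
      current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
      if [ "$current_zone" = "--" ]; then
        nmcli connection modify "$connection" connection.zone "$firewalld_sshd_zone"
      fi
    done
    # … unchanged: systemctl restart NetworkManager and the abort branch …
  fi

  readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v -E '^\s+(interfaces|sources):')
  for zone in "${firewalld_active_zones[@]}"; do
    firewall-cmd --permanent --zone="$zone" --add-service=ssh
  done
# … unchanged: firewall-cmd --reload and the outer abort branch …
```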
From a1fe2e8c34f8dbbaf573e6d6fa37b8e4fc63ad09 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 19 Oct 2022 13:19:46 +0200
Subject: [PATCH 03/14] Include warning message regarging custom SSH port
---
.../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
index 9b96faf222d..d49a2af1d02 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
@@ -48,3 +48,10 @@ warnings:
will be shown in the remediation report.
These respective services will not be started in order to preserve any intentional change
in network components related to firewall and network interfaces.
+ - general: |-
+ This rule also checks if the SSH port was modified by the administrator and is reflecting
+ the expected port number. Although this is checked, fixing the custom ssh.xml file is not
+ in the scope of the remediation since there is no reliable way to manually change the
+ respective file. If the default SSH port is modified, it is on the administrator
+ responsibility to ensure the firewalld customizations in the service port level are
+ properly configured.
From b7c665bd163acb0595438223e4ebaa6a34e674a0 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 14 Oct 2022 15:03:33 +0200
Subject: [PATCH 04/14] Review test scenario scripts
---
.../tests/no_nic_in_ssh_zone.fail.sh | 7 +------
.../firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh | 4 ----
.../tests/ssh_zone_and_nic_mismatch.fail.sh | 4 ----
.../tests/ssh_zone_nic_bounded.pass.sh | 3 ---
4 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
index 7ed0c21ed1e..21d7c0eafc4 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
@@ -1,9 +1,5 @@
#!/bin/bash
# packages = firewalld
-#
-# remediation = none
-
-# ensure firewalld installed
# Make sure there is a zone with ssh service enabled
firewall-cmd --permanent --zone=work --add-service=ssh
@@ -11,8 +7,7 @@ firewall-cmd --permanent --zone=work --add-service=ssh
all_zones=$(firewall-cmd --get-zones)
eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-# Make sure NICs are bounded to no zone
-# Note: Interfaces managed by NetworkManager will be assigned to the default firewalld zone
+# Make sure all NICs are not bounded to any zone
for zone in $all_zones; do
for interface in $eth_interfaces; do
firewall-cmd --permanent --zone=$zone --remove-interface=$interface
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
index 78918c9fee5..41fb83d9489 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
@@ -1,9 +1,5 @@
#!/bin/bash
# packages = firewalld
-#
-# remediation = none
-
-# ensure firewalld installed
all_zones=$(firewall-cmd --get-zones)
for zone in $all_zones;do
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
index fed30230588..ab05492f74d 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
@@ -1,9 +1,5 @@
#!/bin/bash
# packages = firewalld
-#
-# remediation = none
-
-# ensure firewalld installed
# Make sure there is only one zone with ssh service enabled
all_zones=$(firewall-cmd --get-zones)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
index f426236466f..eabc38e7248 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
@@ -1,8 +1,5 @@
#!/bin/bash
# packages = firewalld
-#
-
-# ensure firewalld installed
firewall-cmd --permanent --zone=public --add-service=ssh
From 32a41b09b0b963e3fb681a5ea617e96383e2277c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 19 Oct 2022 08:39:04 +0200
Subject: [PATCH 05/14] Reinvent the test scenarios for
firewalld_sshd_port_enabled
The test scenarios were aligned with the old remediation approach, making
them incomplete and incapable of catching real cases. Now that the
remediation is robust, the test scenarios need the same level of
robustness in order to ensure the rule is as realistic as
possible. They now cover cases with multiple interfaces and
multiple active zones. A custom SSH port is also covered.
---
.../tests/customized_zone_configured.pass.sh | 37 +++++++++++++++++
.../tests/customized_zone_without_ssh.fail.sh | 37 +++++++++++++++++
.../tests/new_zone_configured.pass.sh | 39 ++++++++++++++++++
.../tests/new_zone_without_ssh.fail.sh | 40 +++++++++++++++++++
.../tests/no_nic_in_ssh_zone.fail.sh | 18 ---------
.../tests/no_ssh_zone.fail.sh | 10 -----
.../tests/only_nics_configured.fail.sh | 35 ++++++++++++++++
.../tests/only_zones_configured.fail.sh | 34 ++++++++++++++++
.../tests/ssh_port_enabled.pass.sh | 5 ---
.../tests/ssh_zone_and_nic_mismatch.fail.sh | 25 ------------
.../tests/ssh_zone_nic_bounded.pass.sh | 8 ----
.../tests/zones_and_nics_configured.pass.sh | 34 ++++++++++++++++
.../zones_and_nics_ok_no_custom_files.pass.sh | 39 ++++++++++++++++++
.../zones_and_nics_ok_port_changed.pass.sh | 38 ++++++++++++++++++
14 files changed, 333 insertions(+), 66 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
new file mode 100644
index 00000000000..9bfd1737dc8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is
+# created in /etc/firewalld/zones.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+ firewall-cmd --permanent --zone="$zone" --add-service=http
+done
+
+firewall-cmd --reload
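Review bot: The scenario copies the remediation's loops verbatim, including `for connection in $nm_connections` and `for zone in $firewalld_active_zones`, which expand only the first element of each `readarray` array; on a machine with one connection and one active zone it passes, but it does not exercise the multi-interface case the series claims to cover, and a pass scenario that shares the remediation's bug cannot catch it. Iterate with `"${nm_connections[@]}"` and `"${firewalld_active_zones[@]}"` and quote the comparison as `[ "$current_zone" = "--" ]`; the same lines are repeated in the other new scenarios of this patch. It would also help to state in the header comment that the scenario is intentionally mirroring the remediation, so a later change to shared.sh is propagated here.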
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
new file mode 100644
index 00000000000..f1d152c683e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+# It is to ensure a custom file is created in /etc/firewalld/zones.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+ firewall-cmd --permanent --zone="$zone" --add-service=http
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
new file mode 100644
index 00000000000..cb8849b3f9f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Create a custom zone
+custom_zone_name="custom"
+firewall-cmd --new-zone=$custom_zone_name --permanent
+firewall-cmd --reload
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones "$custom_zone_name"; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
new file mode 100644
index 00000000000..5e0a6453df7
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Create a custom zone
+custom_zone_name="custom"
+firewall-cmd --new-zone=$custom_zone_name --permanent
+firewall-cmd --reload
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones "$custom_zone_name"; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
deleted file mode 100644
index 21d7c0eafc4..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-# Make sure there is a zone with ssh service enabled
-firewall-cmd --permanent --zone=work --add-service=ssh
-
-all_zones=$(firewall-cmd --get-zones)
-eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-
-# Make sure all NICs are not bounded to any zone
-for zone in $all_zones; do
- for interface in $eth_interfaces; do
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
- done
-done
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
deleted file mode 100644
index 41fb83d9489..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-all_zones=$(firewall-cmd --get-zones)
-for zone in $all_zones;do
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
-done
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
new file mode 100644
index 00000000000..98525db2729
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
new file mode 100644
index 00000000000..e14d6c959dc
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is already assigned to a firewalld zone, removes the assignment.
+# This will not change connections which are not assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone != "--" ]; then
+ nmcli connection modify "$connection" connection.zone ""
+ fi
+done
+systemctl restart NetworkManager
+
+readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)
+
+# Ensure all zones are permanently allowing SSH service.
+for zone in $firewalld_all_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+# It is not a problem to reload the settings since all interfaces without an explicit assgined zone
+# will be automatically assigned to the default zone.
+firewall-cmd --reload
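Review bot: `readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)` only works because `--get-zones` prints every zone on a single space-separated line and the unquoted `$firewalld_all_zones` then word-splits it; the same `$array` idiom applied to the line-per-zone output of `--get-active-zones` in the sibling scenarios yields only the first zone. Make the intent explicit with `for zone in $(firewall-cmd --get-zones); do` and quote the comparison `[ "$current_zone" != "--" ]` so an empty nmcli result does not abort with a syntax error. The comment before `firewall-cmd --reload` says unassigned interfaces fall back to the default zone, where the loop above has just permanently allowed ssh, so the header should say why this is still a fail scenario — presumably the check requires the NICs to be explicitly bound to the zone in `firewalld_sshd_zone`, but that logic is not visible here.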
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
deleted file mode 100644
index c9959c40937..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-firewall-cmd --add-port=22/tcp
-firewall-cmd --add-port=22/tcp --permanent
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
deleted file mode 100644
index ab05492f74d..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-# Make sure there is only one zone with ssh service enabled
-all_zones=$(firewall-cmd --get-zones)
-for zone in $all_zones;do
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
-done
-firewall-cmd --permanent --zone=work --add-service=ssh
-
-all_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1)
-
-# Make sure NICs are bounded to no zone
-for zone in $all_zones; do
- for interface in $all_interfaces; do
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
- done
-done
-
-eth_interfaces=$(echo "$all_interfaces" | grep -E '^(en|eth)')
-# Add interface to wrong zone
-firewall-cmd --permanent --zone=trusted --add-interface=${eth_interfaces[0]}
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
deleted file mode 100644
index eabc38e7248..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-firewall-cmd --permanent --zone=public --add-service=ssh
-
-eth_interface=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-
-firewall-cmd --permanent --zone=public --add-interface=${eth_interface[0]}
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
new file mode 100644
index 00000000000..489fe6ae7e8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+firewall-cmd --reload
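Review bot: `for connection in $nm_connections` at the first loop head expands only the first element of the array that `readarray -t` filled, so every connection after the first never gets a zone, and `for zone in $firewalld_active_zones` below has the same problem; patch 08 later fixes both loops in bash/shared.sh but leaves the test scripts untouched. Use `for connection in "${nm_connections[@]}"; do` and `for zone in "${firewalld_active_zones[@]}"; do`, which also keeps connection names that contain spaces intact. The same two loops appear in zones_and_nics_ok_no_custom_files.pass.sh and zones_and_nics_ok_port_changed.pass.sh in this patch. While there, the body's `if [ $current_zone = "--" ]` should quote the variable, `if [ "$current_zone" = "--" ]; then`, so an empty nmcli result does not turn into a `[` unary-operator error on stderr.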
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
new file mode 100644
index 00000000000..c53fb99de78
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+# The work zone, used in this test scenario, allows ssh by default. Therefore, it is not expected
+# the previous command will create a respective file in /etc. However, it makes sure the /etc dir
+# is empty anyways.
+rm -f /etc/firewalld/zones/*
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
new file mode 100644
index 00000000000..46c4ed5f4d7
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work, sshd_listening_port=2222
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
+sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
From db26bb5efb0746c165e17294a7cde9c7e712cd85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 13 Oct 2022 11:51:05 +0200
Subject: [PATCH 06/14] Recreated OVAL assessment for
firewalld_sshd_port_enabled
There are some corner cases involving possible realistic scenarios with
firewalld and NetworkManager. Based on the remediation refactoring, the
OVAL assessment was also reformulated to be simpler and much more
reliable. It now checks the files packaged with firewalld as well as custom
files, respecting the proper precedence when custom files exist.
---
.../oval/shared.xml | 312 ++++++++++++------
1 file changed, 206 insertions(+), 106 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
index e944f938a59..e4c03c9aa4d 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -1,109 +1,209 @@
<def-group>
- <definition class="compliance" id="firewalld_sshd_port_enabled" version="1">
- {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to
- the SSH port (22).") }}}
- <criteria operator="OR">
- <criterion comment="ssh service is enabled in services" test_ref="test_firewalld_service_sshd_enabled" />
- <criterion comment="ssh port is enabled in services" test_ref="test_firewalld_service_sshd_port_enabled" />
- <criteria operator="AND">
- <criterion comment="ssh service is enabled in zones" test_ref="test_firewalld_zone_sshd_enabled" />
- <criterion comment="there is at least one NIC assigned to a zone with ssh enabled" test_ref="test_nic_assigned_to_sshd_enabled_zone" />
- </criteria>
- <criterion comment="ssh port is enabled in zones" test_ref="test_firewalld_zone_sshd_port_enabled" />
- </criteria>
- </definition>
-
- <ind:xmlfilecontent_test check="all" check_existence="all_exist" comment="ssh service is enabled in services"
- id="test_firewalld_service_sshd_enabled" version="1">
- <ind:object object_ref="object_firewalld_service_sshd_enabled" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="object_firewalld_service_sshd_enabled" version="1">
- <ind:path>/etc/firewalld/services</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:xpath>/service/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="ssh port is enabled in services"
- id="test_firewalld_service_sshd_port_enabled" version="1">
- <ind:object object_ref="object_firewalld_service_sshd_port_enabled" />
- <ind:state state_ref="state_sshd_listening_port" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_firewalld_service_sshd_port_enabled" version="1">
- <ind:path>/etc/firewalld/services</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
- <ind:instance datatype="int" operation="equals">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:xmlfilecontent_test check="all" check_existence="all_exist" comment="ssh service is enabled in zones"
- id="test_firewalld_zone_sshd_enabled" version="1">
- <ind:object object_ref="object_firewalld_zone_sshd_enabled" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="object_firewalld_zone_sshd_enabled" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="ssh port is enabled in zones"
- id="test_firewalld_zone_sshd_port_enabled" version="1">
- <ind:object object_ref="object_firewalld_zone_sshd_port_enabled" />
- <ind:state state_ref="state_sshd_listening_port" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_firewalld_zone_sshd_port_enabled" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
- <ind:instance datatype="int" operation="equals">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <!-- Grab list of zones which enable service ssh -->
- <local_variable id="var_firewalld_sshd_enabled_zones" datatype="string" version="1" comment="firewalld zones with ssh service enabled">
- <regex_capture pattern="(\S+).xml">
- <object_component item_field="filename" object_ref="object_firewalld_zone_sshd_enabled" />
- </regex_capture>
- </local_variable>
-
- <!-- check if any of the zones with NIC assigned allows sshd service -->
- <ind:xmlfilecontent_test check="all" check_existence="at_least_one_exists" comment="ssh service is enabled in zones"
- id="test_nic_assigned_to_sshd_enabled_zone" version="1">
- <ind:object object_ref="object_zones_with_nics" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="object_zones_with_nics" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match" var_check="at least one" var_ref="var_firewalld_zones_with_assigned_nics"/>
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <!-- List of Zones with NIC assigned to it -->
- <local_variable id="var_firewalld_zones_with_assigned_nics" datatype="string" version="1" comment="firewalld zones with ssh service enabled">
- <concat>
- <object_component item_field="subexpression" object_ref="object_nic_assigned_to_firewalld_zone" />
- <literal_component>.xml</literal_component>
- </concat>
- </local_variable>
-{{% if product in ["fedora", "rhel9"] %}}
- <ind:textfilecontent54_object comment="Check config of all NIC"
- id="object_nic_assigned_to_firewalld_zone" version="2">
- <ind:path>/etc/NetworkManager/system-connections</ind:path>
- <ind:filename operation="pattern match">.*\.nmconnection</ind:filename>
- <ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-{{% else %}}
- <ind:textfilecontent54_object comment="Check config of all NIC"
- id="object_nic_assigned_to_firewalld_zone" version="1">
- <ind:path>/etc/sysconfig/network-scripts</ind:path>
- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
- <ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-{{% endif %}}
-
- <ind:textfilecontent54_state comment="port ssh is listening" id="state_sshd_listening_port" version="1">
- <ind:subexpression datatype="int" operation="equals" var_ref="sshd_listening_port" />
- </ind:textfilecontent54_state>
-
- <external_variable comment="port ssh is listening" datatype="int" id="sshd_listening_port" version="1" />
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to
+ the SSH service.") }}}
+ <criteria operator="AND">
+ <criterion comment="Ensure all NICs have a zone defined in their config files"
+ test_ref="test_firewalld_sshd_port_enabled_all_nics_in_zones"/>
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <criterion
+ comment="Ensure default file zones have SSH service defined"
+ test_ref="test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr"/>
+ <criterion
+ comment="Ensure default files from active zones were not overridden"
+ test_ref="test_firewalld_sshd_port_enabled_usr_zones_not_overridden"/>
+ </criteria>
+ <criterion
+ comment="Ensure custom files from active zones have SSH service defined"
+ test_ref="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"/>
+ </criteria>
+ <criteria operator="AND">
+ <criterion
+ comment="Ensure default file for SSH service is correct"
+ test_ref="test_firewalld_sshd_port_enabled_ssh_service_usr"/>
+ <criterion
+ comment="Ensure the modified firewalld SSH port is correct"
+ test_ref="test_firewalld_sshd_port_enabled_ssh_service_etc"/>
+ </criteria>
+ </criteria>
+ </definition>
+ <!-- all interfaces have a zone defined -->
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_all_nics_in_zones"
+ check="all" check_existence="at_least_one_exists" version="1"
+ comment="All NICs must have a firewalld zone defined in their settings">
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_network_conf_files_count"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_network_conf_files_count"/>
+ </ind:variable_test>
+
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_network_conf_files_count"
+ version="1">
+ <ind:var_ref>var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count"
+ datatype="int" version="1"
+ comment="Variable including number of network config files with an assiged zone">
+ <count>
+ <object_component item_field="instance"
+ object_ref="object_firewalld_sshd_port_enabled_zones_assigned_to_nics"/>
+ </count>
+ </local_variable>
+
+ <ind:textfilecontent54_object id="object_firewalld_sshd_port_enabled_zones_assigned_to_nics"
+ comment="Check the respective zone parameter in all NICs configuration files" version="3">
+ {{% if product in ["fedora", "rhel9"] %}}
+ <ind:path>/etc/NetworkManager/system-connections</ind:path>
+ <ind:filename operation="pattern match">.*\.nmconnection</ind:filename>
+ <ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
+ {{% else %}}
+ <ind:path>/etc/sysconfig/network-scripts</ind:path>
+ <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
+ <ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
+ {{% endif %}}
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_network_conf_files_count"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_firewalld_sshd_port_enabled_network_conf_files_count"/>
+ </ind:variable_state>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_network_conf_files_count"
+ datatype="int" version="1"
+ comment="Variable including number of network config files present in the system">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_network_conf_files"/>
+ </count>
+ </local_variable>
+
+ <unix:file_object id="object_firewalld_sshd_port_enabled_network_conf_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="all"/>
+ {{% if product in ["fedora", "rhel9"] %}}
+ <unix:path>/etc/NetworkManager/system-connections</unix:path>
+ <unix:filename operation="pattern match">.*\.nmconnection</unix:filename>
+ {{% else %}}
+ <unix:path>/etc/sysconfig/network-scripts</unix:path>
+ <unix:filename operation="pattern match">ifcfg-.*</unix:filename>
+ {{% endif %}}
+ </unix:file_object>
+
+ <!-- zones allow SSH -->
+ <!-- Except to the block and drop zones, which have a clear purpose suggested by their
+ respective names, all other zones delivered in the firewalld package allow SSH
+ out-of-box. This test ensure these files are indeed allowing SSH in case a NIC is
+ assigned to any of these existing zones. -->
+ <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr"
+ check="all" check_existence="at_least_one_exists" version="1"
+ comment="SSH service is defined in all zones delivered in the firewalld package">
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_usr"/>
+ </ind:xmlfilecontent_test>
+
+ <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_usr"
+ version="1">
+ <ind:path>/usr/lib/firewalld/zones</ind:path>
+ <ind:filename operation="pattern match" var_check="all"
+ var_ref="var_firewalld_sshd_port_enabled_default_zones"/>
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <!-- Once the default firewalld zone files are confirmed to be allowing ssh, it is necessary
+ to confirm they are indeed in use by not having an equivalent file in /etc/firewalld/zones
+ dir. Otherwise, it is not possible to rely only on default files and the /etc dir should
+ also be checked. -->
+ <unix:file_test id="test_firewalld_sshd_port_enabled_usr_zones_not_overridden" version="1"
+ check="all" check_existence="none_exist"
+ comment="there is no equivalent zone file defined by the administrator in /etc dir">
+ <unix:object object_ref="object_firewalld_sshd_port_enabled_customized_zone_files"/>
+ </unix:file_test>
+
+ <unix:file_object id="object_firewalld_sshd_port_enabled_customized_zone_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="all"/>
+ <unix:path>/etc/firewalld/zones</unix:path>
+ <unix:filename operation="pattern match" var_check="at least one"
+ var_ref="var_firewalld_sshd_port_enabled_default_zones"/>
+ </unix:file_object>
+
+ <!-- During the refactoring of this file, it was tried many techniques to use the available
+ OVAL resources in order to detect and assess only active zone, which are zones with at
+ least one NIC assigned to it. Since it was possible to easily have the list of active
+ zones, it was cumbersome to use that list in other OVAL objects without introduce a high
+ level of complexity to make sure environments with multiple NICs and multiple zones are
+ in use. So, in favor of simplicity and readbility it was decided to work with a static
+ list. It means that, in the future, it is possible this list needs to be updated. -->
+ <local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
+ datatype="string"
+ comment="Regex containing the list of zones files delivered in the firewalld package">
+ <literal_component>^(dmz|external|home|internal|public|trusted|work)\.xml$</literal_component>
+ </local_variable>
+
+ <!-- If any default zone is modified by the administrator, the respective zone file is placed
+ in the /etc/firewalld/zones dir in order to override the default zone settings. The same
+ directory is applicable for new zones created by the administrator. Therefore, all files
+ in this directory should also allow SSH. -->
+ <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
+ check="all" check_existence="at_least_one_exists" version="1"
+ comment="SSH service is defined in all zones created or modified by the administrator">
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
+ </ind:xmlfilecontent_test>
+
+ <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
+ <ind:path>/etc/firewalld/zones</ind:path>
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ </ind:xmlfilecontent_state>
+
+ <!-- SSH service is configured as expected -->
+ <!-- The firewalld package brings many services already defined out-of-box, inclusing SSH.
+ SSH port is defined as 22/tcp by default. However, is that possible cases where the
+ administrator want, by any reason, to change this default port. The proper way to do this
+ is overriding the respectice SSH service file by populating the /etc/firewalld/services
+ directory. So, its necessary to ensure the default file is interger and the, if is the
+ case, the customized service is properly configured. -->
+ <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_ssh_service_usr"
+ check="all" check_existence="all_exist" version="1"
+ comment="SSH service is interger in the /usr/lib/firewalld/services dir">
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_ssh_service_file_usr"/>
+ </ind:xmlfilecontent_test>
+
+ <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_ssh_service_file_usr"
+ version="1">
+ <ind:filepath>/usr/lib/firewalld/services/ssh.xml</ind:filepath>
+ <ind:xpath>/service/port[@port='22']</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <!-- If, by any reason, the administrator decides to change the SSH default port, the modified
+ ssh.xml file is placed in the /etc/firewalld/services directory with the proper port
+ defined. -->
+ <ind:textfilecontent54_test id="test_firewalld_sshd_port_enabled_ssh_service_etc"
+ check="all" check_existence="any_exist" version="1"
+ comment="SSH service is properly configured in /etc/firewalld/services dir">
+ <ind:object object_ref="object_firewalld_sshd_port_enabled_ssh_service_file_etc"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_ssh_service_file_etc"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_firewalld_sshd_port_enabled_ssh_service_file_etc"
+ version="1">
+ <ind:filepath>/etc/firewalld/services/ssh.xml</ind:filepath>
+ <ind:pattern operation="pattern match"><port.*port="(\d+)"</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_firewalld_sshd_port_enabled_ssh_service_file_etc"
+ comment="expected SSH port as defined by external variable" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_ref="sshd_listening_port"/>
+ </ind:textfilecontent54_state>
+
+ <external_variable id="sshd_listening_port" datatype="int" version="1"
+ comment="external variable containing the expected SSH port"/>
</def-group>
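Review bot: A NIC assigned to a zone the administrator created in /etc/firewalld/zones under a name outside the static list in `var_firewalld_sshd_port_enabled_default_zones` is never inspected while the packaged zone files stay untouched: the first branch of the OR passes because `object_firewalld_sshd_port_enabled_customized_zone_files` only matches the default zone names, so `test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc` is not consulted and a custom zone without the ssh service still passes, although the comment above that test says all files in the directory should allow SSH. The `_etc` test itself also looks weak, since `state_firewalld_sshd_port_enabled_zone_files_etc` compares the item's `xpath` entity — the query string — rather than its result, and I do not think it distinguishes a file where the xpath matched from one where it did not. A fail scenario with a custom zone file in /etc/firewalld/zones lacking `<service name="ssh"/>` would settle both points and belongs next to the new pass tests. Separately, the comments around `test_firewalld_sshd_port_enabled_ssh_service_usr` read "interger" where "intact" seems intended, and "assiged", "readbility", "inclusing" and "respectice" nearby need the same spelling fix.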
From 84755e320f3f8fd73151c7d8e15370a1825b080d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 19 Oct 2022 18:36:24 +0200
Subject: [PATCH 07/14] Introduce new Ansible remediation
The previous remediation, besides being misaligned with the Bash
remediation, was also problematic. It was completely rewritten in this
commit in order to be aligned with the Bash remediation. This Ansible
remediation was also enabled for all platforms, including RHEL9.
---
.../ansible/shared.yml | 97 +++++++++++++++----
1 file changed, 79 insertions(+), 18 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
index 2553a4d2e57..fa7830761df 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -1,28 +1,89 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_all
# reboot = false
# complexity = low
# strategy = configure
# disruption = low
-- name: Ensure firewalld is installed
- package:
+{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}}
+
+- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed'
+ ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- firewalld
+ - NetworkManager
+
+- name: '{{{ rule_title }}} - Collect facts about system services'
+ ansible.builtin.service_facts:
+ register: result_services_states
+
+- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running'
+ block:
+ - name: '{{{ rule_title }}} - Collect NetworkManager connections names'
+ ansible.builtin.shell:
+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2
+ register: result_nmcli_cmd_connections_names
+ changed_when: false
+
+ - name: '{{{ rule_title }}} - Collect NetworkManager connections zones'
+ ansible.builtin.shell:
+ cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}'
+ register: result_nmcli_cmd_connections_zones
+ changed_when: false
+ with_items:
+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
+
+ - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone'
+ ansible.builtin.command:
+ cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }}
+ register: result_nmcli_cmd_connections_assignment
+ with_together:
+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
+ - "{{ result_nmcli_cmd_connections_zones.results }}"
+ when:
+ - item.1.stdout == '--'
+
+ - name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied'
+ ansible.builtin.service:
+ name: NetworkManager
+ state: restarted
+ when:
+ - result_nmcli_cmd_connections_assignment is changed
+
+ - name: '{{{ rule_title }}} - Collect firewalld active zones'
+ ansible.builtin.shell:
+ cmd: firewall-cmd --get-active-zones | grep -v interfaces
+ register: result_firewall_cmd_zones_names
+ changed_when: false
+
+ - name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH'
+ ansible.builtin.command:
+ cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
+ register: result_nmcli_cmd_connections_assignment
+ changed_when:
+ - "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr"
+ with_items:
+ - "{{ result_firewall_cmd_zones_names.stdout_lines }}"
+
+ - name: '{{{ rule_title }}} - Ensure firewalld changes are applied'
+ ansible.builtin.service:
+ name: firewalld
+ state: reloaded
+ when:
+ - result_nmcli_cmd_connections_assignment is changed
+ when:
+ - ansible_facts.services['firewalld.service'].state == 'running'
+ - ansible_facts.services['NetworkManager.service'].state == 'running'
-{{{ ansible_instantiate_variables("sshd_listening_port") }}}
-
-- name: Enable SSHD in firewalld (custom port)
- firewalld:
- port: "{{ sshd_listening_port }}/tcp"
- permanent: yes
- state: enabled
- when: sshd_listening_port != 22
-
-- name: Enable SSHD in firewalld (default port)
- firewalld:
- service: ssh
- permanent: yes
- state: enabled
- when: sshd_listening_port == 22
+- name: '{{{ rule_title }}} - Informative message based on services states'
+ ansible.builtin.assert:
+ that:
+ - ansible_facts.services['firewalld.service'].state == 'running'
+ - ansible_facts.services['NetworkManager.service'].state == 'running'
+ fail_msg:
+ - firewalld and NetworkManager services are not active. Remediation aborted!
+ - This remediation could not be applied because it depends on firewalld and NetworkManager services running.
+ - The service is not started by this remediation in order to prevent connection issues.
+ success_msg:
+ - {{{ rule_title }}} remediation successfully executed
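Review bot: The connection name is interpolated unquoted into `cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}'` and `cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }}`, so a NetworkManager connection name containing spaces is split into several arguments and both the lookup and the zone assignment fail for it, whereas the Bash remediation quotes `"$connection"`. Quoting the template, `"{{ item | trim }}"` and `"{{ item.0 | trim }}"`, fixes both; patch 09's hunk on the same file drops `| trim` but keeps the name unquoted, so it needs the same change. The `Ensure firewalld zones allow SSH` task registers into `result_nmcli_cmd_connections_assignment`, reusing the name of the nmcli task's result, so the firewalld reload condition reads as if it depended on NetworkManager changes; a distinct name such as `result_firewall_cmd_add_service` in both places would make the intent clear. For consistency with the task names, the `success_msg` item could be quoted as `'{{{ rule_title }}} remediation successfully executed'`.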
From d4f81e27994e17049f448d8410b4a8cfb5a9bdd2 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 20 Oct 2022 08:37:03 +0200
Subject: [PATCH 08/14] Fix loop over array in bash remediation
---
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index e1b4f0fbd20..afb89b7005a 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -19,7 +19,7 @@ if firewall-cmd --state -q; then
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
- for connection in $nm_connections; do
+ for connection in "${nm_connections[@]}"; do
current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
if [ $current_zone = "--" ]; then
nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
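Review bot: Now that the loop visits every connection, the unquoted comparison in its body, `if [ $current_zone = "--" ]`, is reached for any name nmcli cannot resolve; with `current_zone` empty it expands to `[ = -- ]`, which bash reports as a unary-operator error instead of evaluating the test. `if [ "$current_zone" = "--" ]; then` keeps the same semantics and is safe for the empty case. The enclosing `if firewall-cmd --state -q` block continues outside the hunk.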
@@ -38,7 +38,7 @@ if firewall-cmd --state -q; then
# It is possible that traffic is comming by any active interface and consequently any
# active zone. So, this make sure all active zones are permanently allowing SSH service.
readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
- for zone in $firewalld_active_zones; do
+ for zone in "${firewalld_active_zones[@]}"; do
firewall-cmd --permanent --zone="$zone" --add-service=ssh
done
firewall-cmd --reload
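Review bot: `firewall-cmd --get-active-zones | grep -v interfaces` treats every line without the word `interfaces` as a zone name, and as far as I recall the command also prints indented `sources:` lines for zones activated by a source binding rather than an interface; such a line would be handed to `--zone=` and make the corrected loop fail for that entry. Filtering on indentation, `grep -v '^[[:space:]]'`, keeps only the zone-name lines however the zone became active. The same pipeline is used in the Ansible task `Collect firewalld active zones` and in the new test scripts of patch 01, so it should be changed there as well. The enclosing `if firewall-cmd --state -q` block continues outside the hunk.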
From 403c44d66e06d5463758ba70abdca967a4173f69 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 20 Oct 2022 10:49:20 +0200
Subject: [PATCH 09/14] Trim nmcli connection names output
The output of the nmcli command was including leading spaces in the
connection names. This was causing the subsequent nmcli command to
fail, resulting in connections without a firewalld zone defined.
---
.../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 4 ++--
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
index fa7830761df..6098155469c 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -22,7 +22,7 @@
block:
- name: '{{{ rule_title }}} - Collect NetworkManager connections names'
ansible.builtin.shell:
- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2
+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g'
register: result_nmcli_cmd_connections_names
changed_when: false
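Review bot: `grep -v "\-\-"` in the new `cmd` drops every line that contains a double dash anywhere, not only the `--` placeholder nmcli prints for devices without a connection, so a profile whose name happens to contain `--` is silently skipped and never receives a zone. Because `--fields CONNECTION` emits that column alone, the placeholder can be matched as a whole line instead: `nmcli --fields CONNECTION device status | tail -n+2 | grep -vE '^-- *$' | sed 's/ *$//'`. The block this task belongs to continues outside the hunk.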
@@ -36,7 +36,7 @@
- name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone'
ansible.builtin.command:
- cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }}
+ cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}
register: result_nmcli_cmd_connections_assignment
with_together:
- "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
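Review bot: Dropping `| trim` is fine, but `cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}` still hands the connection name unquoted to `ansible.builtin.command`, which splits `cmd` on whitespace; a default profile such as `Wired connection 1` becomes three arguments and the modify fails for exactly the connections this commit is trying to fix. Shell-quoting the values, `cmd: nmcli connection modify {{ item.0 | quote }} connection.zone {{ firewalld_sshd_zone | quote }}`, keeps each as a single argument (the module's `argv:` form is the alternative). The task continues past the hunk, so the second list fed to `with_together` is not visible here.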
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index afb89b7005a..25e54f09477 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -15,7 +15,7 @@ if firewall-cmd --state -q; then
if systemctl is-active NetworkManager; then
# This will collect all NetworkManager connections names
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
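Review bot: The added `sed 's/ *$//g'` strips trailing spaces, while the commit message speaks of leading spaces; nmcli's tabular output appears to pad the CONNECTION column on the right, so trailing is the case that matters here, but trimming both ends, `sed 's/^ *//;s/ *$//'`, costs nothing and removes the dependency on nmcli's column alignment (the `g` flag is redundant on an anchored pattern). The `if systemctl is-active NetworkManager` block this line sits in continues past the hunk.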
From df8cd2df8661a3fe9fb7d5b5b493a93e1f977654 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 20 Oct 2022 11:03:56 +0200
Subject: [PATCH 10/14] Simplify the Bash remediation in alignment to Ansible
---
.../bash/shared.sh | 37 +++++++------------
1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index 25e54f09477..f883e614846 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -8,31 +8,22 @@
{{{ bash_package_install("NetworkManager") }}}
{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
-if firewall-cmd --state -q; then
+if systemctl is-active NetworkManager && systemctl is-active firewalld; then
# First make sure the SSH service is enabled in run-time for the proper zone.
# This is to avoid connection issues when new interfaces are addeded to this zone.
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
- if systemctl is-active NetworkManager; then
- # This will collect all NetworkManager connections names
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
-
- # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
- # This will not change connections which are already assigned to any firewalld zone.
- for connection in "${nm_connections[@]}"; do
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
- if [ $current_zone = "--" ]; then
- nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
- fi
- done
- systemctl restart NetworkManager
- else
- echo "
- NetworkManager service is not active. Remediation aborted!
- This remediation could not be applied because it depends on NetworkManager service running.
- The service is not started by this remediation in order to prevent connection issues."
- exit 1
- fi
+ # This will collect all NetworkManager connections names
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+ # This will not change connections which are already assigned to any firewalld zone.
+ for connection in "${nm_connections[@]}"; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
+ fi
+ done
+ systemctl restart NetworkManager
# Active zones are zones with at least one interface assigned to it.
# It is possible that traffic is comming by any active interface and consequently any
@@ -44,8 +35,8 @@ if firewall-cmd --state -q; then
firewall-cmd --reload
else
echo "
- firewalld service is not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld service running.
+ firewalld and NetworkManager services are not active. Remediation aborted!
+ This remediation could not be applied because it depends on firewalld and NetworkManager services running.
The service is not started by this remediation in order to prevent connection issues."
exit 1
fi
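Review bot: The new message `firewalld and NetworkManager services are not active` misstates the condition: the `&&` test at the top of the block fails when either service is inactive, so in the common case only one is down and the operator is told both are. Report which one is actually inactive, e.g. `firewalld and/or NetworkManager service is not active. Remediation aborted!`, or print the result of `systemctl is-active firewalld NetworkManager` alongside; the unchanged last line `The service is not started` should also be made plural to match.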
From 8642f416a9cdeb5f0bc06f44d17f845afe089ce6 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 20 Oct 2022 11:07:31 +0200
Subject: [PATCH 11/14] Improve wording on warning about custom ssh.xml
---
.../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
index d49a2af1d02..7446a62379d 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
@@ -49,9 +49,10 @@ warnings:
These respective services will not be started in order to preserve any intentional change
in network components related to firewall and network interfaces.
- general: |-
- This rule also checks if the SSH port was modified by the administrator and is reflecting
- the expected port number. Although this is checked, fixing the custom ssh.xml file is not
- in the scope of the remediation since there is no reliable way to manually change the
- respective file. If the default SSH port is modified, it is on the administrator
+ This rule also checks if the SSH port was modified by the administrator in the firewalld
+ services definitions and is reflecting the expected port number. Although this is checked,
+ fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
+ is not in the scope of the remediation since there is no reliable way to manually change
+ the respective file. If the default SSH port is modified, it is on the administrator
responsibility to ensure the firewalld customizations in the service port level are
properly configured.
From ab738103ab2c376dea88dcd797187adfbb07053f Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 20 Oct 2022 14:25:42 +0200
Subject: [PATCH 12/14] Optimize test scenarios
Some conditions were removed from test scenarios in order to make them
more resilient to test environment peculiarities.
---
.../tests/customized_zone_configured.pass.sh | 4 ++--
.../tests/customized_zone_without_ssh.fail.sh | 4 ++--
.../tests/new_zone_configured.pass.sh | 7 ++-----
.../tests/new_zone_without_ssh.fail.sh | 7 ++-----
.../tests/only_nics_configured.fail.sh | 2 +-
.../tests/only_zones_configured.fail.sh | 7 ++-----
.../tests/zones_and_nics_configured.pass.sh | 2 +-
.../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +-
.../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +-
9 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
index 9bfd1737dc8..87e6871afb1 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
@@ -30,8 +30,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -
# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is
# created in /etc/firewalld/zones.
for zone in $firewalld_active_zones; do
- firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-service=http
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
done
firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
index f1d152c683e..383907d2cb7 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
@@ -29,8 +29,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -
# active zone. So, this make sure all active zones are permanently allowing SSH service.
# It is to ensure a custom file is created in /etc/firewalld/zones.
for zone in $firewalld_active_zones; do
- firewall-cmd --permanent --zone="$zone" --remove-service=ssh
firewall-cmd --permanent --zone="$zone" --add-service=http
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
done
# Do not reload, otherwise SSG Test suite will be locked out.
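Review bot: The loop this hunk reorders, `for zone in $firewalld_active_zones`, expands the array as a scalar and therefore iterates only its first element, so `--remove-service=ssh` is applied to a single active zone; on a test host with more than one active zone the scenario does not establish the state its name promises and the fail verdict depends on which zone happens to be listed first. Use `for zone in "${firewalld_active_zones[@]}"; do`, as the remediation script already does. The readarray feeding this loop sits just above the hunk.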
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
index cb8849b3f9f..9993e53788c 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh
@@ -15,15 +15,12 @@ firewall-cmd --reload
firewall-cmd --zone=$custom_zone_name --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
for connection in $nm_connections; do
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
- if [ $current_zone = "--" ]; then
- nmcli connection modify "$connection" connection.zone "$custom_zone_name"
- fi
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
done
systemctl restart NetworkManager
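Review bot: `for connection in $nm_connections` on the context line above the new unconditional `nmcli connection modify` still expands the array as a scalar, so only the first UUID from the new `nmcli -f UUID,TYPE con` listing is assigned to `$custom_zone_name`; on a host with several ethernet profiles the remaining ones keep whatever zone they had, and the pass verdict no longer reflects the intended "every connection in the new zone" state. Change it to `for connection in "${nm_connections[@]}"; do` so the simplification this hunk introduces covers all collected UUIDs.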
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
index 5e0a6453df7..1301679b344 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
@@ -15,15 +15,12 @@ firewall-cmd --reload
firewall-cmd --zone=$custom_zone_name --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
for connection in $nm_connections; do
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
- if [ $current_zone = "--" ]; then
- nmcli connection modify "$connection" connection.zone "$custom_zone_name"
- fi
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
done
systemctl restart NetworkManager
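Review bot: The scalar expansion `for connection in $nm_connections` above the new modify line visits only the first element of the array, so after this hunk just one profile is moved into `$custom_zone_name`; for a fail scenario that is supposed to leave every connection in a zone without ssh, any additional ethernet profile stays in its previous zone and may keep the rule passing for the wrong reason. `for connection in "${nm_connections[@]}"; do` is needed for the unconditional assignment to cover every UUID collected by the new `nmcli -f UUID,TYPE con` command.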
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
index 98525db2729..6552f3f4214 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
index e14d6c959dc..72fc492e5bf 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
@@ -10,15 +10,12 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is already assigned to a firewalld zone, removes the assignment.
# This will not change connections which are not assigned to any firewalld zone.
for connection in $nm_connections; do
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
- if [ $current_zone != "--" ]; then
- nmcli connection modify "$connection" connection.zone ""
- fi
+ nmcli connection modify "$connection" connection.zone ""
done
systemctl restart NetworkManager
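Review bot: `nmcli connection modify "$connection" connection.zone ""` is now applied unconditionally, but the loop header `for connection in $nm_connections` expands the array as a scalar and so clears the zone of the first UUID only; if that profile is not the one carrying the test interface, the "zones configured but NIC unassigned" state this fail scenario is named for is never produced. `for connection in "${nm_connections[@]}"; do` makes the clearing cover every connection listed by the new `nmcli -f UUID,TYPE con` pipeline.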
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
index 489fe6ae7e8..02c627e5d00 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
index c53fb99de78..9b3aa7d203f 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
index 46c4ed5f4d7..3e27a0647b0 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
firewall-cmd --zone=work --add-service=ssh
# Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
From a2a49e9e8330c12b73e1c3873974bcb9a41691d4 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 24 Oct 2022 17:04:41 +0200
Subject: [PATCH 13/14] Remediation applicable to all NetworkManager
connections
The remediation was initially considering to set a firewalld zone only
to active NetworkManager connections. However, it is possible that a
system has more valid connections which are simply not in use at the
moment. These inactive connections can be used at some point and, if this
happens, they will also be compliant with an explicit firewalld zone
assigned to them. This way it is indeed ensured that all connections have a
firewalld zone assigned.
---
.../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +-
.../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
index 6098155469c..7b0bda3f10c 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -22,7 +22,7 @@
block:
- name: '{{{ rule_title }}} - Collect NetworkManager connections names'
ansible.builtin.shell:
- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g'
+ cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
register: result_nmcli_cmd_connections_names
changed_when: false
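Review bot: `nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'` limits the zone assignment to ethernet-type profiles, while the OVAL for this rule (the `.*\.nmconnection` and `ifcfg-*` objects in the later OVAL patch of this series) appears to require a zone in every connection file; bond, bridge, vlan, team and wifi profiles are therefore never remediated, keep failing the check, and keep landing in firewalld's default zone. Selecting by UUID is the right move, so only the type filter should go, or at most exclude loopback: `cmd: nmcli -g UUID,TYPE con | awk -F: '$2 != "loopback" { print $1 }'` (the `-g` form is colon-separated and needs no header skipping; confirm it is available on the oldest supported nmcli). The enclosing block continues outside the hunk.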
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index f883e614846..76822bf01d8 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -14,7 +14,7 @@ if systemctl is-active NetworkManager && systemctl is-active firewalld; then
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
# This will collect all NetworkManager connections names
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
+ readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
for connection in "${nm_connections[@]}"; do
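Review bot: The new `readarray` keeps only profiles whose TYPE matches `ethernet`, so a host whose SSH-reachable interface is a bond, bridge, vlan, team or wifi profile gets no zone from this remediation and its traffic stays in firewalld's default zone, which is the exposure the rule exists to remove; the description of this commit promises "all connections", and the OVAL in this series appears to check every connection file, not only ethernet ones. Replace the type filter with a loopback exclusion at most: `readarray -t nm_connections < <(nmcli -g UUID,TYPE con | awk -F: '$2 != "loopback" { print $1 }')`, checking that `-g` exists on the oldest supported NetworkManager. The for-loop that consumes the array continues past the hunk.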
From 657c1cc0331b97ee37e7a2d44e50fab668c33ce1 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Tue, 25 Oct 2022 15:40:15 +0200
Subject: [PATCH 14/14] Improve regex to detect ifcfg files
On RHEL7 and probably other distros which rely on ifcfg files by
default, there is an ifcfg file for the loopback interface, which is out
of scope for this rule and should be ignored. This commit also
improves the wording of an OVAL comment to make it clearer.
---
.../oval/shared.xml | 22 ++++++++++---------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
index e4c03c9aa4d..4adef2e53f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -59,7 +59,7 @@
<ind:pattern operation="pattern match">^zone=(.*)$</ind:pattern>
{{% else %}}
<ind:path>/etc/sysconfig/network-scripts</ind:path>
- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
+ <ind:filename operation="pattern match">^ifcfg-(?!lo).*</ind:filename>
<ind:pattern operation="pattern match">^ZONE=(.*)$</ind:pattern>
{{% endif %}}
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
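Review bot: `^ifcfg-(?!lo).*` excludes more than the loopback script: the negative lookahead rejects every file whose name starts with `ifcfg-lo`, so `ifcfg-lom1`, `ifcfg-local-bridge` or any similarly named profile silently drops out of the check and a missing `ZONE=` there goes unnoticed. Anchor the exclusion to the whole name, `<ind:filename operation="pattern match">^ifcfg-(?!lo$).*</ind:filename>`, so only `ifcfg-lo` itself is skipped. The object this filename element belongs to opens before the hunk.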
@@ -88,7 +88,7 @@
<unix:filename operation="pattern match">.*\.nmconnection</unix:filename>
{{% else %}}
<unix:path>/etc/sysconfig/network-scripts</unix:path>
- <unix:filename operation="pattern match">ifcfg-.*</unix:filename>
+ <unix:filename operation="pattern match">^ifcfg-(?!lo).*</unix:filename>
{{% endif %}}
</unix:file_object>
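Review bot: The `file_object` filename filter `^ifcfg-(?!lo$).*` would be the safer form here as well, since `(?!lo)` without the anchor also drops any `ifcfg-lo*` name other than `lo`. Beyond that, `ifcfg-.*` matches editor and package leftovers such as `ifcfg-eth0.bak`, `ifcfg-eth0~` or `ifcfg-eth0.rpmsave`, which the network scripts presumably ignore but which this object will count as connection files lacking a zone and turn into a false failure. If both objects are meant to see the same set, a shared pattern that also skips those suffixes, e.g. `^ifcfg-(?!lo$)(?!.*(\.bak|\.orig|\.rpmnew|\.rpmorig|\.rpmsave|~)$).*`, avoids that — worth checking which suffixes the ifup scripts actually skip before committing to the list.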
@@ -164,12 +164,14 @@
</ind:xmlfilecontent_state>
<!-- SSH service is configured as expected -->
- <!-- The firewalld package brings many services already defined out-of-box, inclusing SSH.
- SSH port is defined as 22/tcp by default. However, is that possible cases where the
- administrator want, by any reason, to change this default port. The proper way to do this
+ <!-- The firewalld package brings many services already defined out-of-box, including SSH.
+ SSH port is defined as 22/tcp by default. However, there are possible cases where the
+ admin wants, for whatever reason, to change this default port. The proper way to do this
is overriding the respectice SSH service file by populating the /etc/firewalld/services
- directory. So, its necessary to ensure the default file is interger and the, if is the
- case, the customized service is properly configured. -->
+ directory with a file with the same name. So, its necessary to ensure the file delivered
+ by the package, in the /usr/lib/firewalld/services directory, was not changed. However,
+ if the file is changed, there is necessary to ensure there is a customized service
+ properly configured by the administrator. -->
<ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_ssh_service_usr"
check="all" check_existence="all_exist" version="1"
comment="SSH service is interger in the /usr/lib/firewalld/services dir">
@@ -182,9 +184,9 @@
<ind:xpath>/service/port[@port='22']</ind:xpath>
</ind:xmlfilecontent_object>
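Review bot: The rewritten comment describes the /etc/firewalld/services/ssh.xml test as a fallback for when the packaged file "is changed", but firewalld consults the /etc copy whenever it exists, regardless of the state of /usr/lib/firewalld/services/ssh.xml; if the criteria are wired the way the comment reads, an admin-placed override with the wrong port, or none, passes as long as the packaged file still lists 22. The comment (and the criteria, which sit outside this hunk) should say that the /etc file takes precedence whenever present and is validated in that case, with the /usr/lib file only consulted otherwise. Wording in the new lines: `its necessary` → `it's necessary`, `there is necessary to ensure` → `it is necessary to ensure`, and the `comment=` attribute's `interger` → `intact`.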
- <!-- If, by any reason, the administrator decides to change the SSH default port, the modified
- ssh.xml file is placed in the /etc/firewalld/services directory with the proper port
- defined. -->
+ <!-- If, for whatever reason, the administrator decides to change the SSH default port, the
+ modified ssh.xml file is placed in the /etc/firewalld/services directory with the proper
+ port defined. -->
<ind:textfilecontent54_test id="test_firewalld_sshd_port_enabled_ssh_service_etc"
check="all" check_existence="any_exist" version="1"
comment="SSH service is properly configured in /etc/firewalld/services dir">