From 2f0f9914e94e2aaf614b530548d94354a8bcab2d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Oct 2022 18:59:06 +0200 Subject: [PATCH 01/14] Improve rule descriptions for firewalld_sshd_port_enabled It was also included the platform section since the scope of this rule is only applicable to machines and not to containers. --- .../firewalld_sshd_port_enabled/rule.yml | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml index 77ba9d3cca4..9b96faf222d 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml @@ -5,14 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 title: 'Enable SSH Server firewalld Firewall Exception' description: |- - By default, inbound connections to SSH's port are allowed. If - the SSH server is being used but denied by the firewall, this exception should - be added to the firewall configuration. + If the SSH server is in use, inbound connections to SSH's port should be allowed to permit + remote access through SSH. In more restrictive firewalld settings, the SSH port should be + added to the proper firewalld zone in order to allow SSH remote access.

{{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} rationale: |- - If inbound SSH connections are expected, adding a firewall rule exception + If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port. severity: medium @@ -28,11 +28,23 @@ references: nist: AC-17(a),CM-6(b),CM-7(a),CM-7(b) srg: SRG-OS-000096-GPOS-00050 -ocil_clause: 'sshd service is disabled by firewall' +platform: machine + +ocil_clause: 'sshd service is not enabled in the proper firewalld zone' + ocil: | {{{ ocil_firewalld_allow_access(port="22", proto="tcp", service="ssh") }}} fixtext: |- - Enable sshd in firewalld configuration. + Enable SSH service in firewalld configuration. {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} + +warnings: + - general: |- + The remediation for this rule uses firewall-cmd and nmcli tools. + Therefore, it will only be executed if firewalld and NetworkManager + services are running. Otherwise, the remediation will be aborted and a informative message + will be shown in the remediation report. + These respective services will not be started in order to preserve any intentional change + in network components related to firewall and network interfaces. From 4e76d01001398948de8d1b085964bbb1ea68626c Mon Sep 17 00:00:00 2001 
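Review bot: The added warning text in the second hunk reads `services are running. Otherwise, the remediation will be aborted and a informative message`; the article should be `an informative message`. The same hunk rewrites ocil_clause to `'sshd service is not enabled in the proper firewalld zone'` while the unchanged `ocil` macro call right below it still passes `port="22"`; a later patch in this series documents that a customized SSH port is out of the remediation's scope, so a one-line comment next to the ocil call saying the OCIL text assumes the default port would keep the two statements consistent.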
From: Marcus Burghardt Date: Fri, 14 Oct 2022 09:02:08 +0200 Subject: [PATCH 02/14] Increase robustness of firewalld_sshd_port_enabled bash remediation The remediation was not capable to properly treat some special cases, like a system with multiple interfaces. It wasn't also capable to safely configure the correct interface since it was assuming the NetworkManager connection file was prefixed with the network interface name. In addition, it is not stable to manually change firewalld XML files while a proper command is present. This commit makes the remediation reliable and assertive by using firewall-cmd and nmcli commands. --- .../bash/shared.sh | 76 +++++++++---------- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh index a328bee5c8a..e1b4f0fbd20 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh 
@@ -5,49 +5,47 @@ # disruption = low
 {{{ bash_package_install("firewalld") }}}
-
+{{{ bash_package_install("NetworkManager") }}}
 {{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
-{{% if product in ['rhel9'] %}}
- {{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}}
-{{% else %}}
- {{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}}
-{{% endif %}}
+if firewall-cmd --state -q; then
+ # First make sure the SSH service is enabled in run-time for the proper zone.
+ # This is to avoid connection issues when new interfaces are addeded to this zone.
+ firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
-# This assumes that firewalld_sshd_zone is one of the pre-defined zones
-if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then
- cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
-fi
-if ! grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then
- sed -i '/<\/description>/a \
- ' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
-fi
+ if systemctl is-active NetworkManager; then
+ # This will collect all NetworkManager connections names
+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
-# Check if any eth interface is bounded to the zone with SSH service enabled
-nic_bound=false
-readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-for interface in "${eth_interface_list[@]}"; do
- if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then
- nic_bound=true
- break;
- fi
-done
-
-if [ $nic_bound = false ];then
- # Add first NIC to SSH enabled zone
- interface="${eth_interface_list[0]}"
-
- if ! 
firewall-cmd --state -q; then
- {{% if product in ['rhel9'] %}}
- {{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
- {{% else %}}
- {{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
- {{% endif %}}
+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+ # This will not change connections which are already assigned to any firewalld zone.
+ for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
+ fi
+ done
+ systemctl restart NetworkManager
 else
- # If firewalld service is running, we need to do this step with firewall-cmd
- # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone
- # of NetworkManager managed interfaces upon reload
- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}"
- firewall-cmd --reload
+ echo "
+ NetworkManager service is not active. Remediation aborted!
+ This remediation could not be applied because it depends on NetworkManager service running.
+ The service is not started by this remediation in order to prevent connection issues."
+ exit 1
 fi
+
+ # Active zones are zones with at least one interface assigned to it.
+ # It is possible that traffic is comming by any active interface and consequently any
+ # active zone. So, this make sure all active zones are permanently allowing SSH service.
+ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+ for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+ done
+ firewall-cmd --reload
+else
+ echo "
+ firewalld service is not active. Remediation aborted! 
+ This remediation could not be applied because it depends on firewalld service running.
+ The service is not started by this remediation in order to prevent connection issues."
+ exit 1
 fi
From a1fe2e8c34f8dbbaf573e6d6fa37b8e4fc63ad09 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 19 Oct 2022 13:19:46 +0200
Subject: [PATCH 03/14] Include warning message regarging custom SSH port
---
 .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
index 9b96faf222d..d49a2af1d02 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
@@ -48,3 +48,10 @@ warnings:
 will be shown in the remediation report.
 These respective services will not be started in order to preserve any intentional change
 in network components related to firewall and network interfaces.
+ - general: |-
+ This rule also checks if the SSH port was modified by the administrator and is reflecting
+ the expected port number. Although this is checked, fixing the custom ssh.xml file is not
+ in the scope of the remediation since there is no reliable way to manually change the
+ respective file. If the default SSH port is modified, it is on the administrator
+ responsibility to ensure the firewalld customizations in the service port level are
+ properly configured.
From b7c665bd163acb0595438223e4ebaa6a34e674a0 Mon Sep 17 00:00:00 2001 
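Review bot: `for connection in $nm_connections; do` and `for zone in $firewalld_active_zones; do` expand only element 0 of the arrays filled by `readarray -t`, so only the first NetworkManager connection and the first active zone are ever processed, which defeats the multi-interface handling this commit describes; use `for connection in "${nm_connections[@]}"; do` and `for zone in "${firewalld_active_zones[@]}"; do`. `if [ $current_zone = "--" ]; then` and `connection.zone $firewalld_sshd_zone` are unquoted, so an empty `current_zone` becomes a test syntax error rather than a decision and a zone name with whitespace would be word-split; quote both expansions. `firewall-cmd --get-active-zones` can also print `sources:` lines for zones activated by source address, and `grep -v interfaces` would pass those through as zone names, so filtering on lines that do not start with whitespace looks more robust (to be confirmed against the firewalld output format). The test scenarios added in patch 05, starting with customized_zone_configured.pass.sh, copy these loops verbatim and inherit the same defect.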
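Review bot: The new warning ends with `it is on the administrator responsibility to ensure the firewalld customizations`; `it is the administrator's responsibility` reads correctly. The warning also states that the rule checks whether a customized SSH port is reflected in firewalld, but nothing in this series shows that check, so either name where it lives (presumably the rule's OVAL, not visible here) or hedge the sentence so the warning does not promise more than the check delivers.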
From: Marcus Burghardt Date: Fri, 14 Oct 2022 15:03:33 +0200 Subject: [PATCH 04/14] Review test scenario scripts --- .../tests/no_nic_in_ssh_zone.fail.sh | 7 +------ .../firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh | 4 ---- .../tests/ssh_zone_and_nic_mismatch.fail.sh | 4 ---- .../tests/ssh_zone_nic_bounded.pass.sh | 3 --- 4 files changed, 1 insertion(+), 17 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh index 7ed0c21ed1e..21d7c0eafc4 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # packages = firewalld -# -# remediation = none - -# ensure firewalld installed # Make sure there is a zone with ssh service enabled firewall-cmd --permanent --zone=work --add-service=ssh @@ -11,8 +7,7 @@ firewall-cmd --permanent --zone=work --add-service=ssh all_zones=$(firewall-cmd --get-zones) eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') -# Make sure NICs are bounded to no zone -# Note: Interfaces managed by NetworkManager will be assigned to the default firewalld zone +# Make sure all NICs are not bounded to any zone for zone in $all_zones; do for interface in $eth_interfaces; do firewall-cmd --permanent --zone=$zone --remove-interface=$interface diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh index 78918c9fee5..41fb83d9489 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh 
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # packages = firewalld -# -# remediation = none - -# ensure firewalld installed all_zones=$(firewall-cmd --get-zones) for zone in $all_zones;do diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh index fed30230588..ab05492f74d 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # packages = firewalld -# -# remediation = none - -# ensure firewalld installed # Make sure there is only one zone with ssh service enabled all_zones=$(firewall-cmd --get-zones) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh index f426236466f..eabc38e7248 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh @@ -1,8 +1,5 @@ #!/bin/bash # packages = firewalld -# - -# ensure firewalld installed firewall-cmd --permanent --zone=public --add-service=ssh From 32a41b09b0b963e3fb681a5ea617e96383e2277c Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Wed, 19 Oct 2022 08:39:04 +0200 Subject: [PATCH 05/14] Reinvent the test scenarios for firewalld_sshd_port_enabled The test scenarios were aligned to the old remediation approach, making them also incomplete and incapable to catch real cases. Once the remediation was robust, test scenarios also need the same level of robustness in order to ensure the rules is as much realistic as possible. They are now covering cases with multiple interfaces and multiple active zones. It is also covered custom SSH port. --- .../tests/customized_zone_configured.pass.sh | 37 +++++++++++++++++ .../tests/customized_zone_without_ssh.fail.sh | 37 +++++++++++++++++ .../tests/new_zone_configured.pass.sh | 39 ++++++++++++++++++ .../tests/new_zone_without_ssh.fail.sh | 40 +++++++++++++++++++ .../tests/no_nic_in_ssh_zone.fail.sh | 18 --------- .../tests/no_ssh_zone.fail.sh | 10 ----- .../tests/only_nics_configured.fail.sh | 35 ++++++++++++++++ .../tests/only_zones_configured.fail.sh | 34 ++++++++++++++++ .../tests/ssh_port_enabled.pass.sh | 5 --- .../tests/ssh_zone_and_nic_mismatch.fail.sh | 25 ------------ .../tests/ssh_zone_nic_bounded.pass.sh | 8 ---- .../tests/zones_and_nics_configured.pass.sh | 34 ++++++++++++++++ .../zones_and_nics_ok_no_custom_files.pass.sh | 39 ++++++++++++++++++ .../zones_and_nics_ok_port_changed.pass.sh | 38 ++++++++++++++++++ 14 files changed, 333 insertions(+), 66 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh delete mode 100644 
linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh new file mode 100644 index 00000000000..9bfd1737dc8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh 
@@ -0,0 +1,37 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is
+# created in /etc/firewalld/zones.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+ firewall-cmd --permanent --zone="$zone" --add-service=http
+done
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
new file mode 100644
index 00000000000..f1d152c683e
--- /dev/null 
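Review bot: `nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2` keeps every device that has a connection, so on NetworkManager releases that also expose the loopback as a connection named `lo` (newer versions, to be confirmed on the test images) the loop would set `connection.zone` on it as well; selecting by device type, e.g. `nmcli --fields CONNECTION,TYPE device status` and skipping the loopback row, would make the scenario deterministic across images. `systemctl start firewalld NetworkManager` is not checked, so a failed start silently leaves the scenario in an undefined state; `systemctl start firewalld NetworkManager || exit 1` surfaces it. The same setup block is duplicated in the seven sibling scenarios of this commit, so any fix here applies to each of them.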
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+# It is to ensure a custom file is created in /etc/firewalld/zones.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+ firewall-cmd --permanent --zone="$zone" --add-service=http
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh new file mode 100644 index 00000000000..cb8849b3f9f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh 
@@ -0,0 +1,39 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Create a custom zone
+custom_zone_name="custom"
+firewall-cmd --new-zone=$custom_zone_name --permanent
+firewall-cmd --reload
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones "$custom_zone_name"; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
new file mode 100644
index 00000000000..5e0a6453df7
--- /dev/null 
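Review bot: The header declares `# variables = firewalld_sshd_zone=work` but the scenario assigns every unassigned connection to the newly created `custom` zone, and nothing in the file says that this mismatch is the point of the test; a comment near the top such as `# Connections are deliberately placed in a zone other than firewalld_sshd_zone to verify the check accepts any active zone that allows ssh` would stop a future reader from "fixing" it. `firewall-cmd --new-zone=$custom_zone_name --permanent` returns non-zero when the zone already exists and the result is not checked, which matters if an image is reused between scenarios; at least quote the expansion and fail loudly, `firewall-cmd --new-zone="$custom_zone_name" --permanent || exit 1`. The same two points apply to new_zone_without_ssh.fail.sh in the next section.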
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Create a custom zone
+custom_zone_name="custom"
+firewall-cmd --new-zone=$custom_zone_name --permanent
+firewall-cmd --reload
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=$custom_zone_name --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "$custom_zone_name"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones "$custom_zone_name"; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
deleted file mode 100644
index 21d7c0eafc4..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-# Make sure there is a zone with ssh service enabled
-firewall-cmd --permanent --zone=work --add-service=ssh
-
-all_zones=$(firewall-cmd --get-zones)
-eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-
-# Make sure all NICs are not bounded to any zone
-for zone in $all_zones; do
- for interface in $eth_interfaces; do
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
- done
-done
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
deleted file mode 100644
index 41fb83d9489..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-all_zones=$(firewall-cmd --get-zones)
-for zone in $all_zones;do
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
-done
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
new file mode 100644
index 00000000000..98525db2729
--- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
+done
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
new file mode 100644
index 00000000000..e14d6c959dc
--- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is already assigned to a firewalld zone, removes the assignment.
+# This will not change connections which are not assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone != "--" ]; then
+ nmcli connection modify "$connection" connection.zone ""
+ fi
+done
+systemctl restart NetworkManager
+
+readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)
+
+# Ensure all zones are permanently allowing SSH service.
+for zone in $firewalld_all_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+# It is not a problem to reload the settings since all interfaces without an explicit assgined zone
+# will be automatically assigned to the default zone.
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
deleted file mode 100644
index c9959c40937..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh
+++ /dev/null 
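Review bot: The scenario is a `.fail.sh` although, once it has run, every zone permanently allows ssh and every interface falls back to the default zone, and the file never states what the check is expected to reject; a header comment such as `# Expected to fail: the check requires each active interface to be explicitly assigned to a zone that allows ssh, even though the default zone allows it` would make the intent explicit rather than implied (the check itself is not in this series, so confirm the wording against it). `if [ $current_zone != "--" ]; then` is unquoted, so a connection whose zone column prints empty produces a `[: !=: unary operator expected` error instead of a decision; write it as `if [ "$current_zone" != "--" ]; then`. `readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)` reads a single space-separated line into one array element, which only works because the unquoted `$firewalld_all_zones` in the loop then word-splits it; either is worth a comment so the two are not "fixed" independently.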
@@ -1,5 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-firewall-cmd --add-port=22/tcp
-firewall-cmd --add-port=22/tcp --permanent
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
deleted file mode 100644
index ab05492f74d..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-# Make sure there is only one zone with ssh service enabled
-all_zones=$(firewall-cmd --get-zones)
-for zone in $all_zones;do
- firewall-cmd --permanent --zone=$zone --remove-service=ssh
-done
-firewall-cmd --permanent --zone=work --add-service=ssh
-
-all_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1)
-
-# Make sure NICs are bounded to no zone
-for zone in $all_zones; do
- for interface in $all_interfaces; do
- firewall-cmd --permanent --zone=$zone --remove-interface=$interface
- done
-done
-
-eth_interfaces=$(echo "$all_interfaces" | grep -E '^(en|eth)')
-# Add interface to wrong zone
-firewall-cmd --permanent --zone=trusted --add-interface=${eth_interfaces[0]}
-
-# Do not reload, otherwise SSG Test suite will be locked out
-# firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
deleted file mode 100644
index eabc38e7248..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh
+++ /dev/null 
@@ -1,8 +0,0 @@
-#!/bin/bash
-# packages = firewalld
-
-firewall-cmd --permanent --zone=public --add-service=ssh
-
-eth_interface=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
-
-firewall-cmd --permanent --zone=public --add-interface=${eth_interface[0]}
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh
new file mode 100644
index 00000000000..489fe6ae7e8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh 
@@ -0,0 +1,34 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
new file mode 100644
index 00000000000..c53fb99de78
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
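Review bot: `for connection in $nm_connections; do` and `for zone in $firewalld_active_zones; do` expand arrays filled by `readarray -t` without a subscript, which in bash yields only element 0 (then word-split), so only the first connection and the first active zone are processed; the scenario presumably passes on a single-NIC test VM but does not set up what its name claims on anything else. Write `for connection in "${nm_connections[@]}"; do` and `for zone in "${firewalld_active_zones[@]}"; do`, as patch 08 later does for bash/shared.sh. The same loops appear in zones_and_nics_ok_no_custom_files.pass.sh and zones_and_nics_ok_port_changed.pass.sh in this commit, and the patch 12 hunks that retarget the tests to UUIDs keep the unsubscripted form. `if [ $current_zone = "--" ]; then` should also quote `"$current_zone"` so an empty nmcli result is a false rather than a test-syntax error.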
@@ -0,0 +1,39 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+# The work zone, used in this test scenario, allows ssh by default. Therefore, it is not expected
+# the previous command will create a respective file in /etc. However, it makes sure the /etc dir
+# is empty anyways.
+rm -f /etc/firewalld/zones/*
+
+firewall-cmd --reload
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh new file mode 100644 index 00000000000..46c4ed5f4d7 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+# packages = firewalld, NetworkManager
+# variables = firewalld_sshd_zone=work, sshd_listening_port=2222
+
+# Ensure the required services are started.
+systemctl start firewalld NetworkManager
+
+# Ensure the SSH service is enabled in run-time for the proper zone.
+# This is to avoid connection issues when new interfaces are addeded to this zone.
+firewall-cmd --zone=work --add-service=ssh
+
+# Collect all NetworkManager connections names.
+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+
+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
+# This will not change connections which are already assigned to any firewalld zone.
+for connection in $nm_connections; do
+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
+ if [ $current_zone = "--" ]; then
+ nmcli connection modify "$connection" connection.zone "work"
+ fi
+done
+systemctl restart NetworkManager
+
+# Active zones are zones with at least one interface assigned to it.
+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
+
+# It is possible that traffic is comming by any active interface and consequently any
+# active zone. So, this make sure all active zones are permanently allowing SSH service.
+for zone in $firewalld_active_zones; do
+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
+done
+
+cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
+sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml
+
+# Do not reload, otherwise SSG Test suite will be locked out.
+#firewall-cmd --reload
From db26bb5efb0746c165e17294a7cde9c7e712cd85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt Date: Thu, 13 Oct 2022 11:51:05 +0200 Subject: [PATCH 06/14] Recreated OVAL assessment for firewalld_sshd_port_enabled There are some corner cases involving possible realistic scenarios with firewalld and NetworkManager. Based on the remediation refactoring, the OVAL assessment was also reformulated to be more simple and much more reliable. It is now checking firewalld packaged files and also custom files respecting the proper order in case of custom files. --- .../oval/shared.xml | 312 ++++++++++++------ 1 file changed, 206 insertions(+), 106 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml index e944f938a59..e4c03c9aa4d 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml 
@@ -1,109 +1,209 @@ - - {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to - the SSH port (22).") }}} - - - - - - - - - - - - - - - - /etc/firewalld/services - ^.*\.xml$ - /service/service[@name='ssh'] - - - - - - - - /etc/firewalld/services - ^.*\.xml$ - <port.*port="(\d+)" - 1 - - - - - - - /etc/firewalld/zones - ^.*\.xml$ - /zone/service[@name='ssh'] - - - - - - - - /etc/firewalld/zones - ^.*\.xml$ - <port.*port="(\d+)" - 1 - - - - - - - - - - - - - - - /etc/firewalld/zones - - /zone/service[@name='ssh'] - - - - - - - .xml - - -{{% if product in ["fedora", "rhel9"] %}} - - /etc/NetworkManager/system-connections - .*\.nmconnection - ^zone=(.*)$ - 1 - -{{% else %}} - - /etc/sysconfig/network-scripts - ifcfg-.* - ^ZONE=(.*)$ - 1 - -{{% endif %}} - - - - - - + + {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to + the SSH service.") }}} + + + + + + + + + + + + + + + + + + + + + + + var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count + + + + + + + + + + {{% if product in ["fedora", "rhel9"] %}} + /etc/NetworkManager/system-connections + .*\.nmconnection + ^zone=(.*)$ + {{% else %}} + /etc/sysconfig/network-scripts + ifcfg-.* + ^ZONE=(.*)$ + {{% endif %}} + 1 + + + + + + + + + + + + + + + {{% if product in ["fedora", "rhel9"] %}} + /etc/NetworkManager/system-connections + .*\.nmconnection + {{% else %}} + /etc/sysconfig/network-scripts + ifcfg-.* + {{% endif %}} + + + + + + + + + + /usr/lib/firewalld/zones + + /zone/service[@name='ssh'] + + + + + + + + + + /etc/firewalld/zones + + + + + + ^(dmz|external|home|internal|public|trusted|work)\.xml$ + + + + + + + + + + /etc/firewalld/zones + ^.*\.xml$ + /zone/service[@name='ssh'] + + + + /zone/service[@name='ssh'] + + + + + + + + + + /usr/lib/firewalld/services/ssh.xml + /service/port[@port='22'] + + + + + + + + + + /etc/firewalld/services/ssh.xml + <port.*port="(\d+)" + 1 + + + + + + + 
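Review bot: The regex `^(dmz|external|home|internal|public|trusted|work)\.xml$` applied under /etc/firewalld/zones hard-codes the packaged zone names; if its purpose is to tell administrator overrides of packaged zones apart from administrator-created zones, the `block` and `drop` zones that firewalld also ships are missing from the list, so an override of either would presumably fall into the custom-zone branch. A short comment next to that pattern stating which zones it is meant to cover, and why `block`/`drop` are excluded if that is deliberate, would make the intent checkable; the new_zone_configured.pass.sh scenario exercises custom zones but not overrides of those two. The custom /etc/firewalld/services/ssh.xml check uses the text regex `<port.*port="(\d+)"` while the packaged file is checked by XPath `/service/port[@port='22']`; a port range written as `port="2222-2230"` would not match `\d+`, which is worth documenting if that case is accepted as out of scope.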
From 84755e320f3f8fd73151c7d8e15370a1825b080d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 19 Oct 2022 18:36:24 +0200 Subject: [PATCH 07/14] Introduce new Ansible remediation The previous remediation, besides being misaligned with the previous Bash remediation, was also problematic. It was completely rewritten in this commit in order to be aligned with the Bash remediation. This Ansible remediation was also enabled for all platforms, including RHEL9. --- .../ansible/shared.yml | 97 +++++++++++++++---- 1 file changed, 79 insertions(+), 18 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml index 2553a4d2e57..fa7830761df 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml 
@@ -1,28 +1,89 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_all # reboot = false # complexity = low # strategy = configure # disruption = low -- name: Ensure firewalld is installed - package: +{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}} + +- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed' + ansible.builtin.package: name: "{{ item }}" state: present with_items: - firewalld + - NetworkManager + +- name: '{{{ rule_title }}} - Collect facts about system services' + ansible.builtin.service_facts: + register: result_services_states + +- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running' + block: + - name: '{{{ rule_title }}} - Collect NetworkManager connections names' + ansible.builtin.shell: + cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 + register: result_nmcli_cmd_connections_names + changed_when: false + + - name: '{{{ rule_title }}} - Collect NetworkManager connections zones' + ansible.builtin.shell: + cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}' + register: result_nmcli_cmd_connections_zones + changed_when: false + with_items: + - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" + + - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' + ansible.builtin.command: + cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} + register: result_nmcli_cmd_connections_assignment + with_together: + - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" + - "{{ result_nmcli_cmd_connections_zones.results }}" + when: + - item.1.stdout == '--' + + - name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied' + ansible.builtin.service: + name: NetworkManager + state: 
restarted + when: + - result_nmcli_cmd_connections_assignment is changed + + - name: '{{{ rule_title }}} - Collect firewalld active zones' + ansible.builtin.shell: + cmd: firewall-cmd --get-active-zones | grep -v interfaces + register: result_firewall_cmd_zones_names + changed_when: false + + - name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH' + ansible.builtin.command: + cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh + register: result_nmcli_cmd_connections_assignment + changed_when: + - "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr" + with_items: + - "{{ result_firewall_cmd_zones_names.stdout_lines }}" + + - name: '{{{ rule_title }}} - Ensure firewalld changes are applied' + ansible.builtin.service: + name: firewalld + state: reloaded + when: + - result_nmcli_cmd_connections_assignment is changed + when: + - ansible_facts.services['firewalld.service'].state == 'running' + - ansible_facts.services['NetworkManager.service'].state == 'running' -{{{ ansible_instantiate_variables("sshd_listening_port") }}} - -- name: Enable SSHD in firewalld (custom port) - firewalld: - port: "{{ sshd_listening_port }}/tcp" - permanent: yes - state: enabled - when: sshd_listening_port != 22 - -- name: Enable SSHD in firewalld (default port) - firewalld: - service: ssh - permanent: yes - state: enabled - when: sshd_listening_port == 22 +- name: '{{{ rule_title }}} - Informative message based on services states' + ansible.builtin.assert: + that: + - ansible_facts.services['firewalld.service'].state == 'running' + - ansible_facts.services['NetworkManager.service'].state == 'running' + fail_msg: + - firewalld and NetworkManager services are not active. Remediation aborted! + - This remediation could not be applied because it depends on firewalld and NetworkManager services running. + - The service is not started by this remediation in order to prevent connection issues. 
+ success_msg: + - {{{ rule_title }}} remediation successfully executed From d4f81e27994e17049f448d8410b4a8cfb5a9bdd2 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 20 Oct 2022 08:37:03 +0200 Subject: [PATCH 08/14] Fix loop over array in bash remediation --- .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh index e1b4f0fbd20..afb89b7005a 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh @@ -19,7 +19,7 @@ if firewall-cmd --state -q; then # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. - for connection in $nm_connections; do + for connection in "${nm_connections[@]}"; do current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') if [ $current_zone = "--" ]; then nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone @@ -38,7 +38,7 @@ if firewall-cmd --state -q; then # It is possible that traffic is comming by any active interface and consequently any # active zone. So, this make sure all active zones are permanently allowing SSH service. readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) - for zone in $firewalld_active_zones; do + for zone in "${firewalld_active_zones[@]}"; do firewall-cmd --permanent --zone="$zone" --add-service=ssh done firewall-cmd --reload From 403c44d66e06d5463758ba70abdca967a4173f69 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Thu, 20 Oct 2022 10:49:20 +0200 Subject: [PATCH 09/14] Trim nmcli connection names output The output from nmcli command was including leading spaces in the connection names. This was causing the the subsequent nmcli command to fail resulting in connections without a firewalld zone defined. --- .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 4 ++-- .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml index fa7830761df..6098155469c 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml @@ -22,7 +22,7 @@ block: - name: '{{{ rule_title }}} - Collect NetworkManager connections names' ansible.builtin.shell: - cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 + cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g' register: result_nmcli_cmd_connections_names changed_when: false @@ -36,7 +36,7 @@ - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' ansible.builtin.command: - cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} + cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }} register: result_nmcli_cmd_connections_assignment with_together: - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh index afb89b7005a..25e54f09477 100644 
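Review bot: `sed 's/ *$//g'` strips trailing spaces, which is what nmcli's padded CONNECTION column produces, while the commit message speaks of leading spaces; either way the names are still passed unquoted in `cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}`, so a connection name containing a space (NetworkManager's default names look like `Wired connection 1`) is split into several arguments by the command module. Quote the template, `cmd: nmcli connection modify '{{ item.0 }}' connection.zone '{{ firewalld_sshd_zone }}'`, or avoid the padding at the source with nmcli's terse mode (`nmcli -t -f CONNECTION device status`), which prints no header and no column padding so `tail` and `sed` become unnecessary (check how unconnected devices are rendered in that mode before keeping the `--` filter). The bash counterpart in this commit (the `@@ -15,7 +15,7 @@` hunk of bash/shared.sh) applies the same trim; its loop already quotes `"$connection"`, so only the Ansible task needs the quoting. Patch 13 touches this task again; if that change passes a different identifier, the quoting advice applies to whatever is interpolated.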
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh @@ -15,7 +15,7 @@ if firewall-cmd --state -q; then if systemctl is-active NetworkManager; then # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) + readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. From df8cd2df8661a3fe9fb7d5b5b493a93e1f977654 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 20 Oct 2022 11:03:56 +0200 Subject: [PATCH 10/14] Simplify the Bash remediation in alignment to Ansible --- .../bash/shared.sh | 37 +++++++------------ 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh index 25e54f09477..f883e614846 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh 
@@ -8,31 +8,22 @@ {{{ bash_package_install("NetworkManager") }}} {{{ bash_instantiate_variables("firewalld_sshd_zone") }}} -if firewall-cmd --state -q; then +if systemctl is-active NetworkManager && systemctl is-active firewalld; then # First make sure the SSH service is enabled in run-time for the proper zone. # This is to avoid connection issues when new interfaces are addeded to this zone. firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - if systemctl is-active NetworkManager; then - # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - for connection in "${nm_connections[@]}"; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone - fi - done - systemctl restart NetworkManager - else - echo " - NetworkManager service is not active. Remediation aborted! - This remediation could not be applied because it depends on NetworkManager service running. - The service is not started by this remediation in order to prevent connection issues." - exit 1 - fi + # This will collect all NetworkManager connections names + readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. 
+ for connection in "${nm_connections[@]}"; do + current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') + if [ $current_zone = "--" ]; then + nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone + fi + done + systemctl restart NetworkManager # Active zones are zones with at least one interface assigned to it. # It is possible that traffic is comming by any active interface and consequently any @@ -44,8 +35,8 @@ if firewall-cmd --state -q; then firewall-cmd --reload else echo " - firewalld service is not active. Remediation aborted! - This remediation could not be applied because it depends on firewalld service running. + firewalld and NetworkManager services are not active. Remediation aborted! + This remediation could not be applied because it depends on firewalld and NetworkManager services running. The service is not started by this remediation in order to prevent connection issues." exit 1 fi From 8642f416a9cdeb5f0bc06f44d17f845afe089ce6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 20 Oct 2022 11:07:31 +0200 Subject: [PATCH 11/14] Improve wording on warning about custom ssh.xml --- .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml index d49a2af1d02..7446a62379d 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml 
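Review bot: `if systemctl is-active NetworkManager && systemctl is-active firewalld; then` prints `active`/`inactive` to the remediation's stdout for each call, whereas the line it replaces, `firewall-cmd --state -q`, kept the check silent; use `if systemctl is-active --quiet NetworkManager && systemctl is-active --quiet firewalld; then`. Because the two checks are joined by `&&`, the `else` message `firewalld and NetworkManager services are not active. Remediation aborted!` is also printed when only one of them is down, which misdirects whoever reads the remediation report; `At least one of the firewalld and NetworkManager services is not active.` would be accurate. The `if` opened in the `@@ -8,31 +8,22 @@` hunk is closed by the `fi` in the `@@ -44,8 +35,8 @@` hunk, with the zone loop between them outside both.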
@@ -49,9 +49,10 @@ warnings: These respective services will not be started in order to preserve any intentional change in network components related to firewall and network interfaces. - general: |- - This rule also checks if the SSH port was modified by the administrator and is reflecting - the expected port number. Although this is checked, fixing the custom ssh.xml file is not - in the scope of the remediation since there is no reliable way to manually change the - respective file. If the default SSH port is modified, it is on the administrator + This rule also checks if the SSH port was modified by the administrator in the firewalld + services definitions and is reflecting the expected port number. Although this is checked, + fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it + is not in the scope of the remediation since there is no reliable way to manually change + the respective file. If the default SSH port is modified, it is on the administrator responsibility to ensure the firewalld customizations in the service port level are properly configured. From ab738103ab2c376dea88dcd797187adfbb07053f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 20 Oct 2022 14:25:42 +0200 Subject: [PATCH 12/14] Optimize test scenarios Some conditions were removed from test scenarios in order to make them more resilient to test environment peculiarities. --- .../tests/customized_zone_configured.pass.sh | 4 ++-- .../tests/customized_zone_without_ssh.fail.sh | 4 ++-- .../tests/new_zone_configured.pass.sh | 7 ++----- .../tests/new_zone_without_ssh.fail.sh | 7 ++----- .../tests/only_nics_configured.fail.sh | 2 +- .../tests/only_zones_configured.fail.sh | 7 ++----- .../tests/zones_and_nics_configured.pass.sh | 2 +- .../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +- .../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +- 9 files changed, 14 insertions(+), 23 deletions(-) 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh index 9bfd1737dc8..87e6871afb1 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. @@ -30,8 +30,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - # Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is # created in /etc/firewalld/zones. for zone in $firewalld_active_zones; do - firewall-cmd --permanent --zone="$zone" --add-service=ssh firewall-cmd --permanent --zone="$zone" --add-service=http + firewall-cmd --permanent --zone="$zone" --add-service=ssh done firewall-cmd --reload diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh index f1d152c683e..383907d2cb7 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh 
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. @@ -29,8 +29,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - # active zone. So, this make sure all active zones are permanently allowing SSH service. # It is to ensure a custom file is created in /etc/firewalld/zones. for zone in $firewalld_active_zones; do - firewall-cmd --permanent --zone="$zone" --remove-service=ssh firewall-cmd --permanent --zone="$zone" --add-service=http + firewall-cmd --permanent --zone="$zone" --remove-service=ssh done # Do not reload, otherwise SSG Test suite will be locked out. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh index cb8849b3f9f..9993e53788c 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh 
@@ -15,15 +15,12 @@ firewall-cmd --reload firewall-cmd --zone=$custom_zone_name --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. for connection in $nm_connections; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone "$custom_zone_name" - fi + nmcli connection modify "$connection" connection.zone "$custom_zone_name" done systemctl restart NetworkManager diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh index 5e0a6453df7..1301679b344 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh 
@@ -15,15 +15,12 @@ firewall-cmd --reload firewall-cmd --zone=$custom_zone_name --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. for connection in $nm_connections; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone "$custom_zone_name" - fi + nmcli connection modify "$connection" connection.zone "$custom_zone_name" done systemctl restart NetworkManager diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh index 98525db2729..6552f3f4214 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh index e14d6c959dc..72fc492e5bf 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh @@ -10,15 +10,12 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) +readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') # If the connection is already assigned to a firewalld zone, removes the assignment. # This will not change connections which are not assigned to any firewalld zone. for connection in $nm_connections; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone != "--" ]; then - nmcli connection modify "$connection" connection.zone "" - fi + nmcli connection modify "$connection" connection.zone "" done systemctl restart NetworkManager diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh index 489fe6ae7e8..02c627e5d00 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh 
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
 firewall-cmd --zone=work --add-service=ssh
 # Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
 # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
 # This will not change connections which are already assigned to any firewalld zone.
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
index c53fb99de78..9b3aa7d203f 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
 firewall-cmd --zone=work --add-service=ssh
 # Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
 # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
 # This will not change connections which are already assigned to any firewalld zone.
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
index 46c4ed5f4d7..3e27a0647b0 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager
 firewall-cmd --zone=work --add-service=ssh
 # Collect all NetworkManager connections names.
-readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
 # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
 # This will not change connections which are already assigned to any firewalld zone.
From a2a49e9e8330c12b73e1c3873974bcb9a41691d4 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 24 Oct 2022 17:04:41 +0200
Subject: [PATCH 13/14] Remediation applicable to all NetworkManager connections
The remediation was initially consirering to set a firewalld zone only to active NetworkManager connections. However, it is possible that a system has more valid connection which are simply not in use at the moment. These inactive connections can be used at some point and if this happen, they will also be compliant with an explicit firewalld zone assigned to them. This way it is indeeded ensured all connections have a firewalld zone assigned.
---
 .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +-
 .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
index 6098155469c..7b0bda3f10c 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -22,7 +22,7 @@ block:
 - name: '{{{ rule_title }}} - Collect NetworkManager connections names'
 ansible.builtin.shell:
- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g'
+ cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
 register: result_nmcli_cmd_connections_names
 changed_when: false
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
index f883e614846..76822bf01d8 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
@@ -14,7 +14,7 @@ if systemctl is-active NetworkManager && systemctl is-active firewalld; then
 firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
 # This will collect all NetworkManager connections names
- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g')
+ readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
 # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
 # This will not change connections which are already assigned to any firewalld zone.
 for connection in "${nm_connections[@]}"; do
From 657c1cc0331b97ee37e7a2d44e50fab668c33ce1 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 25 Oct 2022 15:40:15 +0200
Subject: [PATCH 14/14] Improve regex to detect ifcfg files
On RHEL7 and probably other distros which rely on ifcfg files by default, there is a ifcfg file for the loopback interface, which is out of the scope in this rule and should be ignored. This commit also improved the wording in a OVAL comment to make it more clear.
---
 .../oval/shared.xml | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml index e4c03c9aa4d..4adef2e53f5 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml @@ -59,7 +59,7 @@ ^zone=(.*)$ {{% else %}} /etc/sysconfig/network-scripts - ifcfg-.* + ^ifcfg-(?!lo).* ^ZONE=(.*)$ {{% endif %}} 1 @@ -88,7 +88,7 @@ .*\.nmconnection {{% else %}} /etc/sysconfig/network-scripts - ifcfg-.* + ^ifcfg-(?!lo).* {{% endif %}} @@ -164,12 +164,14 @@ - + directory with a file with the same name. So, its necessary to ensure the file delivered + by the package, in the /usr/lib/firewalld/services directory, was not changed. However, + if the file is changed, there is necessary to ensure there is a customized service + properly configured by the administrator. --> @@ -182,9 +184,9 @@ /service/port[@port='22'] - +
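Review bot: `^ifcfg-(?!lo).*` excludes every file whose name begins with `ifcfg-lo`, not only the loopback file, so an `ifcfg-` file for any interface whose name starts with `lo` (or a stray `ifcfg-local`) would silently drop out of the check; anchoring the exclusion as `^ifcfg-(?!lo$).*` limits it to exactly `ifcfg-lo`. The same pattern is changed a second time in the `@@ -88,7 +88,7 @@` hunk of this file and should be kept identical in both places. The XML elements around these patterns are not visible in this view, so which object they belong to is inferred.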
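Review bot: The new comment lines in the `@@ -164,12 +164,14 @@` hunk still read awkwardly: `its necessary to ensure the file delivered` should be `it is necessary to ensure the file delivered`, and `there is necessary to ensure there is a customized service` should be `it is necessary to ensure there is a customized service`. Since the commit message says this change is meant to make that comment clearer, these two fixes belong in the same hunk. The markup enclosing the comment is not visible in this view.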