SLE15 add implementation of nftables_rules_permanent rule #10201
Description:

The nftables_rules_permanent rule is based on the CIS requirement 3.5.2.10.

Rationale:

There are some internal decisions made for the rule based on the facts that:

- The requirement assumes the system firewall is managed explicitly by the nftables package and the relevant kernel modules, i.e. no firewalld, no iptables installed.
- The SLE 15 nftables package comes with the following configuration files:
  - /etc/nftables/arp-filter
  - /etc/nftables/bridge-filter
  - /etc/nftables/inet-filter
  - /etc/nftables/ipv4-filter
  - /etc/nftables/ipv4-mangle
  - /etc/nftables/ipv4-nat
  - /etc/nftables/ipv4-raw
  - /etc/nftables/ipv6-filter
  - /etc/nftables/ipv6-mangle
  - /etc/nftables/ipv6-nat
  - /etc/nftables/ipv6-raw

  where bridge, arp and inet (ipv4+ipv6) should cover the L2+L3 layers of the IP stack, which are mainly addressed in other nftables requirements.

Review Hints:

The design of the OVAL checks and the Ansible and Bash remediation was made in a way that the rule will check that there is a top-level configuration file, as described by the requirement, /etc/sysconfig/nftables, which will include the per-protocol-family configuration files that come with the native package.
The contents of the actual configuration, as far as I understand the requirement, should be left to the customer site policy.
The main idea of the rule, as I tried to follow it, was to make sure that there exists a configuration which is to be applied on boot.
All of the changes made were SLE15 specific, since I based my logic on how the native nftables package for SUSE SLE15 looks.
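The check-and-remediate design described in the PR body above (a top-level /etc/sysconfig/nftables that includes the per-family files shipped by the package, with the rule contents themselves left to site policy), written out as an added shell example. This is not the PR's own bash/sle15.sh or OVAL content. Assumptions not taken from the page: the function names, the optional ROOT prefix (so the example can run against a scratch directory instead of a live system), the restriction to the arp, bridge and inet families named in the discussion, and the extra requirement that every included file actually exists.

```shell
#!/bin/sh
# Added example (not the PR's bash/sle15.sh or OVAL): a check and a remediation
# for the "top-level file includes the per-family files" design described in
# the PR body. Assumptions not taken from the page: the function names, the
# optional ROOT prefix (lets the example run against a scratch directory), and
# the restriction to the arp, bridge and inet families named in the discussion.

NFT_TOP_LEVEL="/etc/sysconfig/nftables"
NFT_FAMILIES="arp bridge inet"

# Regex for an active nft include of $1. A commented-out "#include" line must
# not count, since nft would never load that file at boot.
nft_include_regex() {
    printf '^[[:space:]]*include[[:space:]]+"%s"' "$1"
}

# check_nftables_permanent [TOP_LEVEL] [ROOT]
# Returns 0 when TOP_LEVEL exists, includes /etc/nftables/<family>-filter for
# every family in NFT_FAMILIES, and every included file exists (a dangling
# include makes `nft -f` fail, so the rules would not be applied on boot).
check_nftables_permanent() {
    top="${1:-$NFT_TOP_LEVEL}"
    root="${2:-}"
    if [ ! -f "$root$top" ]; then
        echo "FAIL: top-level config $top is missing"
        return 1
    fi
    for fam in $NFT_FAMILIES; do
        inc="/etc/nftables/${fam}-filter"
        if ! grep -Eq "$(nft_include_regex "$inc")" "$root$top"; then
            echo "FAIL: $top does not include $inc"
            return 1
        fi
        if [ ! -f "$root$inc" ]; then
            echo "FAIL: included file $inc does not exist"
            return 1
        fi
    done
    echo "PASS: $top includes the filter files for: $NFT_FAMILIES"
    return 0
}

# remediate_nftables_permanent [TOP_LEVEL] [ROOT]
# Appends only the missing include lines; idempotent, and it never touches the
# per-family files, whose contents stay with the site policy.
remediate_nftables_permanent() {
    top="${1:-$NFT_TOP_LEVEL}"
    root="${2:-}"
    mkdir -p "$(dirname "$root$top")"
    [ -f "$root$top" ] || : > "$root$top"
    for fam in $NFT_FAMILIES; do
        inc="/etc/nftables/${fam}-filter"
        if ! grep -Eq "$(nft_include_regex "$inc")" "$root$top"; then
            printf 'include "%s"\n' "$inc" >> "$root$top"
        fi
    done
}

# Count the active (non-commented) include lines in file $1.
count_includes() {
    grep -Ec '^[[:space:]]*include[[:space:]]+"' "$1"
}

# Live use on SLE 15 (as root):
#   check_nftables_permanent || remediate_nftables_permanent
#   nft -c -f /etc/sysconfig/nftables   # parse-check before relying on it at boot
```

The remediation deliberately appends rather than rewrites the top-level file, so an administrator's existing includes survive; the check rejects a commented-out include and a dangling include, both of which would leave the system without an applied ruleset after reboot even though the file "mentions" the right paths.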
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/ansible/sle15.yml
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/bash/sle15.sh
...etwork/network-nftables/nftables_rules_permanent/tests/invalid_top_level_config_file.fail.sh
Thanks to @jan-cerny for the feedback
...etwork/network-nftables/nftables_rules_permanent/tests/invalid_top_level_config_file.fail.sh
LGTM
Thanks
@ComplianceAsCode/suse-maintainers PTAL
@marcusburghardt Can you take a look if it can be merged instead of SUSE?
or also @Mab879 |
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/ansible/sle15.yml
The rule is complete, but there are some opportunities to improve the readability.
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/oval/sle15.xml
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/rule.yml
…permanent/rule.yml Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
Use cleaner approach when looping through bridge, arp and inet protocol families for file definitions. Thanks to @marcusburghardt for the hint 🙇
Only a small detail is pending. The jinja2 variable declaration can be removed in Ansible now.
linux_os/guide/system/network/network-nftables/nftables_rules_permanent/ansible/sle15.yml
…permanent/ansible/sle15.yml Unnecessary variable
LGTM now. Thanks
Code Climate has analyzed commit 1467145 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4%.
Overriding CODEOWNERS since a SUSE approver is not currently available.
9a62e1e into ComplianceAsCode:master