Skip to content

Drop firewalld default zone and sshd port fixes #2328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 18, 2017
Merged

Drop firewalld default zone and sshd port fixes #2328

merged 1 commit into from
Sep 18, 2017

Conversation

yuumasato
Copy link
Member

@yuumasato yuumasato commented Sep 14, 2017
edited
Loading

The proper fix for #2202 is to have a remediation for firewalld_sshd_port_enabled which set ups a firewalld zone with SSH and an interface assigned to it.

But providing a good fix for firewalld_sshd_port_enabled can be very complicated
and will very likely not fit to everyone's use case. And because of that
we will drop remediation for set_firewalld_default_zone, which is causing the
remediated machine to lock down and refuse all connections.

Existent test cases for 'firewalld_sshd_port_enabled' are kept because they are still useful to test the OVAL definition.

@yuumasato
Drop firewalld default zone and sshd port fixes
8098e6e 
Providing a fix for 'firewalld_sshd_port_enabled' can be very complicated
and will very likely not fit to everyone's use case. And because of that
we drop remediation for 'set_firewalld_sshd_port', which is causing the
remediated machine to refuse all connections.
@yuumasato yuumasato added this to the 0.1.36 milestone Sep 14, 2017
@mpreisler
Copy link
Member

@openscap-ci test this please

1 similar comment
@yuumasato
Copy link
Member Author

@openscap-ci test this please

@mpreisler
Copy link
Member

I would prefer to comment these because otherwise somebody will re-add them. It's also not good to lose arguably good fixes.

@yuumasato
Copy link
Member Author

I'm afraid that empty remediation might cause bad user experience.
I guess it will be picked up by --remediate, executed, and marked as fixed, because no errors happened. And then it will still fail evaluation as nothing was done.

@mpreisler mpreisler self-assigned this Sep 18, 2017
@mpreisler
Copy link
Member

Crap, didn't realize that. OK then.

ACK

@mpreisler mpreisler merged commit 8c1cf28 into ComplianceAsCode:master Sep 18, 2017
@mpreisler mpreisler added the bugfix Fixes to reported bugs. label Sep 18, 2017
@yuumasato
Copy link
Member Author

Maybe we need to introduce some kind of sample/example remediation system, this remediation would be present in source code but not used by build system during build.
That would be a way for these sample/example remediations (that are "not good for everyone") be in the source code but not used by build system.
These example/sample remediations can serve as evidence that these are not easy, and should not be added by default, and still serve as starting point by content writers.

Would other remediations benefit from this sample/example remediation mechanism?

@yuumasato yuumasato deleted the drop_remediation_set_firewalld_default_zone branch September 18, 2017 15:08
@yuumasato yuumasato mentioned this pull request Dec 18, 2017
Merged
@yuumasato yuumasato mentioned this pull request Jan 5, 2018
Closed
@yuumasato yuumasato mentioned this pull request Aug 31, 2018
Closed
@yuumasato yuumasato mentioned this pull request Mar 4, 2019
Closed
@matejak matejak mentioned this pull request Apr 18, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bugfix Fixes to reported bugs.
Projects
None yet
Milestone
0.1.36
Development

Successfully merging this pull request may close these issues.

SSG does not open port 22
2 participants
@yuumasato @mpreisler