
SLES-15-010220 updates for firewalld #6831

Merged
merged 2 commits into from Apr 20, 2021

Conversation

brett060102 (Contributor)

SuSEfirewall2 was retired in SLE-12 in favor of firewalld.
So, we need to remove SuSEfirewall2 references from SL15
and fix up the SLES-15-010220 rule. This includes changing SLES-15-010370
to SLES-15-010220. SLES-15-010370 was specific to the firewall panic switch.

Description:

  • Fix SLES-15-010220
    We found out about SuSEfirewall2 to firewalld change after initial SLE15 work.

Rationale:

SuSEfirewall2 was retired in SLE-12 in favor of firewalld.
So, we need to remove SuSEfirewall2 references from SL15
and fix up the SLES-15-010220 rule. This includes changing SLES-15-010370
to SLES-15-010220. SLES-15-010370 was specific to the firewall panic switch
enablement.
@openshift-ci-robot (Collaborator)

Hi @brett060102. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 13, 2021
@openscap-ci (Collaborator) commented Apr 13, 2021

Changes identified:
Profiles:
 cis on sle15
 stig on sle15

Profile cis on sle15:
 Rule kernel_module_dccp_disabled removed from cis profile.
Profile stig on sle15:
 Rule package_firewalld_installed added to stig profile.
 Rule service_SuSEfirewall2_enabled, package_SuSEfirewall2_installed, kernel_module_dccp_disabled, susefirewall2_only_required_services removed from stig profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml cis
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml stig

@brett060102 (Contributor Author)

@abergmann Can you please review this?

@ggbecker ggbecker self-assigned this Apr 14, 2021
@brett060102 (Contributor Author) left a comment

@ggbecker should be good now.

sle15/profiles/stig.profile (review thread, resolved)

    cis@rhel8: 3.4.1.1
    stigid@sle15: SLES-15-010220
Member

The same STIG id is assigned to service_firewalld_enabled. That's not ideal and we already requested DISA to split these for RHEL8. That's probably not going to be reflected to the SLE STIGs. Having a duplicate means your STIG results will map to only one of these if you import results into STIG Viewer for example. On the other hand, for openscap html reports, there will be no negative impact.
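The duplicate-mapping problem described in the comment above can be caught before a PR lands by scanning the rule `references` blocks for STIG ids shared by more than one rule. The script below is an added example, not part of the PR or of the ComplianceAsCode project; the rule excerpts in it are constructed, and `SLES-15-PLACEHOLDER` is a made-up id, not a real STIG identifier.

```python
import re
from collections import defaultdict

# Constructed rule.yml excerpts (not copied from the repository). In the real
# content tree each rule's references block sits in <rule_dir>/rule.yml.
CONSTRUCTED_RULES = {
    "package_firewalld_installed": """
title: 'Install firewalld Package'
references:
    cis@rhel8: 3.4.1.1
    stigid@sle15: SLES-15-010220
""",
    "service_firewalld_enabled": """
title: 'Verify firewalld Enabled'
references:
    stigid@sle15: SLES-15-010220
""",
    "kernel_module_dccp_disabled": """
title: 'Disable DCCP Support'
references:
    stigid@sle15: SLES-15-PLACEHOLDER
""",
}

# One "key: value" line inside an indented references block.
REF_LINE = re.compile(r"^\s+(?P<key>[\w@-]+):\s*(?P<value>\S+)\s*$")

def reference_ids(rule_text, key):
    """Return the ids listed under `key` (e.g. 'stigid@sle15') in a rule's references block."""
    in_refs, values = False, []
    for line in rule_text.splitlines():
        if line.startswith("references:"):
            in_refs = True
            continue
        if in_refs and line and not line[0].isspace():
            in_refs = False            # a non-indented line ends the references block
        if in_refs:
            m = REF_LINE.match(line)
            if m and m.group("key") == key:
                # multiple ids on one line are comma-separated
                values.extend(v.strip() for v in m.group("value").split(","))
    return values

def duplicate_stig_ids(rules, key="stigid@sle15"):
    """Map each STIG id claimed by more than one rule to the sorted names of those rules."""
    owners = defaultdict(set)
    for name, text in rules.items():
        for sid in reference_ids(text, key):
            owners[sid].add(name)
    return {sid: sorted(names) for sid, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for sid, names in duplicate_stig_ids(CONSTRUCTED_RULES).items():
        print(f"{sid} is mapped by {len(names)} rules: {', '.join(names)}")
```

Any id reported here will collapse to a single finding in tools that key on STIG id (the STIG Viewer import mentioned above), so a hit is worth an explicit acknowledgement in review.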

Member

I'm not opposed to merging this, I just want to have your acknowledgement.

Contributor Author

Acknowledged and agreed. Not quite sure what else to do given our STIGs. It is better than what we have in SLE-12, where we have three rules attached to the same STIG.

Contributor Author

@ggbecker let's go forward as it is. I was told that getting changes in the STIGs takes a while. We only have two STIGs related to firewalld in SLE-15 SLES-15-010220 and SLE-15 SLES-15-010370.
SLE-15 SLES-15-010220 really covers configuration which we attached to install as well, since we can't configure what is not installed.

SLE-15 SLES-15-010370 covers testing the panic feature to disable remote access. Not sure how to test that one. Direction really requires being attached to system console.

@ggbecker ggbecker merged commit 67e2109 into ComplianceAsCode:master Apr 20, 2021
@yuumasato yuumasato added this to the 0.1.56 milestone Apr 21, 2021
@brett060102 brett060102 deleted the fix_SLES-15-010220 branch June 28, 2023 20:52