SLES-15-010220 updates for firewalld #6831
Conversation
SuSEfirewall2 was retired in SLE-12 in favor of firewalld. So, we need to remove SuSEfirewall2 references from SL15 and fix up the SLES-15-010220 rule. This includes changing SLES-15-010370 to SLES-15-010220. SLES-15-010370 was specific to the firewall panic switch enablement.
Changes identified: Profile cis on sle15. Recommended tests to execute:
@abergmann Can you please review this?
@ggbecker should be good now.
    cis@rhel8: 3.4.1.1
    stigid@sle15: SLES-15-010220
The same STIG ID is assigned to service_firewalld_enabled. That's not ideal, and we already requested DISA to split these for RHEL8. That's probably not going to be reflected in the SLE STIGs. Having a duplicate means your STIG results will map to only one of these if you import results into STIG Viewer, for example. On the other hand, for OpenSCAP HTML reports, there will be no negative impact.
I'm not opposed to merging this, I just want to have your acknowledgement.
Acknowledged and agreed. Not quite sure what else to do given our STIGs. It is better than what we have in SLE-12, where we have three rules attached to the same STIG.
@ggbecker let's go forward as it is. I was told that getting changes into the STIGs takes a while. We only have two STIGs related to firewalld in SLE-15: SLES-15-010220 and SLES-15-010370.
SLES-15-010220 really covers configuration, which we attached to install as well, since we can't configure what is not installed.
SLES-15-010370 covers testing the panic feature to disable remote access. Not sure how to test that one. The direction really requires being attached to the system console.
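The duplicate-mapping problem raised in review (one STIG ID on both the install rule and service_firewalld_enabled) is easy to catch before import into STIG Viewer by scanning the `references:` block of each rule.yml. The script below is an added example, not code from the ComplianceAsCode project or from this PR. It parses reference lines of the form shown in the reviewed snippet (`stigid@sle15: SLES-15-010220`) and reports every STIG ID shared by more than one rule. The rule contents are constructed inline for the example; `service_firewalld_enabled` is the rule named in the review, while `package_firewalld_installed`, `firewalld_sshd_port_enabled` and the value `SLES-15-010230` are assumptions made for illustration, not values taken from the PR.

```python
"""Report STIG IDs assigned to more than one ComplianceAsCode rule.

Added example (not ComplianceAsCode's own tooling). It reads the
``references:`` block of rule.yml text, in the layout shown in the
review snippet, and lists STIG IDs that several rules share.
"""
import re
from collections import defaultdict

# Constructed sample rule.yml contents keyed by rule id. Only
# service_firewalld_enabled and SLES-15-010220 come from the PR thread;
# the other rule ids and SLES-15-010230 are assumed for illustration.
SAMPLE_RULES = {
    "package_firewalld_installed": """\
title: 'Install firewalld Package'
references:
    cis@rhel8: 3.4.1.1
    stigid@sle15: SLES-15-010220
""",
    "service_firewalld_enabled": """\
title: 'Verify firewalld Enabled'
references:
    cis@rhel8: 3.4.1.2
    stigid@sle15: SLES-15-010220
""",
    "firewalld_sshd_port_enabled": """\
title: 'Enable SSH port in firewalld'
references:
    stigid@sle15: SLES-15-010230
""",
}

# An indented "stigid@<product>: <value>" line inside the references block.
# Values may be comma-separated lists, as other reference keys in rule.yml are.
REF_LINE = re.compile(r"^\s+(stigid@[\w-]+):\s*(\S+)\s*$")


def stig_ids(rule_text):
    """Return {'stigid@sle15': ['SLES-15-010220', ...]} for one rule.yml text.

    Only lines indented under a top-level ``references:`` key are considered,
    so a stigid-looking string elsewhere in the rule is ignored.
    """
    found = {}
    in_refs = False
    for line in rule_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # A new top-level key: we are in the block only if it is references:
            in_refs = line.rstrip() == "references:"
            continue
        if not in_refs:
            continue
        match = REF_LINE.match(line)
        if match:
            key, value = match.groups()
            found[key] = [v.strip() for v in value.split(",") if v.strip()]
    return found


def find_duplicate_stig_ids(rules):
    """Map (reference key, STIG ID) -> sorted rule ids, for IDs used by >1 rule."""
    owners = defaultdict(set)
    for rule_id, text in rules.items():
        for key, values in stig_ids(text).items():
            for stig in values:
                owners[(key, stig)].add(rule_id)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_stig_ids(SAMPLE_RULES)
    for (key, stig), rule_ids in sorted(dupes.items()):
        print(f"{key} {stig} is assigned to {len(rule_ids)} rules: "
              f"{', '.join(rule_ids)}")
```

Run against a real checkout, the same two functions can be fed the contents of every `rule.yml` under a product directory; any key/ID pair reported is one where STIG Viewer will attach the scan result to only one of the listed rules, exactly the caveat the reviewer describes.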
SuSEfirewall2 was retired in SLE-12 in favor of firewalld.
So, we need to remove SuSEfirewall2 references from SL15
and fix up the SLES-15-010220 rule. This includes changing SLES-15-010370
to SLES-15-010220. SLES-15-010370 was specific to the firewall panic switch.
Description:
We found out about SuSEfirewall2 to firewalld change after initial SLE15 work.
Rationale:
Use SLE-15 preferred firewall package.