STIG: firewall need to be enabled validation

src/lib/y2security/stig_validator.rb

@@ -21,6 +21,7 @@
 require "y2security/security_policy_validator"
 require "y2security/security_policy_issues"
 require "y2network/connection_config/wireless"
+require "installation/security_settings"
 
 Yast.import "Lan"
 
@@ -107,5 +108,23 @@ def storage_issues
     def plain_filesystem?(filesystem)
       filesystem.ancestors.none? { |d| d.respond_to?(:encrypted?) && d.encrypted? }
     end
+
+    # Returns the issues in the firewall proposal
+    #
+    # * Firewall must be enabled
+    #
+    # @return [Array<Y2Issues::Issue>]
+    def firewall_issues
+      settings = Installation::SecuritySettings.instance
+
+      return [] if !!settings.enable_firewall
+
+      [
+        Y2Issues::Issue.new(
+          _("Firewall is not enabled"),
+          severity: :error, location: "proposal:firewall"
+        )
+      ]
+    end
   end
 end

test/y2security/stig_validator_test.rb

@@ -107,4 +107,30 @@
       end
     end
   end
+
+  context "when validating the firewall scope" do
+    let(:security_settings) { Installation::SecuritySettings.instance }
+    let(:enabled) { true }
+
+    before do
+      security_settings.enable_firewall = enabled
+    end
+
+    context "and the firewall is enabled" do
+      it "returns no issues" do
+        issues = subject.issues(:firewall)
+        expect(issues).to be_empty
+      end
+    end
+
+    context "and the firewall is not enabled " do
+      let(:enabled) { false }
+
+      it "returns an issue pointing that the firewall is not enabled" do
+        issues = subject.issues(:firewall)
+        expect(issues.size).to eq(1)
+        expect(issues.first.message).to include("Firewall is not enabled")
+      end
+    end
+  end
 end