SLE15 add nftables ensure default deny policy #10249
0b02ab9 to a09610f
I couldn't test it so for now I have some comments about Style Guide and we have some opportunities to improve the OVAL readability. Test scenario scripts would also be great.
Review comments (resolved) on:
..._os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/oval/sle15.xml
linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
rationale: |-
    There are two policies: accept (Default) and drop. If the policy is set to accept, the
    firewall will accept any packet that is not configured to be denied and the packet will
    continue traversing the network stack. It is easier to allow acceptable usage than to block
I think easier management is an argument, but not the strongest one for this requirement. Maybe the main argument here is to ensure that any traffic without an explicit rule is denied by default.
The first part seems to fit better in the description section:
There are two policies: accept (Default) and drop. If the policy is set to accept, the
firewall will accept any packet that is not configured to be denied and the packet will
continue traversing the network stack.
var_nftable_master_config_file changed to var_nftables_master_config_file
…_default_deny_policy/oval/sle15.xml Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent'.
--- xccdf_org.ssgproject.content_rule_nftables_rules_permanent
+++ xccdf_org.ssgproject.content_rule_nftables_rules_permanent
@@ -1,11 +1,11 @@
[title]:
-Ensure nftables rules are permanent
+Ensure nftables Rules are Permanent
[description]:
nftables is a subsystem of the Linux kernel providing filtering and classification of
network packets/datagrams/frames. The nftables service reads the
-'xccdf_org.ssgproject.content_value_var_nftable_master_config_file' file for a nftables file or files to
+'xccdf_org.ssgproject.content_value_var_nftables_master_config_file' file for a nftables file or files to
include in the nftables ruleset. A nftables ruleset containing the input, forward, and output
base chains allow network traffic to be filtered.
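Review bot: The unchanged context lines of this hunk still read "A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered"; the subject is the singular "ruleset", so the verb should be "allows", and "An nftables" matches how the word is read aloud. Since this PR already touches the title and the variable name in the same description, the wording could be corrected in the same pass rather than in a follow-up.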
bash remediation for rule 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent' differs.
--- xccdf_org.ssgproject.content_rule_nftables_rules_permanent
+++ xccdf_org.ssgproject.content_rule_nftables_rules_permanent
@@ -1,19 +1,19 @@
-var_nftable_master_config_file=''
+var_nftables_master_config_file=''
-if [ ! -f "${var_nftable_master_config_file}" ]; then
- touch "${var_nftable_master_config_file}"
+if [ ! -f "${var_nftables_master_config_file}" ]; then
+ touch "${var_nftables_master_config_file}"
fi
-grep -qxF 'include "/etc/nftables/bridge-filter"' "${var_nftable_master_config_file}" \
- || echo 'include "/etc/nftables/bridge-filter"' >> "${var_nftable_master_config_file}"
+grep -qxF 'include "/etc/nftables/bridge-filter"' "${var_nftables_master_config_file}" \
+ || echo 'include "/etc/nftables/bridge-filter"' >> "${var_nftables_master_config_file}"
-grep -qxF 'include "/etc/nftables/arp-filter"' "${var_nftable_master_config_file}" \
- || echo 'include "/etc/nftables/arp-filter"' >> "${var_nftable_master_config_file}"
+grep -qxF 'include "/etc/nftables/arp-filter"' "${var_nftables_master_config_file}" \
+ || echo 'include "/etc/nftables/arp-filter"' >> "${var_nftables_master_config_file}"
-grep -qxF 'include "/etc/nftables/inet-filter"' "${var_nftable_master_config_file}" \
- || echo 'include "/etc/nftables/inet-filter"' >> "${var_nftable_master_config_file}"
+grep -qxF 'include "/etc/nftables/inet-filter"' "${var_nftables_master_config_file}" \
+ || echo 'include "/etc/nftables/inet-filter"' >> "${var_nftables_master_config_file}"
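Review bot: The `touch "${var_nftables_master_config_file}"` at the top of this hunk only creates the file itself; if the directory that is supposed to hold the master config file does not exist yet, `touch` fails and each of the three `echo ... >>` appends that follow fails the same way, so the remediation exits without adding any include line. A `mkdir -p "$(dirname "${var_nftables_master_config_file}")"` before the `touch`, or an explicit guard that the variable is non-empty, would make the script robust. The rename itself is complete in this hunk: every occurrence of the old `var_nftable_master_config_file` is replaced, and the `grep -qxF` / `echo >>` pairs stay idempotent.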
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent' differs.
--- xccdf_org.ssgproject.content_rule_nftables_rules_permanent
+++ xccdf_org.ssgproject.content_rule_nftables_rules_permanent
@@ -1,12 +1,12 @@
-- name: XCCDF Value var_nftable_master_config_file # promote to variable
+- name: XCCDF Value var_nftables_master_config_file # promote to variable
set_fact:
- var_nftable_master_config_file: !!str
+ var_nftables_master_config_file: !!str
tags:
- always
- name: Check the top-level configuration file exists
ansible.builtin.stat:
- path: '{{ var_nftable_master_config_file }}'
+ path: '{{ var_nftables_master_config_file }}'
tags:
- CCE-92485-2
- low_complexity
@@ -18,7 +18,7 @@
- name: Check the relevant file is included configuration
ansible.builtin.lineinfile:
- path: '{{ var_nftable_master_config_file }}'
+ path: '{{ var_nftables_master_config_file }}'
line: include "/etc/nftables/{{ item }}-filter"
create: true
loop: |
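Review bot: The `loop: |` body is cut off in this excerpt, so the set of files the `lineinfile` task includes cannot be compared against the bash remediation, which appends `bridge-filter`, `arp-filter` and `inet-filter`; please confirm the loop items are the same three names so both remediations converge on the same ruleset. Within the visible lines the only change is the `path:` rename, which is consistent with the bash side, and `create: true` matches the `touch` in the bash script.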
Also re-word description and rationale sections. Thanks to @marcusburghardt for the feedback on that.
…_default_deny_policy/rule.yml Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
2b8d8ee to 1e202ca
Code Climate has analyzed commit 1e202ca and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change).
@teacup-on-rockingchair , do you plan to include test scenario scripts? I think it would be great.
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR.