Enable service_nftables_enabled for RHEL7 and RHEL8 #10398
Conversation
514be82 to 9e7fff1
The PR was rebased to resolve the conflict.
This rule satisfies CIS requirements for RHEL7 and RHEL8. However, the benchmark allows to choose any of the options among firewalld, iptables and nftables. This is outdated in the benchmark and should be changed soon. Actually, iptables and nftables are possible backends for firewalld.
9e7fff1 to 7a427ce
Rebased to df63f7c
Otherwise, it will conflict with firewalld service. The preferred service to manage firewall | ||
rules is firewalld. In addition, the default backend in RHEL7 is iptables. | ||
status: automated | ||
related_rules: |
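Review bot: the notes text for this control should state explicitly that service_nftables_enabled is listed under related_rules but deliberately not selected, because related_rules does not add a rule to the profile; as shown, "Otherwise, it will conflict with firewalld service" leaves the reader to infer what is being avoided. Consider opening the note with the decision itself, along the lines of "service_nftables_enabled is intentionally not selected: enabling nftables.service alongside firewalld would conflict, and the default backend in RHEL7 is iptables", and then keep the existing sentence about firewalld being the preferred management service.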
Why is it in related rules? Using related rules doesn't add the rule to the profile.
Thanks for asking @jan-cerny. It is intentional to not include this rule in the profile.

For context, in the current versions of the CIS benchmarks for RHEL7 and RHEL8, the firewall related requirements are a little bit confusing. RHEL7 is the most outdated. The RHEL8 last version is newer than the RHEL7 last version and a little better regarding firewall requirements, but still older than the RHEL9 last version. In next versions it is expected they get more similar to the RHEL9 approach.

But currently, there are conflicting requirements for iptables, nftables and firewalld. There is even a confusion between the management tool (firewalld) and the available back-ends (iptables or nftables). In RHEL the preferred management tool is always firewalld. Regarding the back-ends, in RHEL7 iptables is used, while in RHEL8 and RHEL9 nftables is used. This is the reason to not include the service_nftables_enabled rule in the RHEL7 profile. It would mess up the firewalld + iptables requirements and likely cause disruptions.

On the other hand, using the related_rules parameter, we make it clear for developers that there is a rule for the requirement. In this case, there is a short context in the notes.
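The distinction the comment above draws between `rules` (selected into the profile) and `related_rules` (documentation only) is easy to get wrong when reading a controls file. The following Python is an added example, not code from the ComplianceAsCode project: it models a control entry with the fields visible in this PR (status, rules, related_rules, notes) on constructed sample data and resolves what a profile would actually evaluate. The control ids and the rule id service_firewalld_enabled are assumptions for illustration; only service_nftables_enabled comes from the PR.

```python
"""Resolve which rules a controls-file entry actually selects.

Added example, not code from the ComplianceAsCode project. It models the
layout of a control entry as it appears in the PR (status, rules,
related_rules, notes) and applies the semantics stated in the review
thread: only ids under `rules` are selected into the profile, while
`related_rules` documents a related rule without selecting it.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """One control entry; field names follow the controls-file layout."""
    id: str
    status: str
    rules: list = field(default_factory=list)
    related_rules: list = field(default_factory=list)
    notes: str = ""


# Constructed sample data. Control ids and service_firewalld_enabled are
# assumptions for illustration; service_nftables_enabled comes from the PR.
CONTROLS = [
    Control(
        id="fw-1",
        status="automated",
        rules=["service_firewalld_enabled"],
        related_rules=["service_nftables_enabled"],
        notes=(
            "The preferred service to manage firewall rules is firewalld. "
            "The default backend in RHEL7 is iptables, so nftables.service "
            "is not selected here; enabling it would conflict with firewalld."
        ),
    ),
    Control(id="fw-2", status="manual", notes="Reviewed by hand."),
]


def selected_rules(controls):
    """Rule ids that end up in the profile: the union of every control's `rules`."""
    selected = set()
    for control in controls:
        selected.update(control.rules)
    return selected


def documented_only(controls):
    """Rule ids that appear only in `related_rules`, never in `rules`.

    These are rules a developer can see are tied to a requirement but that
    the profile does not actually evaluate.
    """
    selected = selected_rules(controls)
    referenced = set()
    for control in controls:
        referenced.update(control.related_rules)
    return referenced - selected


def automated_without_rules(controls):
    """Sanity check: an 'automated' control with no `rules` evaluates nothing."""
    return [c.id for c in controls if c.status == "automated" and not c.rules]


def report(controls):
    """Human-readable summary of what is selected versus only documented."""
    selected = selected_rules(controls)
    lines = []
    for control in controls:
        lines.append(f"{control.id} [{control.status}]")
        for rule in control.rules:
            lines.append(f"  selected:  {rule}")
        for rule in control.related_rules:
            mark = "" if rule in selected else " (not in profile)"
            lines.append(f"  related:   {rule}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CONTROLS))
    print("Documented but not selected:", sorted(documented_only(CONTROLS)))
    print("Automated controls without rules:", automated_without_rules(CONTROLS))
```

Running the script lists service_firewalld_enabled as selected and service_nftables_enabled as related but "(not in profile)", which is exactly the state the comment describes; `automated_without_rules` is the check a reviewer would want when a control is marked automated but its rule was moved to related_rules.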
Thanks for explanation!
Code Climate has analyzed commit 7a427ce and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change). View more on Code Climate.
Description:
The service_nftables_enabled rule satisfies CIS requirements for RHEL7 and RHEL8. However, the benchmark allows to choose any of the options among firewalld, iptables and nftables. This is outdated in the benchmark and should be changed soon. Actually, iptables and nftables are possible backends for firewalld.
Rationale:
Better CIS coverage for RHEL7 and RHEL8.