[stabilization] firewalld_sshd_port_enabled
add zone to all connections
#12260
Conversation
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -22,7 +22,7 @@
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
# This will collect all NetworkManager connections names
- readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
+ readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
for connection in "${nm_connections[@]}"; do
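Review bot: the replacement pipeline still filters on the whole "UUID:TYPE" line with `grep -v loopback` and only then splits on ':'; compare the TYPE field instead, e.g. `readarray -t nm_connections < <(nmcli -g UUID,TYPE con | awk -F ':' '$2 != "loopback" { print $1 }')`, which makes the exclusion exact and drops the grep stage. The comment above the command, "This will collect all NetworkManager connections names", was already wrong for the `-f` version and stays wrong here: both print UUIDs, so say UUIDs. Note that the widened set now feeds bridge, bond, vlan and wifi connections into the zone-assignment loop below as well as infiniband, which matches the PR description but is worth stating in the remediation comment.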
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -53,7 +53,7 @@
- name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
connections names
ansible.builtin.shell:
- cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
+ cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }'
register: result_nmcli_cmd_connections_names
changed_when: false
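Review bot: same field-versus-line point as in the bash remediation: `cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }'` excludes on a whole-line match; `awk -F ':' '$2 != "loopback" { print $1 }'` compares the TYPE field. The task name "Collect NetworkManager connections names" and the registered variable `result_nmcli_cmd_connections_names` both say names, but the command returns UUIDs, so rename them. The task remains an `ansible.builtin.shell` pipeline, so the review request below to use a more suitable Ansible module than shell is still open.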
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- oval:ssg-sshd_use_approved_ciphers:def:1
+++ oval:ssg-sshd_use_approved_ciphers:def:1
@@ -1,5 +1,3 @@
-criteria AND
-extend_definition oval:ssg-installed_OS_is_FIPS_certified:def:1
criteria OR
criteria AND
extend_definition oval:ssg-sshd_not_required_or_unset:def:1 |
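Review bot: this hunk is outside the PR's stated scope. The description only changes how firewalld_sshd_port_enabled collects connections, yet the diff removes `criteria AND` and `extend_definition oval:ssg-installed_OS_is_FIPS_certified:def:1` from sshd_use_approved_ciphers, leaving the `criteria OR` block as the top level and dropping the FIPS-certified-OS precondition. A later comment attributes the extra diff to the PR's base branch; regenerate the datastream diff against stabilization-v0.1.74 and confirm this OVAL change disappears before merging.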
Change in Ansible
Please consider using a more suitable Ansible module than
@mildas please remove the unwanted commits
🤖 A k8s content image for this PR is available at:
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
Code Climate has analyzed commit 4d75c91 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
@jan-cerny commits are fine, the problem was base branch in PR.
Automatus errors are expected as the remediation required running firewalld and NetworkManager services
/packit build
c3ec259 into ComplianceAsCode:stabilization-v0.1.74
Description:
Configure zone=... for all non-loopback connections on the system. ethernet is not the only type that can be connected to a machine: https://docs.fedoraproject.org/en-US/quick-docs/configuring-ip-networking-with-nmcli/#_the_nmcli_options
Rationale:
Fixes an issue where the remediation failed on a system with an infiniband connection. Fixes #12233
Review Hints:
and see Testing Farm CI, and ideally test on an aarch64 system, the one with an infiniband connection
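As an added example, not code from this PR or from the ComplianceAsCode project, the two connection filters side by side on constructed nmcli output, so the difference can be seen without firewalld or NetworkManager present. The UUIDs and the tabular/terse samples are made up stand-ins for `nmcli -f UUID,TYPE con` and `nmcli -g UUID,TYPE con`; nmcli is never called. The new filter here goes one step further than the PR by comparing the TYPE field exactly instead of grepping the whole line, and `zone_action` is an assumed helper that stands in for the remediation's "only assign a zone if none is set" check, with the current zone passed in rather than read from NetworkManager.

```shell
#!/bin/sh
# Added example (not the project's remediation): shows why the old
# "grep ethernet" filter missed infiniband connections and how the new
# non-loopback filter behaves, using constructed nmcli output.

# Constructed stand-in for `nmcli -f UUID,TYPE con`: tabular, header line,
# whitespace-separated columns. UUIDs are made up.
SAMPLE_TABULAR='UUID                                  TYPE
11111111-1111-4111-8111-111111111111  ethernet
22222222-2222-4222-8222-222222222222  infiniband
33333333-3333-4333-8333-333333333333  loopback
44444444-4444-4444-8444-444444444444  wifi
55555555-5555-4555-8555-555555555555  bridge'

# Constructed stand-in for `nmcli -g UUID,TYPE con`: terse, colon-separated,
# no header; the same connections as above.
SAMPLE_TERSE='11111111-1111-4111-8111-111111111111:ethernet
22222222-2222-4222-8222-222222222222:infiniband
33333333-3333-4333-8333-333333333333:loopback
44444444-4444-4444-8444-444444444444:wifi
55555555-5555-4555-8555-555555555555:bridge'

# Old remediation filter on tabular output (read from stdin): keeps only
# lines containing "ethernet", so infiniband, wifi and bridge get no zone.
old_filter() {
    grep ethernet | awk '{ print $1 }'
}

# New filter on terse output (read from stdin): every connection except
# loopback, comparing the TYPE field exactly rather than the whole line.
non_loopback_uuids() {
    awk -F ':' '$2 != "loopback" { print $1 }'
}

# Number of UUIDs a filter ($2, a function name) yields for sample text ($1).
count_uuids() {
    printf '%s\n' "$1" | "$2" | grep -c .
}

# Mirror of the remediation loop's decision for one connection: assign the
# zone only when connection.zone is empty. The current zone ($3) is passed
# in so this runs offline; on a real host it would come from
# `nmcli -g connection.zone con show "$uuid"` (assumed, not called here).
zone_action() {
    uuid=$1; zone=$2; current=$3
    if [ -z "$current" ]; then
        printf 'nmcli con modify %s connection.zone %s\n' "$uuid" "$zone"
    else
        printf 'skip %s (already in zone %s)\n' "$uuid" "$current"
    fi
}

# Demo run: `sh this_script.sh demo`
if [ "${1:-}" = "demo" ]; then
    echo "old filter (tabular input):"
    printf '%s\n' "$SAMPLE_TABULAR" | old_filter
    echo "new filter (terse input):"
    printf '%s\n' "$SAMPLE_TERSE" | non_loopback_uuids
    echo "zone decisions with no zone currently set:"
    printf '%s\n' "$SAMPLE_TERSE" | non_loopback_uuids | while read -r u; do
        zone_action "$u" public ""
    done
fi
```

The old filter returns one UUID from the sample (the ethernet connection), the new one returns four (everything except loopback); the infiniband UUID from #12233's scenario is among them only with the new filter.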