Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor firewalld_sshd_port_enabled rule #9712

Merged
merged 14 commits into from
Oct 26, 2022
Merged

Refactor firewalld_sshd_port_enabled rule #9712

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
2f0f991
Improve rule descriptions for firewalld_sshd_port_enabled
marcusburghardt Oct 13, 2022
4e76d01
Increase robustness of firewalld_sshd_port_enabled bash remediation
marcusburghardt Oct 14, 2022
a1fe2e8
Include warning message regarging custom SSH port
marcusburghardt Oct 19, 2022
b7c665b
Review test scenario scripts
marcusburghardt Oct 14, 2022
32a41b0
Reinvent the test scenarios for firewalld_sshd_port_enabled
marcusburghardt Oct 19, 2022
db26bb5
Recreated OVAL assessment for firewalld_sshd_port_enabled
marcusburghardt Oct 13, 2022
84755e3
Introduce new Ansible remediation
marcusburghardt Oct 19, 2022
d4f81e2
Fix loop over array in bash remediation
marcusburghardt Oct 20, 2022
403c44d
Trim nmcli connection names output
marcusburghardt Oct 20, 2022
df8cd2d
Simplify the Bash remediation in alignment to Ansible
marcusburghardt Oct 20, 2022
8642f41
Improve wording on warning about custom ssh.xml
marcusburghardt Oct 20, 2022
ab73810
Optimize test scenarios
marcusburghardt Oct 20, 2022
a2a49e9
Remediation applicable to all NetworkManager connections
marcusburghardt Oct 24, 2022
657c1cc
Improve regex to detect ifcfg files
marcusburghardt Oct 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 79 additions & 18 deletions linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,28 +1,89 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
# platform = multi_platform_all
# reboot = false
# complexity = low
# strategy = configure
# disruption = low

- name: Ensure firewalld is installed
package:
{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}}

- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed'
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- firewalld
- NetworkManager

- name: '{{{ rule_title }}} - Collect facts about system services'
ansible.builtin.service_facts:
register: result_services_states

- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running'
block:
- name: '{{{ rule_title }}} - Collect NetworkManager connections names'
ansible.builtin.shell:
cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
register: result_nmcli_cmd_connections_names
changed_when: false

- name: '{{{ rule_title }}} - Collect NetworkManager connections zones'
ansible.builtin.shell:
cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}'
register: result_nmcli_cmd_connections_zones
changed_when: false
with_items:
- "{{ result_nmcli_cmd_connections_names.stdout_lines }}"

- name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone'
ansible.builtin.command:
cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}
register: result_nmcli_cmd_connections_assignment
with_together:
- "{{ result_nmcli_cmd_connections_names.stdout_lines }}"
- "{{ result_nmcli_cmd_connections_zones.results }}"
when:
- item.1.stdout == '--'

- name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied'
ansible.builtin.service:
name: NetworkManager
state: restarted
when:
- result_nmcli_cmd_connections_assignment is changed

- name: '{{{ rule_title }}} - Collect firewalld active zones'
ansible.builtin.shell:
cmd: firewall-cmd --get-active-zones | grep -v interfaces
register: result_firewall_cmd_zones_names
changed_when: false

- name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH'
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
register: result_nmcli_cmd_connections_assignment
changed_when:
- "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr"
with_items:
- "{{ result_firewall_cmd_zones_names.stdout_lines }}"

- name: '{{{ rule_title }}} - Ensure firewalld changes are applied'
ansible.builtin.service:
name: firewalld
state: reloaded
when:
- result_nmcli_cmd_connections_assignment is changed
when:
- ansible_facts.services['firewalld.service'].state == 'running'
- ansible_facts.services['NetworkManager.service'].state == 'running'

{{{ ansible_instantiate_variables("sshd_listening_port") }}}

- name: Enable SSHD in firewalld (custom port)
firewalld:
port: "{{ sshd_listening_port }}/tcp"
permanent: yes
state: enabled
when: sshd_listening_port != 22

- name: Enable SSHD in firewalld (default port)
firewalld:
service: ssh
permanent: yes
state: enabled
when: sshd_listening_port == 22
- name: '{{{ rule_title }}} - Informative message based on services states'
ansible.builtin.assert:
that:
- ansible_facts.services['firewalld.service'].state == 'running'
- ansible_facts.services['NetworkManager.service'].state == 'running'
fail_msg:
- firewalld and NetworkManager services are not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld and NetworkManager services running.
- The service is not started by this remediation in order to prevent connection issues.
success_msg:
- {{{ rule_title }}} remediation successfully executed
71 changes: 30 additions & 41 deletions linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,49 +5,38 @@
# disruption = low

{{{ bash_package_install("firewalld") }}}

{{{ bash_package_install("NetworkManager") }}}
{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}

{{% if product in ['rhel9'] %}}
{{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}}
{{% else %}}
{{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}}
{{% endif %}}

# This assumes that firewalld_sshd_zone is one of the pre-defined zones
if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then
cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
fi
if ! grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then
sed -i '/<\/description>/a \
<service name="ssh"/>' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"
fi

# Check if any eth interface is bounded to the zone with SSH service enabled
nic_bound=false
readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
for interface in "${eth_interface_list[@]}"; do
if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then
nic_bound=true
break;
fi
done
if systemctl is-active NetworkManager && systemctl is-active firewalld; then
# First make sure the SSH service is enabled in run-time for the proper zone.
# This is to avoid connection issues when new interfaces are addeded to this zone.
firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh

if [ $nic_bound = false ];then
# Add first NIC to SSH enabled zone
interface="${eth_interface_list[0]}"
# This will collect all NetworkManager connections names
readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
# This will not change connections which are already assigned to any firewalld zone.
for connection in "${nm_connections[@]}"; do
current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
if [ $current_zone = "--" ]; then
nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
fi
done
systemctl restart NetworkManager

if ! firewall-cmd --state -q; then
{{% if product in ['rhel9'] %}}
{{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
{{% else %}}
{{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}}
{{% endif %}}
else
# If firewalld service is running, we need to do this step with firewall-cmd
# Otherwise firewalld will communicate with NetworkManage and will revert assigned zone
# of NetworkManager managed interfaces upon reload
firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}"
firewall-cmd --reload
fi
# Active zones are zones with at least one interface assigned to it.
# It is possible that traffic is comming by any active interface and consequently any
# active zone. So, this make sure all active zones are permanently allowing SSH service.
readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
for zone in "${firewalld_active_zones[@]}"; do
firewall-cmd --permanent --zone="$zone" --add-service=ssh
done
firewall-cmd --reload
else
echo "
firewalld and NetworkManager services are not active. Remediation aborted!
This remediation could not be applied because it depends on firewalld and NetworkManager services running.
The service is not started by this remediation in order to prevent connection issues."
exit 1
fi
Loading