107 lines
6.3 KiB
Diff
107 lines
6.3 KiB
Diff
From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Mon, 13 Feb 2023 17:49:14 +0100
|
|
Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled
|
|
|
|
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
|
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
|
|
---
|
|
.../oval/shared.xml | 68 +++++++++++++++----
|
|
1 file changed, 54 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
index 4adef2e53f..d7c96665b4 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
@@ -133,9 +133,10 @@
|
|
OVAL resources in order to detect and assess only active zone, which are zones with at
|
|
least one NIC assigned to it. Since it was possible to easily have the list of active
|
|
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
|
- level of complexity to make sure environments with multiple NICs and multiple zones are
|
|
- in use. So, in favor of simplicity and readbility it was decided to work with a static
|
|
- list. It means that, in the future, it is possible this list needs to be updated. -->
|
|
+ level of complexity to ensure proper assessment in environments where multiple NICs and
|
|
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
|
|
+ work with a static list. It means that, in the future, it is possible this list needs to
|
|
+ be updated. -->
|
|
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
|
|
datatype="string"
|
|
comment="Regex containing the list of zones files delivered in the firewalld package">
|
|
@@ -145,23 +146,62 @@
|
|
<!-- If any default zone is modified by the administrator, the respective zone file is placed
|
|
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
|
directory is applicable for new zones created by the administrator. Therefore, all files
|
|
- in this directory should also allow SSH. -->
|
|
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
|
+ in this directory should also allow SSH.
|
|
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
|
|
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
|
|
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
|
|
+ an impact in transparency since the objects are not shown in reports. The transparency
|
|
+ impact can be workarounded by using other OVAL objects, but this would impact in
|
|
+ readability and would increase complexity. This solution is in favor of simplicity. -->
|
|
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
|
check="all" check_existence="at_least_one_exists" version="1"
|
|
comment="SSH service is defined in all zones created or modified by the administrator">
|
|
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
- </ind:xmlfilecontent_test>
|
|
+ <ind:object
|
|
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
|
|
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
|
+ </ind:variable_test>
|
|
+
|
|
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
|
+ version="1">
|
|
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
|
|
+ </ind:variable_object>
|
|
+
|
|
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
|
+ datatype="int" version="1"
|
|
+ comment="Variable including number of custom zone files allowing ssh">
|
|
+ <count>
|
|
+ <object_component item_field="filepath"
|
|
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
+ </count>
|
|
+ </local_variable>
|
|
|
|
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
- <ind:path>/etc/firewalld/zones</ind:path>
|
|
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
+ <ind:path>/etc/firewalld/zones</ind:path>
|
|
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
</ind:xmlfilecontent_object>
|
|
|
|
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
- </ind:xmlfilecontent_state>
|
|
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
|
|
+ version="1">
|
|
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
|
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
|
+ </ind:variable_state>
|
|
+
|
|
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
|
|
+ datatype="int" version="1"
|
|
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
|
|
+ <count>
|
|
+ <object_component item_field="filepath"
|
|
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
|
|
+ </count>
|
|
+ </local_variable>
|
|
+
|
|
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
|
|
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
|
+ recurse_file_system="local"/>
|
|
+ <unix:path>/etc/firewalld/zones</unix:path>
|
|
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
|
|
+ </unix:file_object>
|
|
|
|
<!-- SSH service is configured as expected -->
|
|
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
|
|
--
|
|
2.39.1
|
|
|