Skip to content

Fix rule firewalld_sshd_port_enabled OVAL check#12914

Merged
Mab879 merged 1 commit into
ComplianceAsCode:masterfrom
evgenyz:fix-oval-firewalld_sshd_port_enabled
Jan 28, 2025
Merged

Fix rule firewalld_sshd_port_enabled OVAL check#12914
Mab879 merged 1 commit into
ComplianceAsCode:masterfrom
evgenyz:fix-oval-firewalld_sshd_port_enabled

Conversation

@evgenyz
Copy link
Copy Markdown
Member

@evgenyz evgenyz commented Jan 28, 2025

Description:

  • OVAL: Do not check for zone assignment in network connections

Rationale:

@evgenyz
Rule: firewalld_sshd_port_enabled, OVAL: Do not check for
4d4eb7c 
zone assignment in network connections

Since any interface is implicitly assigned to the default zone (if not
configured differently) we just have to make sure that SSH
is allowed in the default zone (and we do that).
@evgenyz evgenyz added OVAL OVAL update. Related to the systems assessments. Update Rule Issues or pull requests related to Rules updates. labels Jan 28, 2025
@evgenyz evgenyz added this to the 0.1.76 milestone Jan 28, 2025
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 28, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
OVAL for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- oval:ssg-firewalld_sshd_port_enabled:def:1
+++ oval:ssg-firewalld_sshd_port_enabled:def:1
@@ -1,5 +1,4 @@
 criteria AND
-criterion oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1
 criteria OR
 criteria AND
 criterion oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1

@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Jan 28, 2025

Code Climate has analyzed commit 4d4eb7c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 self-assigned this Jan 28, 2025
Mab879
Mab879 approved these changes Jan 28, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waving Automatus tests as they pass locally.

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2025-01-28-1012/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
INFO - Script customized_zone_configured.pass.sh using profile (all) OK
INFO - Script customized_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script new_zone_configured.pass.sh using profile (all) OK
INFO - Script new_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script only_nics_configured.fail.sh using profile (all) OK
INFO - Script zones_and_nics_configured.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_no_custom_files.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_port_changed.pass.sh using profile (all) OK
INFO - Script only_zones_configured.pass.sh using profile (all) OK

@Mab879 Mab879 merged commit caf94a1 into ComplianceAsCode:master Jan 28, 2025
@marcusburghardt
Copy link
Copy Markdown
Member

marcusburghardt commented Jan 31, 2025
edited
Loading

I am afraid the removal of these checks will bring back issues that were solved by them in the past. I don't remember from top of my head now, but they were there for good a reason. Lets keep watching.

In case you see something @matusmarhefka @jan-cerny @ggbecker @vojtapolasek @comps

@marcusburghardt
Copy link
Copy Markdown
Member

marcusburghardt commented Jan 31, 2025

You can check all the history of the refactoring here: #9712
There were corner cases covered that are no longer covered after this PR. They are also hard to catch with automated tests but they are legit. So I strongly recommend to revert this PR and try a different approach to fix #11625 without regression.

@evgenyz
Copy link
Copy Markdown
Member Author

evgenyz commented Jan 31, 2025

You can check all the history of the refactoring here: #9712 There were corner cases covered that are no longer covered after this PR. They are also hard to catch with automated tests but they are legit. So I strongly recommend to revert this PR and try a different approach to fix #11625 without regression.

What exactly regressed after this change?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels

OVAL OVAL update. Related to the systems assessments. Update Rule Issues or pull requests related to Rules updates.

Projects

None yet

Milestone

0.1.76

Development

Successfully merging this pull request may close these issues.

rule firewalld_sshd_port_enabled fails to remediate with imagebuilder

3 participants

@evgenyz @marcusburghardt @Mab879