Return condition to test firewalld service state in firewalld_loopback_traffic rules #11894
Conversation
If the firewalld service is stopped, the remediation should not start it in order to avoid connection issues. These new test scenarios test this condition.
After the ComplianceAsCode#11868 the condition to test the firewalld service state was removed, causing the remediation to report error when the service is stopped. This change also created a misalignment with Ansible remediation. This commit returns the condition to keep the alignment and better report the case to users.
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
@@ -11,10 +11,15 @@
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv6_rule}"
-else
+elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-cmd --permanent --zone=trusted --add-rich-rule="${ipv6_rule}"
firewall-cmd --reload
+else
+ echo "
+ firewalld service is not active. Remediation aborted!
+ This remediation could not be applied because it depends on firewalld service running.
+ The service is not started by this remediation in order to prevent connection issues."
fi
else
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
@@ -7,9 +7,14 @@
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
firewall-offline-cmd --zone=trusted --add-interface=lo
-else
+elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-interface=lo
firewall-cmd --reload
+else
+ echo "
+ firewalld service is not active. Remediation aborted!
+ This remediation could not be applied because it depends on firewalld service running.
+ The service is not started by this remediation in order to prevent connection issues."
fi
else |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 7bb12ce and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.2% (0.0% change). View more on Code Climate. |
vojtapolasek
merged commit a4c9573
into
ComplianceAsCode:master
Description:
After the #11868 the condition to test the
firewalldservice state before trying to runfirewalld-cmdwas removed, causing the remediation to report error when the service is stopped.This change also created a misalignment with Ansible remediation.
This commit returns the condition to keep the alignment and better report the case to users.
Rationale:
Review Hints:
automatus tests should be enough.
Some CI tests using containers are expected to fail.