Merge pull request #11818 from teacup-on-rockingchair/firewall_by_pro…

…file_variable Firewall technology related rules per service and package change logic according to interactive profile variable
ComplianceAsCode · Jan 21, 2025 · 4016027 · 4016027
2 parents fa1f32c + 8f0fdfe
commit 4016027
Show file tree

Hide file tree

Showing 34 changed files with 563 additions and 0 deletions.
diff --git a/...ystem/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/...ystem/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -49,10 +49,20 @@ fixtext: |-
 
     {{{ package_install("firewalld") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_installed_guard_var
+    vars:
+        pkgname: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: package_installed
     vars:
         pkgname: firewalld
+{{%- endif %}}
+
 
 srg_requirement:
     {{{ full_name }}} must have the firewalld package installed.
diff --git a/.../system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/.../system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -55,7 +55,17 @@ fixtext: |-
 
 srg_requirement: '{{{ srg_requirement_service_enabled("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: firewalld
+        servicename: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: firewalld
+{{%- endif %}}
diff --git a/...ystem/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml b/...ystem/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
@@ -29,7 +29,16 @@ references:
 
 fixtext: '{{{ fixtext_package_removed("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_removed_guard_var
+    vars:
+        pkgname: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: package_removed
     vars:
         pkgname: firewalld
+{{%- endif %}}
diff --git a/...stem/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml b/...stem/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
@@ -37,8 +37,18 @@ fixtext: '{{{ fixtext_service_disabled("firewalld") }}}'
 
 srg_requirement: '{{{ srg_requirement_service_disabled("firewalld") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_disabled_guard_var
+    vars:
+        packagename: firewalld
+        servicename: firewalld
+        variable: var_network_filtering_service
+        value: firewalld
+{{%- else %}}
 template:
     name: service_disabled
     vars:
         servicename: firewalld
         packagename: firewalld
+{{%- endif %}}
diff --git a/...de/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/...de/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
@@ -34,8 +34,18 @@ ocil: |-
     <br /><br />
     {{{ ocil_service_enabled(service="ip6tables") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: iptables
+        servicename: iptables
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: ip6tables
         packagename: iptables-ipv6
+{{%- endif %}}
diff --git a/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/...ide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -36,7 +36,17 @@ platform: system_with_kernel and package[iptables] and service_disabled[firewall
 ocil: |-
     {{{ ocil_service_enabled(service="iptables") }}}
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: ip6tables
+        servicename: iptables-ipv6
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: iptables
+{{%- endif %}}
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
@@ -36,7 +36,16 @@ ocil_clause: 'the package is not installed'
 
 ocil: '{{{ ocil_package(package="iptables") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_installed_guard_var
+    vars:
+        pkgname: iptables
+        variable: var_network_filtering_service
+        value: iptables
+{{%- else %}}
 template:
     name: package_installed
     vars:
         pkgname: iptables
+{{%- endif %}}
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
@@ -27,7 +27,17 @@ references:
 
 fixtext: '{{{ fixtext_package_removed("nftables") }}}'
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: package_removed_guard_var
+    vars:
+        pkgname: nftables
+        variable: var_network_filtering_service
+        value: firewalld|nftables
+        operation: pattern match
+{{%- else %}}
 template:
     name: package_removed
     vars:
         pkgname: nftables
+{{%- endif %}}
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -38,8 +38,18 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}'
 
 platform: system_with_kernel and package[nftables] and package[firewalld]
 
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_disabled_guard_var
+    vars:
+        packagename: nftables
+        servicename: nftables
+        variable: var_network_filtering_service
+        value: nftables
+{{%- else %}}
 template:
     name: service_disabled
     vars:
         servicename: nftables
         packagename: nftables
+{{%- endif %}}
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
@@ -34,9 +34,21 @@ ocil: |-
 fixtext: |-
     {{{ fixtext_service_enabled("nftables") }}}
 
+
 platform: system_with_kernel and package[nftables] and service_disabled[firewalld]
 
+
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+    name: service_enabled_guard_var
+    vars:
+        packagename: nftables
+        servicename: nftables
+        variable: var_network_filtering_service
+        value: nftables
+{{%- else %}}
 template:
     name: service_enabled
     vars:
         servicename: nftables
+{{%- endif %}}
diff --git a/linux_os/guide/system/network/var_network_filtering_service.var b/linux_os/guide/system/network/var_network_filtering_service.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Network filtering service'
+
+description: |-
+   Network filtering service: iptables, nftables, firewalld or ufw
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    iptables: iptables
+    nftables: nftables
+    firewalld: firewalld
+    ufw: ufw
+    default: firewalld
diff --git a/products/sle12/profiles/default.profile b/products/sle12/profiles/default.profile
@@ -12,6 +12,7 @@ description: |-
     is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - var_network_filtering_service=iptables
     - accounts_user_dot_user_ownership
     - service_timesyncd_enabled
     - gnome_gdm_disable_xdmcp

diff --git a/products/sle15/profiles/cis.profile b/products/sle15/profiles/cis.profile
@@ -21,6 +21,7 @@ description: |-
 
 selections:
     - cis_sle15:all:l2_server
+    - var_network_filtering_service=firewalld
 # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'

diff --git a/products/sle15/profiles/default.profile b/products/sle15/profiles/default.profile
@@ -12,6 +12,7 @@ description: |-
     is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - var_network_filtering_service=firewalld
     - accounts_user_dot_user_ownership
     - service_timesyncd_enabled
     - gnome_gdm_disable_xdmcp

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1761,3 +1761,31 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL
 
 </def-group>
 {{%- endmacro -%}}
+
+{{#
+Macro to check if external variable is set to value
+  :param variable: Name of the external variable to check
+  :type variable: str
+  :param value: Value of the external variable
+  :type value: str
+  :param test_id: Suffix of the Ids in test, obj, and state elements
+  :type test_id: str
+  :param operation: Value operation
+  :type operation: str
+#}}
+{{%- macro oval_test_external_variable_value(variable,value,test_id='',operation='equals') -%}}
+  <ind:variable_test id="{{{ test_id }}}"
+  comment="Check external {{{ variable }}} is set to {{{ value }}}" check="all" version="1">
+    <ind:object object_ref="obj_{{{ test_id }}}"/>
+    <ind:state state_ref="ste_{{{ test_id }}}" />
+  </ind:variable_test>
+
+  <ind:variable_object id="obj_{{{ test_id }}}" version="1">
+    <ind:var_ref>{{{ variable }}}</ind:var_ref>
+  </ind:variable_object>
+  <ind:variable_state id="ste_{{{ test_id }}}" version="1">
+    <ind:value operation="{{{ operation }}}" datatype="string">{{{ value }}}</ind:value>
+  </ind:variable_state>
+
+  <external_variable comment="External variable {{{ variable }}}" datatype="string" id="{{{ variable }}}" version="1" />
+{{%- endmacro -%}}
diff --git a/shared/templates/package_installed_guard_var/ansible.template b/shared/templates/package_installed_guard_var/ansible.template
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is installed
+  ansible.builtin.package:
+    name: "{{{ PKGNAME }}}"
+    state: present
+{{% if OPERATION == "pattern match" %}}
+  when: {{{ VARIABLE }}} is regex("{{{ VALUE }}}")
+{{% else %}}
+  when: {{{ VARIABLE }}} == "{{{ VALUE }}}"
+{{% endif %}}
diff --git a/shared/templates/package_installed_guard_var/bash.template b/shared/templates/package_installed_guard_var/bash.template
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+  if [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
+    {{{ bash_package_install(package=PKGNAME) }}}
+  fi
+{{% else %}}
+  if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then
+    {{{ bash_package_install(package=PKGNAME) }}}
+  fi
+{{% endif %}}
diff --git a/shared/templates/package_installed_guard_var/oval.template b/shared/templates/package_installed_guard_var/oval.template
@@ -0,0 +1,26 @@
+<def-group>
+  {{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+  {{% if OPERATION is defined %}}
+    {{%- set variable_value_op = OPERATION -%}}
+  {{% else %}}
+    {{%- set variable_value_op = "equals" -%}}
+  {{% endif %}}
+  <definition class="compliance" id="{{{ _RULE_ID }}}"
+  version="1">
+    {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_sle"]) }}}
+    <criteria operator="OR" comment="package {{{ PKGNAME }}} is installed or not needed">
+      <criteria comment="{{{ PKGNAME }}} is not needed" operator="AND">
+        <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"
+        test_ref="{{{ variable_value_test_id }}}" negate="true"/>
+      </criteria>
+      <criteria comment="package {{{ PKGNAME }}} is installed and needed" operator="AND">
+        <criterion comment="package {{{ PKGNAME }}} is installed"
+        test_ref="test_package_{{{ PKGNAME }}}_installed" />
+        <criterion comment="variable {{{ VARIABLE }}} is set to {{{ VALUE }}}"
+        test_ref="{{{ variable_value_test_id }}}" />
+      </criteria>
+    </criteria>
+  </definition>
+{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+{{{ oval_test_package_installed(package=PKGNAME, evr=EVR, test_id="test_package_"+PKGNAME+"_installed") }}}
+</def-group>
diff --git a/shared/templates/package_installed_guard_var/template.py b/shared/templates/package_installed_guard_var/template.py
@@ -0,0 +1,12 @@
+import re
+
+
+def preprocess(data, lang):
+    if "evr" in data:
+        evr = data["evr"]
+        if evr and not re.match(r'\d:\d[\d\w+.]*-\d[\d\w+.]*', evr, 0):
+            raise RuntimeError(
+                "ERROR: input violation: evr key should be in "
+                "epoch:version-release format, but package {0} has set "
+                "evr to {1}".format(data["pkgname"], evr))
+    return data
diff --git a/shared/templates/package_installed_guard_var/template.yml b/shared/templates/package_installed_guard_var/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
diff --git a/shared/templates/package_removed_guard_var/ansible.template b/shared/templates/package_removed_guard_var/ansible.template
@@ -0,0 +1,18 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is removed
+  ansible.builtin.package:
+    name: "{{{ PKGNAME }}}"
+    state: absent
+  when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% if OPERATION == "pattern match" %}}
+  when: {{{ VARIABLE }}} is not regex("{{{ VALUE }}}")
+{{% else %}}
+  when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% endif %}}
diff --git a/shared/templates/package_removed_guard_var/bash.template b/shared/templates/package_removed_guard_var/bash.template
@@ -0,0 +1,23 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+# CAUTION: This remediation script will remove {{{ PKGNAME }}}
+#	   from the system, and may remove any packages
+#	   that depend on {{{ PKGNAME }}}. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+  if ! [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
+    {{{ bash_package_remove(package=PKGNAME) }}}
+  fi
+{{% else %}}
+  if [ ${{{ VARIABLE }}} != {{{ VALUE }}} ]; then
+    {{{ bash_package_remove(package=PKGNAME) }}}
+  fi
+{{% endif %}}