
Switch to _guard_var templates for firewall rules on Ubuntu 24.04 #12902

Merged (7 commits), Jan 27, 2025

Conversation

@mpurg mpurg (Contributor) commented Jan 27, 2025

Description:

  • Modify firewall package/service install/enable rules to use _guard_var templates on Ubuntu 24.04
  • Add tests to _guard_var templates
  • Remove package_nftables_removed from Ubuntu 24.04 controls

Rationale:

mpurg added 7 commits January 27, 2025 08:54
This change modifies the firewall package/service rules to use the templates
`..._guard_var` introduced in ComplianceAsCode#11818 to selectively install the firewall
that is chosen by the var_network_filtering_service

It also fixes the platform applicability on Ubuntu 24.04 since it
both required firewalld and required that conflicting services
be disabled when installing packages. This interfered with the
logic introduced in the new templates and could result in a
package/service not being installed/enabled.

For example, if the user selected 'nftables' as their firewall
using the new template and variable, the rule package_nftables_installed
would still be marked as not applicable because the ufw service is enabled
by default on some installations. The proposed solution removes the
applicability check and installs the package depending only on the choice of
var_network_filtering_service, irrespective of the status of the ufw service.
Removing nftables is not a hard requirement for CIS. If removed,
apt will also remove the ubuntu-standard package, which is
recommended to not be removed from the system.
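The install/enable guard logic the commit messages describe, written out as an added shell illustration (this is not the ComplianceAsCode template code itself). It assumes the three values ufw, nftables and firewalld for var_network_filtering_service, disables rather than removes the firewalls that were not chosen, and runs in dry-run mode by default so the decisions can be inspected on any host:

```sh
#!/bin/sh
# Added illustration of "_guard_var" style remediation: act only on the
# firewall selected by var_network_filtering_service, independent of which
# services happen to be enabled on the host. Not the project's own template.
# DRY_RUN=1 (default) prints the commands instead of executing them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# firewall_plan VALUE
# VALUE mirrors var_network_filtering_service (ufw | nftables | firewalld).
# The chosen firewall is installed and enabled; the others are only
# disabled. No package is removed: as noted above, removing nftables would
# pull ubuntu-standard along with it, so removal is left out of the plan.
firewall_plan() {
    chosen="$1"
    case "$chosen" in
        ufw|nftables|firewalld) ;;
        *) echo "unsupported firewall choice: $chosen" >&2; return 1 ;;
    esac
    for svc in ufw nftables firewalld; do
        if [ "$svc" = "$chosen" ]; then
            # package_<svc>_installed / service_<svc>_enabled, guarded by the variable
            run apt-get install -y "$svc"
            run systemctl enable "$svc.service"
        else
            # service_<svc>_disabled for every firewall that was not selected
            run systemctl disable --now "$svc.service"
        fi
    done
}
```

Run with `DRY_RUN=0 firewall_plan nftables` as root to apply the plan instead of printing it.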
@mpurg mpurg requested a review from a team as a code owner January 27, 2025 08:14

openshift-ci bot commented Jan 27, 2025

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jan 27, 2025
@dodys dodys added Ubuntu Ubuntu product related. CIS CIS Benchmark related. labels Jan 27, 2025
@dodys dodys self-assigned this Jan 27, 2025
@dodys dodys added this to the 0.1.76 milestone Jan 27, 2025

codeclimate bot commented Jan 27, 2025

Code Climate has analyzed commit f6c6de5 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@mpurg mpurg changed the title Switch to _guard_var templates on Ubuntu 24.04 Switch to _guard_var templates for firewall rules on Ubuntu 24.04 Jan 27, 2025
@dodys dodys (Contributor) left a comment

lgtm, thanks!

@dodys dodys merged commit f0771a3 into ComplianceAsCode:master Jan 27, 2025
95 of 100 checks passed