firewalld_sshd_port_enabled fails on aarch64 in ism_o profile #12233

Closed
vojtapolasek opened this issue Jul 29, 2024 · 7 comments · Fixed by #12256 or #12260
Labels: productization-issue (Issue found in upstream stabilization process.)

Comments

vojtapolasek (Collaborator) commented Jul 29, 2024

Description of problem:

The rule mentioned in the title fails when ism_o profile is remediated and evaluated on AARCH64 system.

SCAP Security Guide Version:

master as of d9086f6

Operating System Version:

RHEL 9.0

Steps to Reproduce:

  1. provision AARCH64 machine with RHEL 9.0
  2. perform hardening of the CUI profile with something like
oscap xccdf eval --remediate --profile ism_o ssg-rhel9-ds.xml

Actual Results:

The mentioned rule is reported as failing in the final report, although the remediation looks to be performed correctly.

Expected Results:

The rule is reported as passing.

Additional Information/Debugging Steps:

It seems that the OVAL check of the rule fails because of this particular test: test_firewalld_sshd_port_enabled_all_nics_in_zones

@vojtapolasek vojtapolasek added the productization-issue Issue found in upstream stabilization process. label Jul 29, 2024
@vojtapolasek vojtapolasek added this to the 0.1.74 milestone Jul 29, 2024
vojtapolasek added a commit to vojtapolasek/contest that referenced this issue Jul 29, 2024
comps pushed a commit to RHSecurityCompliance/contest that referenced this issue Jul 29, 2024
@Mab879 Mab879 modified the milestones: 0.1.74, 0.1.75 Jul 29, 2024
Mab879 (Member) commented Jul 29, 2024

[root@rhel9]# oscap xccdf eval --remediate --profile ism_o --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled ssg-rhel9-ds.xml 
--- Starting Evaluation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fail


--- Starting Remediation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  error

The remediation might be suspect.

mildas (Contributor) commented Jul 30, 2024

@Mab879 are you sure firewalld and NetworkManager are on?
I wasn't able to reproduce it in --rule mode when those services are started:

[root@hpe-apollo-cn99xx-14-vm-28 ~]# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled ssg-rhel9-ds.xml
--- Starting Evaluation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fail


--- Starting Remediation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  error

[root@hpe-apollo-cn99xx-14-vm-28 ~]# systemctl start NetworkManager; systemctl start firewalld
[root@hpe-apollo-cn99xx-14-vm-28 ~]# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled ssg-rhel9-ds.xml
--- Starting Evaluation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fail


--- Starting Remediation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fixed

^ aarch64, RHEL 9.0.0 GA compose

Edit: Same after ISM O profile remediation on latest nightly 9.0 compose. The rule passed

Mab879 (Member) commented Jul 31, 2024

I recently found a similar error on the STIG aarch64 test as well.

mildas (Contributor) commented Jul 31, 2024

> I recently found a similar error on the STIG aarch64 test as well.

But this time it's 9.2. ISM in 9.0 is fine.

mildas (Contributor) commented Aug 1, 2024

Reserved the problematic system and here's what I found:

zone=public configuration is missing in one of /etc/NetworkManager/system-connections/*.nmconnection configuration files. It's caused by our remediation not setting zone for it:

# 3 connections are there
# ls /etc/NetworkManager/system-connections/
 eno1.nmconnection   ibp5s0.nmconnection  'Wired Connection.nmconnection'

# Our remediation sets it only for 2 of them
# nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
a4bf7c18-a9bf-4c2c-a04e-a8a79df4b868
0d2fb4d4-8e51-445b-95c3-d6c8550a0f31

The problem is that one of the connections is not ethernet type:

# nmcli con
NAME              UUID                                  TYPE        DEVICE 
eno1              a4bf7c18-a9bf-4c2c-a04e-a8a79df4b868  ethernet    eno1   
lo                605f6e07-b57d-4a67-93a7-49a89052f629  loopback    lo     
ibp5s0            5cc8c068-3f2b-4104-9a5f-bf3204504eac  infiniband  --         <<<<<<<<<<<
Wired Connection  0d2fb4d4-8e51-445b-95c3-d6c8550a0f31  ethernet    -- 

But OVAL expects that ALL connections have the zone set. As there's several connection types allowed (see https://docs.fedoraproject.org/en-US/quick-docs/configuring-ip-networking-with-nmcli/#_the_nmcli_options), my proposal is to change the remediation to not grep ethernet but rather grep -v loopback. Thoughts @Mab879 @vojtapolasek @jan-cerny ?
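The filter change proposed above, as an added example that is not the SSG remediation, its OVAL, or code from any participant: it runs the ethernet-only filter and the non-loopback filter side by side over a constructed copy of the `nmcli -f UUID,TYPE con` output shown in the issue, and checks a constructed set of `.nmconnection` keyfiles the way the failing OVAL test is described (every non-loopback connection must carry `zone=public`). The only real command assumed is `nmcli connection modify <uuid> connection.zone public`, which NetworkManager accepts; the sample output, the keyfiles and the keyfile checker are assumptions made for the example, and the checker is an approximation of what `test_firewalld_sshd_port_enabled_all_nics_in_zones` looks for, not its definition. One caveat the example makes visible: `nmcli -f UUID,TYPE con` prints a header line, so a plain `grep -v loopback` would also pass the literal word `UUID` on to `nmcli`; the header has to be dropped as well.

```shell
#!/bin/sh
# Added example (not SSG's remediation or OVAL): compare the two UUID filters
# discussed in the issue and verify NetworkManager keyfiles the way the
# failing OVAL test is described: every non-loopback connection has zone=public.

# Constructed sample of `nmcli -f UUID,TYPE con` output, mirroring the four
# connections listed in the issue (header line included, as nmcli prints it).
SAMPLE_NMCLI='UUID                                  TYPE
a4bf7c18-a9bf-4c2c-a04e-a8a79df4b868  ethernet
605f6e07-b57d-4a67-93a7-49a89052f629  loopback
5cc8c068-3f2b-4104-9a5f-bf3204504eac  infiniband
0d2fb4d4-8e51-445b-95c3-d6c8550a0f31  ethernet'

# Filter used by the remediation at the time of the issue: misses infiniband.
select_ethernet_only() {
    printf '%s\n' "$1" | grep ethernet | awk '{ print $1 }'
}

# Proposed filter: everything except loopback. The header line is dropped too
# (NR > 1); a bare `grep -v loopback` would pass the literal word "UUID" on.
select_non_loopback() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 != "loopback" { print $1 }'
}

# Remediation step for one UUID (assumes nmcli is on PATH; this is the
# NetworkManager command for setting a connection's firewalld zone).
set_zone_public() {
    nmcli connection modify "$1" connection.zone public
}

# Checker (assumption, approximating the OVAL test): print every keyfile in $1
# whose [connection] section is not loopback and lacks zone=public; return 1
# if any such file exists, 0 otherwise.
find_unzoned_keyfiles() {
    rc=0
    for f in "$1"/*.nmconnection; do
        [ -e "$f" ] || continue
        if ! awk '
            /^\[/ { sec = $0 }
            sec == "[connection]" && /^type=loopback$/ { lo = 1 }
            sec == "[connection]" && /^zone=public$/   { zone = 1 }
            END { exit (lo || zone) ? 0 : 1 }' "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed copy of /etc/NetworkManager/system-connections after a run of
# the ethernet-only remediation: the infiniband connection was not touched.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[connection]\nid=eno1\nuuid=a4bf7c18-a9bf-4c2c-a04e-a8a79df4b868\ntype=ethernet\nzone=public\n' > "$d/eno1.nmconnection"
    printf '[connection]\nid=ibp5s0\nuuid=5cc8c068-3f2b-4104-9a5f-bf3204504eac\ntype=infiniband\n' > "$d/ibp5s0.nmconnection"
    printf '[connection]\nid=Wired Connection\nuuid=0d2fb4d4-8e51-445b-95c3-d6c8550a0f31\ntype=ethernet\nzone=public\n' > "$d/Wired Connection.nmconnection"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    echo "ethernet-only filter selects:"; select_ethernet_only "$SAMPLE_NMCLI"
    echo "non-loopback filter selects:";  select_non_loopback "$SAMPLE_NMCLI"
    dir=$(make_sample_dir)
    echo "keyfiles still missing zone=public:"
    find_unzoned_keyfiles "$dir" || true
    rm -rf "$dir"
fi
```

Run it as `sh example.sh demo` to see the two selections and the one keyfile (ibp5s0) the ethernet-only filter leaves unzoned; on a real host you would feed `select_non_loopback "$(nmcli -f UUID,TYPE con)"` into `set_zone_public`, then point `find_unzoned_keyfiles` at /etc/NetworkManager/system-connections, remembering that NetworkManager and firewalld must be running for the `nmcli` step to succeed, as the earlier comments show.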

Mab879 (Member) commented Aug 1, 2024

I think that makes sense to exclude loop back.

jan-cerny (Collaborator) commented

yes it probably makes sense to apply it on all interface types except loopback
