
firewalld_sshd_port_enabled add zone to all connections #12256

Merged: 1 commit, merged Aug 2, 2024

Conversation

@mildas (Contributor) commented Aug 1, 2024

Description:

Configure zone=... for all non-loopback connections on the system. Ethernet is not the only type that can be connected to a machine: https://docs.fedoraproject.org/en-US/quick-docs/configuring-ip-networking-with-nmcli/#_the_nmcli_options

Rationale:

Fixes an issue where the remediation failed on a system with an infiniband connection.

Fixes #12233

Review Hints:

python3 tests/automatus.py rule --libvirt qemu:///session test-suite-rhel8 --datastream build/ssg-rhel8-ds.xml --remediate-using bash --no-reports firewalld_sshd_port_enabled
python3 tests/automatus.py rule --libvirt qemu:///session test-suite-rhel8 --datastream build/ssg-rhel8-ds.xml --remediate-using ansible --no-reports firewalld_sshd_port_enabled
python3 tests/automatus.py rule --libvirt qemu:///session test-suite-rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using bash --no-reports firewalld_sshd_port_enabled
python3 tests/automatus.py rule --libvirt qemu:///session test-suite-rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using bash --no-reports firewalld_sshd_port_enabled

and see Testing Farm CI,
and ideally test on an aarch64 system, the one with the infiniband connection.

@mildas (Contributor Author) commented Aug 1, 2024

Works on RHEL 9.0 aarch with an infiniband connection:

# nmcli con
NAME              UUID                                  TYPE        DEVICE 
eno1              2dbf0fc3-6137-4b05-8128-e18ac7df57d1  ethernet    eno1   
lo                60b94f80-5b88-4795-a42c-9ee4566a53e4  loopback    lo     
ibp5s0            ed7848bd-99c9-40c6-86ff-d8e27e63b380  infiniband  --     
Wired Connection  523ab1e9-e83f-48a3-9470-f2a664619d5b  ethernet    --     
# oscap xccdf eval --remediate --rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled ssg-rhel9-ds.xml
--- Starting Evaluation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fail


--- Starting Remediation ---

Title   Enable SSH Server firewalld Firewall Exception
Rule    xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Ident   CCE-89175-4
Result  fixed


github-actions bot commented Aug 1, 2024

This datastream diff is auto-generated by the check Compare DS/Generate Diff.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -22,7 +22,7 @@
         firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh
 
         # This will collect all NetworkManager connections names
-        readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
+        readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }')
         # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
         # This will not change connections which are already assigned to any firewalld zone.
         for connection in "${nm_connections[@]}"; do
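Review bot: the `grep -v loopback` on the `+` line filters by substring over the whole `uuid:type` record rather than on the TYPE field; since `-g UUID,TYPE` already yields one such record per line, an exact field test in the awk that follows (`awk -F ':' '$2 != "loopback" { print $1 }'`) is tighter and drops one process from the pipeline. Also worth a sentence in the rule text: after this change every unzoned profile of any non-loopback type nmcli reports, not just ethernet, is moved into `$firewalld_sshd_zone`, where `--add-service=ssh` has just been enabled, so the fix for infiniband also widens where sshd becomes reachable on hosts with other unassigned profile types.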

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -53,7 +53,7 @@
   - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
       connections names
     ansible.builtin.shell:
-      cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
+      cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }'
     register: result_nmcli_cmd_connections_names
     changed_when: false
 
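Review bot: the `cmd:` on the `+` line carries the same substring filter as the bash remediation; if it stays a shell pipeline, use the exact field test (`awk -F ':' '$2 != "loopback" { print $1 }'`) so the two remediations select identical profiles. `changed_when: false` is correct for a read-only listing, and the shell module is hard to avoid when the output only feeds a later per-connection task, but a short comment on the task stating why `shell` is needed would answer the bot's recurring warning for future reviewers.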

github-actions bot commented Aug 1, 2024

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@Mab879 Mab879 self-assigned this Aug 1, 2024
@Mab879 Mab879 added this to the 0.1.74 milestone Aug 1, 2024
@Mab879 (Member) commented Aug 1, 2024

Please backport this to stablization-0.1.74 as well.

github-actions bot commented Aug 1, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12256
This image was built from commit: cefd5ba

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12256

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12256 make deploy-local

@Mab879 (Member) commented Aug 1, 2024

The tests feature a similar string, grep ethernet; should that be changed as well?

@mildas (Contributor Author) commented Aug 2, 2024

Right, it's unlikely someone would have a VM with a non-ethernet type. But I updated it, to keep it aligned with the remediation.

@mildas mildas added the bugfix Fixes to reported bugs. label Aug 2, 2024

codeclimate bot commented Aug 2, 2024

Code Climate has analyzed commit cefd5ba and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


@mildas (Contributor Author) commented Aug 2, 2024

Automatus errors are expected, as the remediation requires running firewalld and NetworkManager services.

@Mab879 Mab879 merged commit 6d98a82 into ComplianceAsCode:master Aug 2, 2024
91 of 97 checks passed
Labels: bugfix (Fixes to reported bugs.)

Linked issue that merging this pull request may close: firewalld_sshd_port_enabled fails on aarch64 in ism_o profile