Ensure host based firewall loopback traffic is configured to the trusted zone #361
Labels: bug (Something isn't working)

Comments
bbaassssiiee added a commit to TeamSalvador/RHEL8-CIS that referenced this issue (Mar 25, 2024)

Closed

bbaassssiiee added a commit to TeamSalvador/RHEL8-CIS that referenced this issue (Mar 25, 2024)
Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>

uk-bolly added a commit that referenced this issue (Mar 25, 2024)
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
`<interface name="lo"/>`

The above is still missing... Should /etc/firewalld/zones/trusted.xml now have:

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <destination address="127.0.0.1" invert="True"/>
    <drop/>
  </rule>
  <rule family="ipv6">
    <source address="::1"/>
    <destination address="::1" invert="True"/>
    <drop/>
  </rule>
</zone>
```

Looks good now
Merged

uk-bolly added a commit that referenced this issue (Mar 27, 2024)

Squashed commits (each Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>):

* #359 addressed thanks to @bbaassssiiee
* sysctl matches requirement & handler added
* container updated and cautions updated
* issues #360 addressed thanks to @bbaassssiiee
* updated
* Added #361 ensure local interface on 3.4.2.2
* issue #363 addressed
* variable naming and lint
* variable naming and lint
* updated handler
* variable naming and lint updates
* updated
* fix issues with pam_unix
* added extra options
* issue #365 addressed
* fixed commenting alternate file
* updated var name to discovered
* renamed variable to make it clearer
* updated
* fix typo
* updated discovered variable naming
* updated variable naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly added a commit that referenced this issue (Jun 20, 2024)

Squashed commits (Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> unless noted otherwise):

* initial v3.0.0
* updated
* removed old conflict line
* tidy up warning on 432
* tidy up ec2_checks
* updated warning on line 435
* updated prelim and typos
* [pre-commit.ci] pre-commit autoupdate
  updates:
  - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1)
* March 24 updates (#356)
  * added conditional to user password check #354 thanks to @bbaassssiiee
  * updated logic to check root passwd locked
  * Updated
  * lint and audit order change
  * updated for documentation format
* Allow for a local site policy for the openSSH server. (#358)
  If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible.
  Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
* Issues March24 (#366)
  * #359 addressed thanks to @bbaassssiiee
  * sysctl matches requirement & handler added
  * container updated and cautions updated
  * issues #360 addressed thanks to @bbaassssiiee
  * updated
  * Added #361 ensure local interface on 3.4.2.2
  * issue #363 addressed
  * variable naming and lint
  * variable naming and lint
  * updated handler
  * variable naming and lint updates
  * updated
  * fix issues with pam_unix
  * added extra options
  * issue #365 addressed
  * fixed commenting alternate file
  * updated var name to discovered
  * renamed variable to make it clearer
  * updated
  * fix typo
  * updated discovered variable naming
  * updated variable naming
* [pre-commit.ci] pre-commit autoupdate (#367)
  updates:
  - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)
  Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* [pre-commit.ci] pre-commit autoupdate (#368)
  updates:
  - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2)
  Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* updated for audit and url alignment (#370)
* [pre-commit.ci] pre-commit autoupdate (#372)
  updates:
  - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](Yelp/detect-secrets@v1.4.0...v1.5.0)
  - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](gitleaks/gitleaks@v8.18.2...v8.18.3)
  - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.6.0](ansible/ansible-lint@v24.2.2...v24.6.0)
  Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* use RHEL8 chrony.conf (#371)
  Signed-off-by: Tomáš Kuba <tom.kuba@gmail.com>
* Update Alma 8 GPG Key (#369)
  * Update Alma 8 GPG Key: Update AlmaLinux.yml
  * Update AlmaLinux.yml: Replace deprecated Alma 8 GPG key
  Signed-off-by: ajython <ajython@users.noreply.github.com>
* May 24 updates (#376)
  * updated path to match disa for audit tools
  * updated dict control
  * updated nullok logic
  * updated typos
  * updated typ thanks to @msachikanta
* [pre-commit.ci] pre-commit autoupdate (#383)
  updates:
  - [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](gitleaks/gitleaks@v8.18.3...v8.18.4)
  Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* updated known issues thanks to @fgierlinger
* Interactive users logic and workflow (#385)
  * interactive user vars updates
  * improved conditionals checks
  * Tidy up titles
  * updated with latest devel
  * removed file not required
  * improved logic for /dev/null home dirs
  * Updated workflow to new runner

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
Signed-off-by: Tomáš Kuba <tom.kuba@gmail.com>
Signed-off-by: ajython <ajython@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Bas <bas.meijer@enexis.nl>
Co-authored-by: tomkuba <tomkuba@users.noreply.github.com>
Co-authored-by: ajython <ajython@users.noreply.github.com>
Co-authored-by: Fred W <112580756+frederickw082922@users.noreply.github.com>
Describe the Issue
Configure firewalld to restrict loopback traffic to the lo interface. The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure.
Expected Behavior
Actual Behavior
Control(s) Affected
3.4.2.2
Environment (please complete the following information):
Additional Notes
Anything additional goes here
Possible Solution
Add the rich_rule to the trusted zone
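As an added audit helper (not part of this issue, the RHEL8-CIS role, or firewalld itself), the script below parses a firewalld trusted-zone XML like the one quoted in the comment above and checks for the two things control 3.4.2.2 asks for: the `lo` interface bound to the zone, and the IPv4 and IPv6 rich rules that drop traffic sourced from the loopback address but destined anywhere else. The sample zone files are constructed; the `firewall-cmd` remediation strings are the standard invocations for binding an interface and adding a rich rule, included as an assumption about the operator's environment rather than as the role's own output.

```python
"""Audit a firewalld trusted-zone XML for the CIS 3.4.2.2 loopback requirements.

Added example: checks that the lo interface is bound to the zone and that the
IPv4/IPv6 rich rules dropping spoofed loopback traffic are present, and lists
the firewall-cmd invocations (assumed standard) that would close each gap.
"""
import xml.etree.ElementTree as ET

# Loopback address per address family, as used by the CIS rich rules.
LOOPBACK = {"ipv4": "127.0.0.1", "ipv6": "::1"}

# Constructed sample: a stock trusted zone with nothing applied yet.
DEFAULT_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>
"""

# Constructed sample: rich rules present but <interface name="lo"/> still
# missing, which is the state the comment in this issue points out.
RULES_ONLY_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <destination address="127.0.0.1" invert="True"/>
    <drop/>
  </rule>
  <rule family="ipv6">
    <source address="::1"/>
    <destination address="::1" invert="True"/>
    <drop/>
  </rule>
</zone>
"""

# Constructed sample: fully remediated zone (rules plus the lo binding).
COMPLIANT_ZONE = RULES_ONLY_ZONE.replace(
    "<description>All network connections are accepted.</description>",
    "<description>All network connections are accepted.</description>\n"
    '  <interface name="lo"/>',
)


def has_lo_interface(zone: ET.Element) -> bool:
    """True if the zone binds the lo interface."""
    return any(i.get("name") == "lo" for i in zone.findall("interface"))


def has_antispoof_rule(zone: ET.Element, family: str) -> bool:
    """True if a rich rule drops loopback-sourced traffic to any non-loopback destination."""
    addr = LOOPBACK[family]
    for rule in zone.findall("rule"):
        if rule.get("family") != family:
            continue
        src, dst = rule.find("source"), rule.find("destination")
        if src is None or dst is None or rule.find("drop") is None:
            continue
        # firewalld writes invert="True" for 'destination not address=...';
        # a rule without the inversion would drop legitimate lo traffic instead.
        if (src.get("address") == addr and dst.get("address") == addr
                and dst.get("invert", "").lower() in ("true", "yes")):
            return True
    return False


def audit_trusted_zone(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the zone meets the control."""
    zone = ET.fromstring(xml_text)
    findings = []
    if not has_lo_interface(zone):
        findings.append("lo interface not bound to trusted zone")
    for family in ("ipv4", "ipv6"):
        if not has_antispoof_rule(zone, family):
            findings.append(f"{family} loopback anti-spoofing drop rule missing")
    return findings


def remediation_commands(findings: list[str]) -> list[str]:
    """Map findings to firewall-cmd calls (assumed standard invocations; run as root)."""
    cmds = []
    for finding in findings:
        if finding.startswith("lo interface"):
            cmds.append("firewall-cmd --permanent --zone=trusted --add-interface=lo")
        else:
            family = finding.split()[0]
            addr = LOOPBACK[family]
            cmds.append(
                "firewall-cmd --permanent --zone=trusted --add-rich-rule="
                f"'rule family={family} source address=\"{addr}\" "
                f"destination not address=\"{addr}\" drop'"
            )
    if cmds:
        cmds.append("firewall-cmd --reload")  # permanent changes need a reload
    return cmds


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_ZONE), ("rules-only", RULES_ONLY_ZONE),
                       ("compliant", COMPLIANT_ZONE)):
        findings = audit_trusted_zone(text)
        print(f"{name}: {'OK' if not findings else findings}")
        for cmd in remediation_commands(findings):
            print("  ", cmd)
```

Point `audit_trusted_zone` at the contents of `/etc/firewalld/zones/trusted.xml` on a host to use it for real; it reports the "rules-only" state from the comment as a single finding (the missing `lo` binding), and it deliberately refuses to count a rule whose destination lacks `invert="True"`, since that variant would drop legitimate loopback traffic rather than spoofed traffic.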