ansible-lockdown/RHEL8-STIG

RHEL-08-040090 approach breaks existing firewalls (but fix is a simple file copy + 2 simple regexes)


Describe the Issue

RHEL-08-040090 implements (tasks/fix-cat2.yml) a new firewall zone with a target of DROP per STIG. But the existing approach fails to respect any and all existing rules on the default public zone, breaking existing firewalls and requiring manual configuration. This is wholly unnecessary (see Possible Solution).

Expected Behavior

Preserve existing configuration in the new firewall zone/target with minimal effort.

Actual Behavior

Discard all existing firewall configuration, and only a few services in a manually populated variable (rhel8stig_white_list_services).

Control(s) Affected

Finding V-230504
Version RHEL-08-040090

Additional Notes

Environments will be pre-configured with the Public zone. This should be leveraged via the following ...

Possible Solution

Propose this simple but effective solution to preserve the existing firewall.

In addition to checking if the new firewall zone is created (name in rhel8stig_custom_firewall_zone) and has a target of DROP, if it does not exist ...

  1. Copy firewall zone public (/etc/firewalld/zones/public.xml) as the new firewall zone {{ rhel8stig_custom_firewall_zone }} (/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml).
  2. Replace /^\s*<zone>\s*$/<zone target="DROP">/
  3. Replace /^\s*<short>\s*Public\s*<\/short>/<short>{{ rhel8stig_custom_firewall_zone }}<\/short>/

Reload firewall, then add any missing white listed services (list in rhel8stig_white_list_services), if not already enabled. Again this is such a simple solution that absolutely preserves all the configured services on the Public zone.
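The copy-and-patch procedure above, as an added shell example that is not part of the RHEL8-STIG role or of the reporter's script: it derives the new zone file with the two substitutions, appends any white-listed services the copied zone lacks, and exercises itself on a constructed public.xml. The zone name stig_drop, the service list and the temporary directory are assumptions.

```shell
# Added example, not part of the RHEL8-STIG role: derive a DROP-target zone
# file from an existing firewalld zone file with the two substitutions
# proposed above, then append any white-listed services that are missing.
# Assumes firewalld's zone XML layout (<zone> alone on a line,
# <short>Public</short>) and POSIX sh/sed/awk; paths are arguments so it
# can be tried on a copy before touching /etc/firewalld/zones.

derive_drop_zone() {
    src="$1"; dst="$2"; zone="$3"   # zone = rhel8stig_custom_firewall_zone
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Regex 1: bare <zone> -> <zone target="DROP">; regex 2: rename <short>.
    sed -e 's|^\([[:space:]]*\)<zone>[[:space:]]*$|\1<zone target="DROP">|' \
        -e "s|^\([[:space:]]*\)<short>[[:space:]]*Public[[:space:]]*</short>|\1<short>${zone}</short>|" \
        "$src" > "$dst"
}

# Insert <service name="..."/> before </zone> for each white-listed service
# not already present; services, ports and rich rules copied over stay.
add_missing_services() {
    file="$1"; shift
    for svc in "$@"; do
        grep -q "<service name=\"${svc}\"/>" "$file" && continue
        awk -v svc="$svc" '/^<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Self-contained run on a constructed public.xml (firewalld's default public
# zone plus one extra port); prints the derived file's path. On a real host
# point it at /etc/firewalld/zones, then firewall-cmd --reload.
demo() {
    dir="$(mktemp -d)"
    cat > "$dir/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="8443" protocol="tcp"/>
</zone>
EOF
    derive_drop_zone "$dir/public.xml" "$dir/stig_drop.xml" stig_drop
    add_missing_services "$dir/stig_drop.xml" ssh https
    printf '%s\n' "$dir/stig_drop.xml"
}
```

Running `demo` prints the path of the derived zone file, which keeps the copied services and the 8443 port while gaining the DROP target and the new short name.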

hi @BJSmithIEEE

Thank you for raising this issue and providing potential solutions. The reason it was originally written in such a way is to ensure that only those services/ports that you want enabled for the firewall are in the new zone.
If it is a new build, it can have some services enabled that users do not wish enabled, which would now be set without any way of knowing.
With every client using this in a different way it is hard to satisfy all scenarios; the idea as per the STIG is to provide a clean scenario where a deny-all approach is adopted.

Having said that, I can see where this may be of some use to some.
I have therefore added this along with new variables:

  • rhel8stig_copy_existing_zone: false
  • rhel8stig_existing_zone_to_copy: public

I hope this enables you to do what you need as well, without breaking existing functionality for others.

This is currently in the April_24 branch, awaiting some feedback before merge to devel.

Many thanks

uk-bolly

I also realized no interface is assigned. We ran into that as well.

We wrote a shell script to handle all this, including identifying the interface. Unfortunately it's on an airgap network, or I'd post it here. :)