Merge pull request #2144 from jan-cerny/firewall_ks

Add firewall command to Kickstart remediation

Author: evgenyz

docs/manual/manual.adoc

@@ -1155,6 +1155,8 @@ Supported commands:
 * `logvol path size` - adds `logvol` entry to the commands section of the kickstart that will mount a partition of the given `size` in MB to the given `path` as a mount point
 * `bootloader option` or `bootloader option=value` - adds `option` or `option=value` to the list in the `--append=` option in the `bootloader` command in commands section in the kickstart
 * `kdump disable` - this will disable K-Dump by adding the `com_redhat_kdump` Addon section to the kickstart with a `--disable` option
+* `firewall enable service_name` - adds `service_name` to list in the `--service=` option in the `firewall` command in commands section in the kickstart
+* `firewall disable service_name` - adds `service_name` to list in the `--remove-service=` option in the `firewall` command in commands section in the kickstart
 
 For example, to generate a kickstart for RHEL 9 STIG profile, run:
 

src/XCCDF_POLICY/xccdf_policy_remediate.c

@@ -58,6 +58,8 @@ struct kickstart_commands {
 	struct oscap_list *post;
 	struct oscap_list *logvol;
 	struct oscap_list *bootloader;
+	struct oscap_list *firewall_enable;
+	struct oscap_list *firewall_disable;
 	bool enable_kdump;
 };
 
@@ -927,6 +929,9 @@ static int _parse_line(const char *line, struct kickstart_commands *cmds)
 		KS_LOGVOL_SIZE,
 		KS_BOOTLOADER,
 		KS_KDUMP,
+		KS_FIREWALL,
+		KS_FIREWALL_ENABLE,
+		KS_FIREWALL_DISABLE,
 		KS_ERROR
 	};
 	int state = KS_START;
@@ -947,6 +952,8 @@ static int _parse_line(const char *line, struct kickstart_commands *cmds)
 				state = KS_BOOTLOADER;
 			} else if (!strcmp(word, "kdump")) {
 				state = KS_KDUMP;
+			}  else if (!strcmp(word, "firewall")) {
+				state = KS_FIREWALL;
 			} else {
 				ret = 1;
 				oscap_seterr(OSCAP_EFAMILY_OSCAP, "Unsupported command keyword '%s' in command: '%s'", word, line);
@@ -1010,6 +1017,23 @@ static int _parse_line(const char *line, struct kickstart_commands *cmds)
 				goto cleanup;
 			}
 			break;
+		case KS_FIREWALL:
+			if (!strcmp(word, "enable")) {
+				state = KS_FIREWALL_ENABLE;
+			} else if (!strcmp(word, "disable")) {
+				state = KS_FIREWALL_DISABLE;
+			} else {
+				ret = 1;
+				oscap_seterr(OSCAP_EFAMILY_OSCAP, "Unsupported 'firewall' command keyword '%s' in command: '%s'", word, line);
+				goto cleanup;
+			}
+			break;
+		case KS_FIREWALL_ENABLE:
+			oscap_list_add(cmds->firewall_enable, strdup(word));
+			break;
+		case KS_FIREWALL_DISABLE:
+			oscap_list_add(cmds->firewall_disable, strdup(word));
+			break;
 		case KS_ERROR:
 			ret = 1;
 			oscap_seterr(OSCAP_EFAMILY_OSCAP, "Unexpected string '%s' in command: '%s'", word, line);
@@ -1502,38 +1526,52 @@ static int _xccdf_policy_generate_fix_other(struct oscap_list *rules_to_fix, str
 	return ret;
 }
 
+static void _write_it_comma_list(struct oscap_iterator *it, const char *option, int output_fd)
+{
+	if (!oscap_iterator_has_more(it))
+		return;
+	_write_text_to_fd(output_fd, " ");
+	_write_text_to_fd(output_fd, option);
+	while (oscap_iterator_has_more(it)) {
+		char *item = (char *) oscap_iterator_next(it);
+		_write_text_to_fd(output_fd, item);
+		if (oscap_iterator_has_more(it))
+			_write_text_to_fd(output_fd, ",");
+	}
+}
+
 static int _generate_kickstart_services(struct kickstart_commands *cmds, int output_fd)
 {
 	struct oscap_iterator *service_disable_it = oscap_iterator_new(cmds->service_disable);
 	struct oscap_iterator *service_enable_it = oscap_iterator_new(cmds->service_enable);
 	if (oscap_iterator_has_more(service_disable_it) || oscap_iterator_has_more(service_enable_it)) {
 		_write_text_to_fd(output_fd, "# Disable and enable systemd services (required for security compliance)\n");
 		_write_text_to_fd(output_fd, "services");
-		if (oscap_iterator_has_more(service_disable_it)) {
-			_write_text_to_fd(output_fd, " --disabled=");
-			while (oscap_iterator_has_more(service_disable_it)) {
-				char *command = (char *) oscap_iterator_next(service_disable_it);
-				_write_text_to_fd(output_fd, command);
-				if (oscap_iterator_has_more(service_disable_it))
-					_write_text_to_fd(output_fd, ",");
-			}
-		}
-		if (oscap_iterator_has_more(service_enable_it)) {
-			_write_text_to_fd(output_fd, " --enabled=");
-			while (oscap_iterator_has_more(service_enable_it)) {
-				char *command = (char *) oscap_iterator_next(service_enable_it);
-				_write_text_to_fd(output_fd, command);
-				if (oscap_iterator_has_more(service_enable_it))
-					_write_text_to_fd(output_fd, ",");
-			}
-		}
+		_write_it_comma_list(service_disable_it, "--disabled=", output_fd);
+		_write_it_comma_list(service_enable_it, "--enabled=", output_fd);
 		_write_text_to_fd(output_fd, "\n\n");
 	}
 	oscap_iterator_free(service_disable_it);
 	oscap_iterator_free(service_enable_it);
 	return 0;
 }
 
+static int _generate_kickstart_firewall(struct kickstart_commands *cmds, int output_fd)
+{
+	struct oscap_iterator *disable_it = oscap_iterator_new(cmds->firewall_disable);
+	struct oscap_iterator *enable_it = oscap_iterator_new(cmds->firewall_enable);
+	if (oscap_iterator_has_more(disable_it) || oscap_iterator_has_more(enable_it)) {
+		_write_text_to_fd(output_fd, "# Disable and enable services in firewall (required for security compliance)\n");
+		_write_text_to_fd(output_fd, "firewall");
+		_write_it_comma_list(disable_it, "--remove-service=", output_fd);
+		_write_it_comma_list(enable_it, "--service=", output_fd);
+		_write_text_to_fd(output_fd, "\n\n");
+	}
+	oscap_iterator_free(disable_it);
+	oscap_iterator_free(enable_it);
+	return 0;
+}
+
 static int _generate_kickstart_packages(struct kickstart_commands *cmds, int output_fd)
 {
 	_write_text_to_fd(output_fd, "# Packages selection (required for security compliance)\n");
@@ -1723,6 +1761,8 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 		.post = oscap_list_new(),
 		.logvol = oscap_list_new(),
 		.bootloader = oscap_list_new(),
+		.firewall_enable = oscap_list_new(),
+		.firewall_disable = oscap_list_new(),
 		.enable_kdump = true,
 	};
 
@@ -1756,6 +1796,8 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 
 	_generate_kickstart_kdump(&cmds, output_fd);
 
+	_generate_kickstart_firewall(&cmds, output_fd);
+
 	_generate_kickstart_services(&cmds, output_fd);
 
 	_generate_kickstart_packages(&cmds, output_fd);
@@ -1775,6 +1817,8 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 	oscap_list_free(cmds.post, free);
 	oscap_list_free(cmds.logvol, logvol_cmd_free);
 	oscap_list_free(cmds.bootloader, free);
+	oscap_list_free(cmds.firewall_enable, free);
+	oscap_list_free(cmds.firewall_disable, free);
 	return ret;
 }
 

tests/API/XCCDF/unittests/test_remediation_kickstart.ds.xml

@@ -62,6 +62,7 @@
         <select idref="xccdf_org.openscap.www_rule_7" selected="true"/>
         <select idref="xccdf_org.openscap.www_rule_8" selected="true"/>
         <select idref="xccdf_org.openscap.www_rule_9" selected="true"/>
+        <select idref="xccdf_org.openscap.www_rule_10" selected="true"/>
       </Profile>
       <Rule selected="false" id="xccdf_org.openscap.www_rule_1">
         <title>Rule 1: Enable Audit Service</title>
@@ -137,6 +138,13 @@
           kdump disable
         </fix>
       </Rule>
+      <Rule selected="false" id="xccdf_org.openscap.www_rule_10">
+        <title>Rule 10: Firewall</title>
+        <fix system="urn:xccdf:fix:script:kickstart">
+          firewall enable sshd
+          firewall disable httpd
+        </fix>
+      </Rule>
     </Benchmark>
   </ds:component>
 </ds:data-stream-collection>

tests/API/XCCDF/unittests/test_remediation_kickstart_expected.cfg

@@ -49,6 +49,9 @@ bootloader --append="quick audit=1"
 %addon com_redhat_kdump --disable
 %end
 
+# Disable and enable services in firewall (required for security compliance)
+firewall --remove-service=httpd --service=sshd
+
 # Disable and enable systemd services (required for security compliance)
 services --disabled=telnet,httpd --enabled=auditd,rsyslog,sshd