Bug 1386803

Summary: Remediation script for CCE-27349-0 (Set Default firewalld Zone for Incoming Packets)
Product: Red Hat Enterprise Linux 7
Reporter: Petaris <Petaris>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 7.2
CC: mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-03-23 17:31:51 UTC
Type: Bug

Description Petaris 2016-10-19 16:16:48 UTC
Description of problem:  This isn't exactly a bug but a usage consideration.  The remediation script correctly implements this fix, but if the system's network interface has not been explicitly assigned to a zone, then after firewalld gets restarted you will lose all network communication with the system.

I suggest that either a warning be implemented or that the remediation script first checks that at least one network interface has been explicitly assigned to a zone, perhaps the "public" zone, as that would avoid loss of network communication with the system.


Version-Release number of selected component (if applicable):  openscap-1.2.9-5, SSG 0.1.29.1, USGCB/STIG Profile


How reproducible: Reproducible under the below circumstances


Steps to Reproduce:
1. Make sure that your NIC does not have the zone explicitly set in the config
2. Run openscap with the remediation function
3. Restart the firewalld service or reboot the system

Actual results: Loss of all network communication


Expected results: Warning or settings change to prevent this situation


Additional info:  As stated above, this is not really a bug as much as a disruptive situation.  Additional information should be supplied in the documentation of this security enhancement that warns of the need to have explicitly set your NICs to a zone, probably "public", to avoid loss of network communication.  If possible, part of the remediation script's function should be to check that this has been done prior to changing the default zone.
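The pre-check the reporter proposes, written here as an added example rather than as code from the SSG project or from the reporter: before the remediation changes the default zone, confirm that at least one NIC is explicitly bound to a zone. It looks in two assumed locations, `ZONE=` in `ifcfg-*` files and `<interface name="..."/>` bindings in permanent firewalld zone XML, and takes both directories as parameters so the demo can run against constructed sample files.

```shell
#!/bin/sh
# Added example (not SSG code). Pre-check for the "Set Default firewalld Zone"
# remediation: refuse to change the default zone unless at least one NIC is
# explicitly bound to a zone. Sources checked (assumed): ZONE= in ifcfg-* files
# and <interface name="..."/> bindings in permanent firewalld zone files.

# Print one "iface zone source" line per explicit interface-to-zone binding.
explicit_zone_bindings() {
    ifcfg_dir=$1 zones_dir=$2
    for f in "$ifcfg_dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        [ -n "$dev" ] || dev=${f##*/ifcfg-}      # fall back to the file suffix
        zone=$(sed -n 's/^ZONE=//p' "$f" | tr -d '"')
        if [ -n "$zone" ]; then printf '%s %s ifcfg\n' "$dev" "$zone"; fi
    done
    for z in "$zones_dir"/*.xml; do
        [ -f "$z" ] || continue
        zname=${z##*/}; zname=${zname%.xml}
        sed -n 's/.*<interface name="\([^"]*\)".*/\1/p' "$z" |
            while read -r dev; do printf '%s %s firewalld\n' "$dev" "$zname"; done
    done
}

# Exit 0 when at least one explicit binding exists (changing the default zone
# cannot orphan every NIC), 1 otherwise.
safe_to_change_default_zone() {
    n=$(explicit_zone_bindings "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Demo on constructed config: eth0 has no ZONE=, eth1 is bound to "public".
tmp=$(mktemp -d)
mkdir -p "$tmp/ifcfg" "$tmp/zones"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\n' > "$tmp/ifcfg/ifcfg-eth0"
printf 'DEVICE=eth1\nZONE=public\n' > "$tmp/ifcfg/ifcfg-eth1"
if safe_to_change_default_zone "$tmp/ifcfg" "$tmp/zones"; then
    echo "ok: at least one NIC is explicitly bound; safe to run firewall-cmd --set-default-zone"
else
    echo "refusing: no NIC is explicitly bound to a zone; bind one (e.g. ZONE=public) first"
fi
explicit_zone_bindings "$tmp/ifcfg" "$tmp/zones"
rm -rf "$tmp"
```

On a real RHEL 7 host the directories would be `/etc/sysconfig/network-scripts` and `/etc/firewalld/zones`; the check deliberately ignores runtime state, since only the permanent binding survives the firewalld restart that triggers the lockout.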

Comment 2 Watson Yuuma Sato 2017-11-16 13:00:18 UTC
Hello, thank you for the suggestion.

We have tried to tackle the problem by adding remediation to the Rule that opens a door for SSH, but this path showed itself to be troublesome, see https://github.com/OpenSCAP/scap-security-guide/pull/2285.

We ended up dropping remediation for this Set Default firewalld Zone: https://github.com/OpenSCAP/scap-security-guide/pull/2328

The remediation suggestion is interesting and may enable remediation for "Set Default firewalld Zone" to come back.

Unfortunately this will have to be postponed.

Comment 3 Marek Haicman 2018-03-23 17:31:51 UTC
We have removed remediation of this script in Bug 1478414, so it is no longer breaking systems.

For making the automated remediation more clever, we have decided to not go that way. We would have to base it on some simplifying assumption anyway, and networking in the enterprise environments can be quite complex. So any assumption we would take would break it for someone, somehow.

Closing as wontfix.