Verify firewalld service disabled

An XCCDF Rule

Description

Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The firewalld service can be disabled with the following command:

$ sudo systemctl mask --now firewalld.service

Rationale

Running Firewalld along other service with the same functionality may lead to conflict and unexpected results.

ID: xccdf_org.ssgproject.content_rule_service_firewalld_disabled
Severity: Medium
References: 3.5.2.2 3.5.3.1.3

CCE-92472-0
Updated: 8 months ago


[customizations.services]
disabled = ["firewalld"]

- name: Block Disable service firewalld
  block:

  - name: Disable service firewalld
    block:
    - name: Disable service firewalld
      systemd:
        name: firewalld.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service firewalld' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92472-0
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_disabled

- name: Unit Socket Exists - firewalld.socket
  command: systemctl -q list-unit-files firewalld.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92472-0
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_disabled

- name: Disable socket firewalld
  systemd:
    name: firewalld.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("firewalld.socket",multiline=True)
  tags:
  - CCE-92472-0
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_disabled

include disable_firewalld

class disable_firewalld {
  service {'firewalld':
    enable => false,
    ensure => 'stopped',  }
}

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'firewalld.service'
"$SYSTEMCTL_EXEC" disable 'firewalld.service'"$SYSTEMCTL_EXEC" mask 'firewalld.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files firewalld.socket; then
    "$SYSTEMCTL_EXEC" stop 'firewalld.socket'
    "$SYSTEMCTL_EXEC" mask 'firewalld.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'firewalld.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify firewalld service disabled

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Puppet

Remediation - Shell Script