Hello,
Regarding issue
https://github.com/OpenSCAP/scap-security-guide/issues/2202, which is
about the remediation of rule 'set_firewalld_default_zone' setting the
default zone of firewalld to drop and, as a consequence, locking down the
machine if no interface is assigned to a zone with the SSH service
enabled (because an interface with no zone assigned goes to the default
zone).
There is PR
https://github.com/OpenSCAP/scap-security-guide/pull/2285,
which introduced a remediation for rule 'firewalld_sshd_port_enabled'
that assigns the first Ethernet interface found to a zone with SSH
enabled; this avoids locking down the machine.
But the question is, how useful is this remediation? Would it work in
your infrastructure?
There is concern that this scenario is too complex for a remediation to
fix correctly and in a way that suits everybody. There are too many
unknowns about configuration, hardware and SSH use cases.
We may be in a situation that any remediation implemented will do more
harm than good.
Dropping the remediations for 'set_firewalld_default_zone' and
'firewalld_sshd_port_enabled' can be a safer solution for
https://github.com/OpenSCAP/scap-security-guide/issues/2202, as the
fixes for these rules are not straightforward.
With regards,
--
Watson Sato
Security Technologies | Red Hat, Inc
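The lock-out condition described in the message above, modelled as a pre-check a practitioner could run before applying either remediation. This is an added example; it is not code from the scap-security-guide project or from the PR under discussion. The zone state is passed in as text (one line per zone: zone|interfaces|services, the same data `firewall-cmd --get-active-zones` and `firewall-cmd --zone=Z --list-services` report), the sample state is constructed, and the mapping of "first Ethernet interface" to names starting with eth* or en* is this example's assumption. The only firewalld invocation it emits, `firewall-cmd --permanent --zone=Z --change-interface=I`, is a real CLI form.

```shell
#!/bin/sh
# Added example (not SSG/PR code). With the default zone set to "drop",
# every interface that is not explicitly bound to a zone lands in the
# default zone, so sshd stays reachable only if
#   (a) some interface is bound to a zone that allows the ssh service, or
#   (b) the default zone itself allows ssh and at least one interface is
#       still unbound.

# Return 0 if $1 (space-separated service list, as printed by
# `firewall-cmd --zone=Z --list-services`) contains the ssh service.
zone_allows_ssh() {
    for svc in $1; do
        [ "$svc" = ssh ] && return 0
    done
    return 1
}

# Return 0 if ssh stays reachable.  $1 = default zone name,
# $2 = zone table (zone|interfaces|services per line),
# $3 = all interfaces on the host (space-separated).
ssh_reachable() {
    default=$1; table=$2; all_ifaces=$3
    bound=""; default_services=""
    while IFS='|' read -r zone ifaces services; do
        [ -n "$zone" ] || continue
        if [ -n "$ifaces" ] && zone_allows_ssh "$services"; then
            return 0                      # case (a)
        fi
        bound="$bound $ifaces"
        [ "$zone" = "$default" ] && default_services=$services
    done <<EOF
$table
EOF
    # case (b): an unbound interface falls into the default zone
    if zone_allows_ssh "$default_services"; then
        for iface in $all_ifaces; do
            case " $bound " in
                *" $iface "*) ;;
                *) return 0 ;;
            esac
        done
    fi
    return 1
}

# Print the first Ethernet-looking interface (assumed naming eth*/en*).
first_ethernet() {
    for iface in $1; do
        case $iface in
            eth*|en*) printf '%s\n' "$iface"; return 0 ;;
        esac
    done
    return 1
}

# Print the first zone in the table whose service list allows ssh.
first_ssh_zone() {
    while IFS='|' read -r zone ifaces services; do
        if [ -n "$zone" ] && zone_allows_ssh "$services"; then
            printf '%s\n' "$zone"; return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# What a PR-2285-style remediation would do on this host: prints "ok"
# when ssh is already reachable, the firewall-cmd line it would run
# otherwise, or "abort" when there is no Ethernet interface or no
# ssh-enabled zone to bind it to (the case where the fix cannot help).
plan_remediation() {
    if ssh_reachable "$1" "$2" "$3"; then
        echo ok; return 0
    fi
    iface=$(first_ethernet "$3") || { echo abort; return 1; }
    zone=$(first_ssh_zone "$2") || { echo abort; return 1; }
    echo "firewall-cmd --permanent --zone=$zone --change-interface=$iface"
}

# Constructed sample state: default zone "drop", eth0/eth1 unbound,
# "public" allows ssh but has no interface bound to it (the issue's scenario).
SAMPLE_TABLE='drop||
public||dhcpv6-client ssh
work||dhcpv6-client'
SAMPLE_IFACES='lo eth0 eth1'

plan_remediation drop "$SAMPLE_TABLE" "$SAMPLE_IFACES"
```

On a real host the three inputs come from `firewall-cmd --get-default-zone`, `firewall-cmd --get-active-zones` plus `firewall-cmd --zone=Z --list-services` for each zone, and the interface list from `ip -o link`. The "abort" branch is the point of the thread: on a host with only a wireless or bonded interface, or no zone that allows ssh, the PR's approach has nothing safe to bind and the remediation should not be applied.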