Hello,
Regarding issue https://github.com/OpenSCAP/scap-security-guide/issues/2202, which is about the remediation of Rule 'set_firewalld_default_zone' setting the default zone of firewalld to drop, and as a consequence locking down the machine if no interface is assigned to a zone with the SSH service enabled (because an interface with no zone assigned goes to the default zone).

There is PR https://github.com/OpenSCAP/scap-security-guide/pull/2285 which introduced a remediation for Rule 'firewalld_sshd_port_enabled' that will assign the first Ethernet interface found to a zone with SSH enabled; this will avoid lockdown of the machine.

But the question is, how useful is this remediation? Would it work in your infrastructure?

There is concern that this scenario is too complex for a remediation to fix correctly and in a way suitable for everybody. There are too many unknowns about configuration, hardware, and SSH use cases. We may be in a situation where any remediation implemented will do more harm than good.

Dropping the remediations for 'set_firewalld_default_zone' and 'firewalld_sshd_port_enabled' can be a safer solution for https://github.com/OpenSCAP/scap-security-guide/issues/2202, as the fixes for these rules are not straightforward.
With regards,
--
Watson Sato
Security Technologies | Red Hat, Inc
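The lockout scenario discussed in the mail above, as an added dry-run check (this is example code written for this page, not the project's remediation and not the code in the PR). It works on constructed strings standing in for the output of `firewall-cmd --get-active-zones`, the interface list from `/sys/class/net`, and per-zone `firewall-cmd --zone=Z --list-services`, so it runs offline; the sample interface `eth2` and the zone/service lines are assumptions made up for the example. It reports which interfaces would fall into the default zone and prints, without running, the `firewall-cmd --change-interface` calls that would move them into a zone that already allows ssh, refusing to guess when no such zone exists.

```sh
#!/bin/sh
# Added example: would setting firewalld's default zone to "drop" cut off SSH?
# Inputs are constructed strings; on a real host capture the real command output.

# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0
internal
  interfaces: eth1'

# Constructed list of interfaces on the host (eth2 is assigned to no zone).
SAMPLE_IFACES='eth0 eth1 eth2'

# Constructed "zone:services" lines, one per zone; the drop zone allows nothing.
SAMPLE_ZONE_SERVICES='public:ssh dhcpv6-client
internal:ssh mdns
drop:'

# Print the interfaces from $2 that appear in no zone of $1. These are exactly
# the interfaces that firewalld places in the default zone.
unzoned_ifaces() {
  zoned=$(printf '%s\n' "$1" | sed -n 's/^ *interfaces: *//p' | tr ' ' '\n')
  for i in $2; do
    printf '%s\n' "$zoned" | grep -qx -- "$i" || printf '%s\n' "$i"
  done
}

# Succeed if zone $1 lists the ssh service in the "zone:services" lines $2.
zone_allows_ssh() {
  printf '%s\n' "$2" | grep "^$1:" | sed 's/^[^:]*://' | tr ' ' '\n' | grep -qx ssh
}

# Succeed (exit 0) if making $1 the default zone risks an SSH lockout: some
# interface is unzoned AND the would-be default zone does not allow ssh.
ssh_lockout_risk() {  # default_zone active_zones ifaces zone_services
  [ -n "$(unzoned_ifaces "$2" "$3")" ] || return 1
  zone_allows_ssh "$1" "$4" && return 1
  return 0
}

# Print (do not run) the firewall-cmd calls that would move each unzoned
# interface into the first zone that already allows ssh. Fail rather than guess
# when no zone allows ssh, since any choice then is a policy decision.
proposed_fix() {  # active_zones ifaces zone_services
  target=$(printf '%s\n' "$3" | while IFS=: read -r zone svcs; do
    case " $svcs " in *" ssh "*) printf '%s\n' "$zone"; break ;; esac
  done)
  [ -n "$target" ] || { echo "no zone allows ssh; refusing to guess" >&2; return 1; }
  for i in $(unzoned_ifaces "$1" "$2"); do
    printf 'firewall-cmd --permanent --zone=%s --change-interface=%s\n' "$target" "$i"
  done
}

if ssh_lockout_risk drop "$SAMPLE_ACTIVE_ZONES" "$SAMPLE_IFACES" "$SAMPLE_ZONE_SERVICES"; then
  echo "default zone 'drop' would cut SSH on: $(unzoned_ifaces "$SAMPLE_ACTIVE_ZONES" "$SAMPLE_IFACES")"
  proposed_fix "$SAMPLE_ACTIVE_ZONES" "$SAMPLE_IFACES" "$SAMPLE_ZONE_SERVICES"
fi
```

Two caveats that bear on the "too many unknowns" point: the printed `--permanent` calls only take effect after `firewall-cmd --reload` (or repeated without `--permanent` for the running configuration), and on hosts where NetworkManager manages the interface the zone is normally stored in the connection profile (nmcli's `connection.zone`), which this check does not consult.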