From 96d3b95d63e5219ba7ca8c36d9393520d94893ff Mon Sep 17 00:00:00 2001
From: Brandon Whalen
Date: Wed, 22 May 2019 10:19:55 -0400
Subject: [PATCH] In the current version of CLIP, if you enable firewalld you must modify the fix-bad-scap file. All of the variants pull from this file and so the change impacts all of the varaints. This patch updates the way that CLIP enales firewalld so that it can be enabled per variant or globally and enabling firewalld in a single variant has no impact on the other variants.. The modifications in this commit are copyrighted works of Owl Cyber Defense. (C) 2019 Owl Cyber Defense Solutions, LLC
---
 CONFIG_BUILD | 4 +-
 Help-firewalld.txt | 38 +++++++++++-------
 kickstart/clip-apache/clip-apache.ks | 4 ++
 kickstart/clip-minimal/clip-minimal.ks | 4 ++
 .../clip-sftp-dropbox/clip-sftp-dropbox.ks | 4 ++
 kickstart/includes/fix-bad-scap | 4 +-
 .../wip-clip-kubernetes.ks | 4 ++
 kickstart/wip-clip-vpn/wip-clip-vpn.ks | 4 ++
 8 files changed, 49 insertions(+), 17 deletions(-)
diff --git a/CONFIG_BUILD b/CONFIG_BUILD
index d49ce3b2a..c7abcadc7 100644
--- a/CONFIG_BUILD
+++ b/CONFIG_BUILD
@@ -33,6 +33,7 @@ CONFIG_BUILD_SELINUX_POL_TYPE := mcs
 CONFIG_BUILD_CHECK_KICKSTART := y
 CONFIG_BUILD_ENABLE_GUI := n
 CONFIG_BUILD_BREAK_GUI := n
+CONFIG_ENABLE_FIREWALLD := n
 # DEPRECATED OPTIONS
 # These CONFIG_BUILD_ options are deprecated and no longer tested/used.
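Review bot: `CONFIG_ENABLE_FIREWALLD` is the only option in this hunk without the `CONFIG_BUILD_` prefix that every neighbouring knob (and the "These CONFIG_BUILD_ options" comment right below it) uses, so a grep for `CONFIG_BUILD_` no longer lists all build options; the same name is repeated in the two hunks below (the `CONFIG_BUILD_BASH_VARS` line and the `export` line). Renaming it `CONFIG_BUILD_ENABLE_FIREWALLD` here, in those two hunks, in the five kickstart guards and in Help-firewalld.txt would keep the set discoverable, or, if the distinct prefix is intentional, a comment should say why. Either way the new line deserves a one-line comment stating what the value means, since nothing in the visible context does: `# Use firewalld instead of iptables/ip6tables (n = keep iptables; a variant can still export y from its %post)`.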
@@ -84,6 +85,7 @@ CONFIG_BUILD_BASH_VARS += ISO_VERSION=$(strip $(ISO_VERSION))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_DHCP=$(strip $(CONFIG_BUILD_ENABLE_DHCP))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_ENABLE_GUI=$(strip $(CONFIG_BUILD_ENABLE_GUI))
 CONFIG_BUILD_BASH_VARS += CONFIG_BUILD_BREAK_GUI=$(strip $(CONFIG_BUILD_BREAK_GUI))
+CONFIG_BUILD_BASH_VARS += CONFIG_ENABLE_FIREWALLD=$(strip $(CONFIG_ENABLE_FIREWALLD))
 # Typically we are rolling builds on the target arch. Changing this may have dire consequences.
 # (read -> hasn't be tested at all and may result in broken builds and ultimately the end of the universe as we know it).
@@ -92,4 +94,4 @@ TARGET_ARCH := $(shell uname -i)
 # Quiet down the build output a bit.
 QUIET := n
-export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI
+export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI CONFIG_ENABLE_FIREWALLD
diff --git a/Help-firewalld.txt b/Help-firewalld.txt
index 534324980..e5dba72a0 100644
--- a/Help-firewalld.txt
+++ b/Help-firewalld.txt
@@ -59,18 +59,26 @@ What does CLIP do?
 ===========================================================================
 How do you switch?
- This _should_ be pretty painless. You need to update the kickstart file,
- kickstart/clip-WHATEVER/clip-WHATEVER.ks, to add in the file that
- configures firewalld and remove where CLIP disables the service in
- kickstart/includes/fix-bad-scap.
-
- Add "%include includes/fix-firewalld" to the kickstart where all the
- the other includes are.
-
- Remove where CLIP disables firewalld and enables iptables. Find
- the lines below in the kickstart/includes/fix-bad-scap and delete them
- or comment them out.
- systemctl disable firewalld
- systemctl mask firewalld
- systemctl enable iptables
- systemctl enable ip6tables
+ This _should_ be pretty painless. You can enable firewalld in all
+ variants or you can enable it up per variant. At present, CLIP disables
+ firewalld in all variants.
+
+ To enable firewalld in a single variant you need to update that variants
+ kickstart file, kickstart/clip-VARIANTNAME/clip-VARIANTNAME.ks, to set the
+ environment variable CONFIG_ENABLE_FIREWALLD=y in the %post of the
+ kickstart.
+
+ Ths must be done beloow the two lines where the build system adds in the
+ top level environment variables. An example of this is shown below.
+ "
+ # DO NOT REMOVE THE FOLLOWING LINE. NON-EXISTENT WARRANTY VOID IF REMOVED.
+ #CONFIG-BUILD-PLACEHOLDER
+
+ export CONFIG_ENABLE_FIREWALLD=y
+ "
+
+ To enable firewalld globally you need to modify the CONFIG_BUILD file
+ and switch the line
+ CONFIG_ENABLE_FIREWALLD := n
+ to
+ CONFIG_ENABLE_FIREWALLD := y
diff --git a/kickstart/clip-apache/clip-apache.ks b/kickstart/clip-apache/clip-apache.ks
index d2cef3ff0..3afefbd11 100644
--- a/kickstart/clip-apache/clip-apache.ks
+++ b/kickstart/clip-apache/clip-apache.ks
@@ -106,6 +106,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/clip-minimal/clip-minimal.ks b/kickstart/clip-minimal/clip-minimal.ks
index 6de10bea6..d5220b628 100644
--- a/kickstart/clip-minimal/clip-minimal.ks
+++ b/kickstart/clip-minimal/clip-minimal.ks
@@ -84,6 +84,10 @@ set -x
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks b/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
index eee5da3f1..f7cfdfad0 100644
--- a/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
+++ b/kickstart/clip-sftp-dropbox/clip-sftp-dropbox.ks
@@ -93,6 +93,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/includes/fix-bad-scap b/kickstart/includes/fix-bad-scap
index ce81b9cbf..958836fd0 100644
--- a/kickstart/includes/fix-bad-scap
+++ b/kickstart/includes/fix-bad-scap
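Review bot: The four-line guard around `%include includes/fix-firewalld` is pasted verbatim into five kickstarts (this hunk, clip-minimal and clip-sftp-dropbox on this line, wip-clip-kubernetes and wip-clip-vpn below), while the same commit places the mirror-image guard inside `includes/fix-bad-scap` itself. Because `%include` is a parse-time textual splice, moving `if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then … fi` into `includes/fix-firewalld` and leaving a bare `%include includes/fix-firewalld` in each variant yields the same %post script with a single copy of the condition to maintain. Separately, the per-variant opt-in that Help-firewalld.txt describes (`export CONFIG_ENABLE_FIREWALLD=y` after `#CONFIG-BUILD-PLACEHOLDER`) only takes effect if that export runs before `includes/fix-bad-scap` is spliced in; otherwise firewalld is already disabled and masked by the time this guard tries to enable it, and the include order is not visible in this hunk, so it is worth confirming in each of the five files. The enclosing %post section starts and ends outside the hunk.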
@@ -11,11 +11,13 @@ systemctl stop kdump.service
 systemctl disable kdump.service
 systemctl mask kdump.service
-# And I have yet to figure out how to use SECMARK with firewalld.
+# If we are not using firewalld, disable it and turn on iptables
+if [ x"$CONFIG_ENABLE_FIREWALLD" != "xy" ]; then
 systemctl disable firewalld
 systemctl mask firewalld
 systemctl enable iptables
 systemctl enable ip6tables
+fi
 # https://github.com/OpenSCAP/scap-security-guide/issues/1435
 sed -i -e 's/cbcMACs/cbc\nMACS/' /etc/ssh/sshd_config
diff --git a/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks b/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
index 46d2a4122..3b0f5cd7e 100644
--- a/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
+++ b/kickstart/wip-clip-kubernetes/wip-clip-kubernetes.ks
@@ -92,6 +92,10 @@ set -x
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 # FIXME: Change the username and password.
 # If a hashed password is specified it will be used
diff --git a/kickstart/wip-clip-vpn/wip-clip-vpn.ks b/kickstart/wip-clip-vpn/wip-clip-vpn.ks
index 8af055911..9154b2dd8 100644
--- a/kickstart/wip-clip-vpn/wip-clip-vpn.ks
+++ b/kickstart/wip-clip-vpn/wip-clip-vpn.ks
@@ -94,6 +94,10 @@ echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
 %include includes/early-scap-audit
 %include includes/scap-remediate
+# if we are using firewalld, enable the base settings
+if [ x"$CONFIG_ENABLE_FIREWALLD" == "xy" ]; then
+%include includes/fix-firewalld
+fi
 if [ x"$CONFIG_BUILD_AWS" != "xy" -o x"$CONFIG_BUILD_VPN_ENABLE_TOOR" == "xy" ]; then
 # FIXME: Change the username and password.
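Review bot: The removed comment was the only record of why firewalld is disabled by default (SECMARK had not been made to work with it), and the replacement comment drops that rationale; keep both, e.g. `# If we are not using firewalld, disable it and turn on iptables (SECMARK has only been worked out with iptables so far; see Help-firewalld.txt)`. The new guard has no `else`, so when a variant opts into firewalld nothing here stops iptables/ip6tables from also being enabled if anything earlier in %post does so, which would leave two services managing the same kernel tables; unless `includes/fix-firewalld` (not visible here) already handles it, an `else` branch mirroring this one, `systemctl disable iptables ip6tables` followed by `systemctl mask iptables ip6tables`, would make the two paths mutually exclusive. An unset or any non-`y` value falls into the disable-firewalld path, which is the safe default and agrees with the `== "xy"` tests in the kickstart hunks. The surrounding %post script continues outside the hunk.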