Firewall technology related rules per service and package change logic according to interactive profile variable

[teacup-on-rockingchair]

Description:

• Make sure that behaviour of rules about nftables,iptables and firewalld are mutually exclusive and the default behaviour of the checks and remediations is based on external interactive variable, that is part of the profile definition

Rationale:

• Add oval macro to check external variable vs expected value
• Add variable to set default firewall technology used
• Set relevant values for SLE platforms
• Templates for pkg installed/removed and svc enabled/disabled, guarded by ext varaiable
• The idea is the oval checks and remediation to check provided external variable, and thus honour if really to check/install/remove certain package or service
• Enable nftable service on SLE only if active firewall technology is set to be nftables
• Disable nftable service on SLE only if active firewall technology is set to be firewalld or iptables
• Removing nftable package on SLE makes sense only if active firewall technology is set to be firewalld or iptables
• Installing iptables package on SLE only if active firewall technology is set to be iptables
• Enable iptables service on SLE only if active firewall technology is set to be iptables
• Disable firewalld service on SLE only if active firewall technology is set to be nftables or iptables
• Removing package on SLE makes sense only if active firewall technology is set to be nftables or iptables
• Enable firewalld service on SLE only if active firewall technology is set to be firewalld
• Installing firewalld package on SLE only if active firewall technology is set to be firewalld

Review Hints:

• For now the proposed change is applied to SLE platforms only, and if proves to be a good approach can distribute to other platforms also
• The use case would be that the user will have in its profile defined default firewall technology, one of iptables,nftables,ufw, firewalld ,and if the system has been modified a non-default option for that, one can use scap-workbench or similar tool, or define a new alternative profile to the original one (CIS is currently the one having conflicting rules ) , or via command line arguments of the oscap tool, if that is the weapon of choice to run checks and remediations.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11818
This image was built from commit: f2480f3

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11818

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11818 make deploy-local

[teacup-on-rockingchair]

/test all

[marcusburghardt]

/packit build

[dodys]

should we change this pr to work across different vendors?
@marcusburghardt @Mab879 @Xeicker

[Xeicker]

should we change this pr to work across different vendors? @marcusburghardt @Mab879 @Xeicker

For the moment it is not necessary for Oracle Linux

[marcusburghardt]

I removed myself as assignee as, unfortunately, I won't be able to review/test it again for the next few weeks.

[Mab879]

Sorry, for the late review.

Hopefully we can get this moving along again.

[codeclimate]

Code Climate has analyzed commit 8f0fdfe and detected 6 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Duplication	6

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

[Mab879]

Waving the Automatus Tests as they pass locally.

Waving the Code Climate issues as I don't think they are worth solving.

Overriding CODEOWNERS since @teacup-on-rockingchair cannot merge his own PRs.

Thanks @teacup-on-rockingchair working on this for all this time.