Fix rule firewalld_sshd_port_enabled OVAL check

[evgenyz]

Description:

• OVAL: Do not check for zone assignment in network connections

Rationale:

• Since any interface is implicitly assigned to the default zone (if not configured differently) we just have to make sure that SSH is allowed in the default zone (and we do that).

• Fixes rule firewalld_sshd_port_enabled fails to remediate with imagebuilder #11625

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- oval:ssg-firewalld_sshd_port_enabled:def:1
+++ oval:ssg-firewalld_sshd_port_enabled:def:1
@@ -1,5 +1,4 @@
 criteria AND
-criterion oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1
 criteria OR
 criteria AND
 criterion oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1

[codeclimate]

Code Climate has analyzed commit 4d4eb7c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

[Mab879]

Waving Automatus tests as they pass locally.

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2025-01-28-1012/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
INFO - Script customized_zone_configured.pass.sh using profile (all) OK
INFO - Script customized_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script new_zone_configured.pass.sh using profile (all) OK
INFO - Script new_zone_without_ssh.fail.sh using profile (all) OK
INFO - Script only_nics_configured.fail.sh using profile (all) OK
INFO - Script zones_and_nics_configured.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_no_custom_files.pass.sh using profile (all) OK
INFO - Script zones_and_nics_ok_port_changed.pass.sh using profile (all) OK
INFO - Script only_zones_configured.pass.sh using profile (all) OK

[marcusburghardt]

I am afraid the removal of these checks will bring back issues that were solved by them in the past. I don't remember from top of my head now, but they were there for good a reason. Lets keep watching.

In case you see something @matusmarhefka @jan-cerny @ggbecker @vojtapolasek @comps

[marcusburghardt]

You can check all the history of the refactoring here: #9712
There were corner cases covered that are no longer covered after this PR. They are also hard to catch with automated tests but they are legit. So I strongly recommend to revert this PR and try a different approach to fix #11625 without regression.

[evgenyz]

You can check all the history of the refactoring here: #9712 There were corner cases covered that are no longer covered after this PR. They are also hard to catch with automated tests but they are legit. So I strongly recommend to revert this PR and try a different approach to fix #11625 without regression.

What exactly regressed after this change?