[BUG] When remediating/validating with "stig" profile, Default firewalld Zone for Incoming Packets not properly set

[ferricoxide]

Describe the bug

After running relevant formula-content, DefaultZone value in /etc/firewalld/firewalld.conf still set to public

Note: may be consequence of #247

To Reproduce
Steps to reproduce the behavior:

1. Launch fresh spel AMI (etc.)
2. Run watchmaker using "stig" profile for remediation
3. Reboot system
4. Run oscap utility using "stig" profile for scan
5. Validate reported error is legitimate (execute grep DefaultZone /etc/firewalld/firewalld.conf)

Expected behavior
Running oscap utility using "stig" profile for scan should not produce error for named-test; executing grep DefaultZone /etc/firewalld/firewalld.conf should return drop

Fix Suggestions

Add a post-oscap remediation to prevent finding. No RHEL STIG ID has been yet assigned. Add handler to ash-linux-formula/ash-linux/el7/Miscellaneous/ content-directory.

[ferricoxide]

When either ash-linux.el7.stig or ash-linux,el7.VendorSTIG are invoked, ash-linux.el7.Miscellaneous.firewalld_safeties gets invoked. The firewalld_safeties state was written to ensure that 22/tcp access would be preserved if the "Drop" policy was selected, but, looks like actual selection isn't being done, anywhere: need to add a policy-selector state and make the desired state site-selectable (since switching to Drop, across the board, will break any sites' scanners that rely on ping-sweeps to identify scan-targets).