
update debian12 anssi bp28 minimal profile

Open a-skr opened this issue 1 year ago • 27 comments

Description:

  • Add some rules that were previously deactivated because they had a prodtype incompatible with the debian12 product
  • This work applies to debian12 anssi bp 28 profile.

a-skr avatar Feb 15 '24 18:02 a-skr

Hi @a-skr. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Feb 15 '24 18:02 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Feb 15 '24 18:02 github-actions[bot]

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -2,6 +2,10 @@
 if rpm --quiet -q pam; then
 
 var_password_pam_unix_remember=''
+
+
+
+
 
 
 if [ -f /usr/bin/authselect ]; then
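Review bot: the only change in this hunk is four empty `+` lines after `var_password_pam_unix_remember=''`, so the generated bash remediation gains whitespace and nothing else; that most likely means a template block in the remediation now renders to an empty string for this product. Harmless at runtime, but worth tightening the template's whitespace control so the datastream diff does not report whitespace-only changes as a differing remediation.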

OVAL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- oval:ssg-accounts_passwords_pam_faillock_interval:def:1
+++ oval:ssg-accounts_passwords_pam_faillock_interval:def:1
@@ -1,19 +1,19 @@
 criteria AND
 criteria AND
 criteria AND
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_unix_auth:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_unix_auth:tst:1
 criteria AND
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_auth:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_account:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_auth:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_account:tst:1
 criteria OR
 criteria AND
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_system:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_password:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_faillock_conf:tst:1
 criteria AND
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1
-criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_pamd_system:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_pamd_password:tst:1
+criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:tst:1
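Review bot: every criterion in this definition is renamed from `..._pam_faillock_interval_...` to `..._pam_faillock_fail_interval_...` while the AND/OR criteria tree is unchanged, so this should be a pure identifier rename introduced by the new template (presumably keyed on the faillock.conf option name `fail_interval`). Please confirm that the renamed tests still reference the same objects and states, and that the definition id `oval:ssg-accounts_passwords_pam_faillock_interval:def:1` stays stable, since that is what profiles and external tooling reference; running the automatus scenarios for this rule is the quickest way to show no behaviour changed.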

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -10,8 +10,10 @@
 In file /etc/pam.d/password-auth append rounds='xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds'
          
 to the pam_unix.so entry, as shown below:
+
 password sufficient pam_unix.so ...existing_options... rounds='xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds'
          
+
 The system's default number of rounds is 5000.
 
 [warning]:
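Review bot: whitespace-only change; the two added blank lines merely set the example `password sufficient pam_unix.so ...existing_options... rounds=...` line apart from the surrounding description text. Check the rendered HTML guide, where the description is parsed as markup and extra blank lines may or may not produce a paragraph break, before treating this as an intended formatting improvement rather than template noise.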

OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs.
--- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_ocil:questionnaire:1
+++ ocil:ssg-accounts_password_pam_unix_rounds_password_auth_ocil:questionnaire:1
@@ -1,6 +1,7 @@
 To verify the number of rounds for the password hashing algorithm is configured, run the following command:
 $ sudo grep rounds /etc/pam.d/password-auth
 The output should show the following match:
+
 password sufficient pam_unix.so sha512 rounds=
       Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out?
       
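Review bot: whitespace-only change in the OCIL questionnaire: one blank line is inserted between "The output should show the following match:" and the expected `password sufficient pam_unix.so sha512 rounds=` line, with no change to the check itself. If the blank line comes from a shared template, make sure the other rounds rules generated from it render the same way so the OCIL text stays consistent.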

github-actions[bot] avatar Feb 15 '24 20:02 github-actions[bot]

Note: PR updated with similar updates for intermediate, enhanced, and high profiles.

a-skr avatar Feb 19 '24 12:02 a-skr

/packit build

Mab879 avatar Feb 20 '24 15:02 Mab879

/packit retest-failed

jan-cerny avatar Feb 23 '24 10:02 jan-cerny

A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11592 This image was built from commit: f44e383effeaacd7997408ace5dd45ab61a286d8


If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11592

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11592 make deploy-local

github-actions[bot] avatar Feb 28 '24 18:02 github-actions[bot]

The platform value can be simplified in some rules. I also saw that some OVAL and Remediation files were duplicated from Ubuntu. It is not wrong how it was done and probably doesn't fit in the scope of this PR, but we should think of a way to reduce duplication in situations like this. @dodys , could you take a look at this PR too, please?

I believe for all those we could create/use a template instead to avoid having separate files. Would you like this to be addressed in this PR?

dodys avatar Mar 01 '24 10:03 dodys

The platform value can be simplified in some rules. I also saw that some OVAL and Remediation files were duplicated from Ubuntu. It is not wrong how it was done and probably doesn't fit in the scope of this PR, but we should think of a way to reduce duplication in situations like this. @dodys , could you take a look at this PR too, please?

I believe for all those we could create/use a template instead to avoid having separate files. Would you like this to be addressed in this PR?

@a-skr , did you have an opportunity to see this comment from @dodys ?

marcusburghardt avatar Mar 12 '24 09:03 marcusburghardt

@marcusburghardt : I've seen @dodys comment, but as the comment was interrogative, I wasn't sure something more was expected in this PR. I will look into templates this week.

a-skr avatar Mar 25 '24 12:03 a-skr

@marcusburghardt : I've seen @dodys comment, but as the comment was interrogative, I wasn't sure something more was expected in this PR. I will look into templates this week.

By the way, the "duplication" of ubuntu oval tests is actually symlinks, so there is no code duplication. If symlinks are an acceptable solution, I can factor the code more without resorting to templates. Just tell me what you prefer.

a-skr avatar Mar 26 '24 15:03 a-skr

@marcusburghardt , @dodys : could you please review the last commit? As it is my first template, I would like a review before adding more templates to get rid of the oval symlinks and remaining code duplication.

a-skr avatar Mar 27 '24 16:03 a-skr

@marcusburghardt , @dodys : could you please review the last commit? As it is my first template, I would like a review before adding more templates to get rid of the oval symlinks and remaining code duplication.

@a-skr, I believe the direction is to always have templates under shared/templates/, just like you did for the tests. A minor comment on the templates: just keep the space indentation as it was. Your editor might be changing it automatically.

Thanks for working on it on this PR :)

dodys avatar Apr 01 '24 14:04 dodys

@marcusburghardt , @dodys : could you please review the last commit? As it is my first template, I would like a review before adding more templates to get rid of the oval symlinks and remaining code duplication.

@a-skr, I believe the direction is to always have templates under shared/templates/, just like you did for the tests. A minor comment on the templates: just keep the space indentation as it was. Your editor might be changing it automatically.

Thanks for working on it on this PR :)

@dodys : can you be more specific with the indentation issue? xml and yaml are indented with two spaces, which seems similar to original files. I think I'm missing something.

a-skr avatar Apr 02 '24 08:04 a-skr

@dodys, @marcusburghardt : I think the PR is now in good shape to be merged.

A pam_account_password_faillock template has been added. So far, only the rules used by Debian use the new template.

If you don't mind, I prefer to refactor the remaining faillock rules in another PR.

a-skr avatar Apr 08 '24 08:04 a-skr

Could you resolve the conflicts, please?

marcusburghardt avatar Apr 18 '24 09:04 marcusburghardt

Could you resolve the conflicts, please?

I will do it this week end.

a-skr avatar Apr 18 '24 14:04 a-skr

@marcusburghardt I just rebased on master, commit 44b81ca8e3085b8452d8. Looks like there isn't any conflict anymore (no fix needed).

a-skr avatar Apr 19 '24 16:04 a-skr

/packit build

marcusburghardt avatar Apr 30 '24 09:04 marcusburghardt

note: commits amended today to solve a merge conflict.

a-skr avatar May 05 '24 16:05 a-skr

@a-skr some tests you touched are failing on some platforms. Do you know if that was the case already?

dodys avatar May 06 '24 10:05 dodys

@a-skr some tests you touched are failing on some platforms. Do you know if that was the case already?

Some platforms (fedora, ...) were already failing before this PR. I'm not sure whether this PR adds more errors (I did keep the old tests).

Is there a way to run the test suite on commit bd9ef20a1050268a30856afa5? (That's the one I rebased on).

If so, we will know if I introduced issues.

a-skr avatar May 07 '24 07:05 a-skr

@a-skr some tests you touched are failing on some platforms. Do you know if that was the case already?

Some platforms (fedora, ...) were already failing before this PR. I'm not sure whether this PR adds more errors (I did keep the old tests).

Is there a way to run the test suite on commit bd9ef20? (That's the one I rebased on).

If so, we will know if I introduced issues.

@marcusburghardt is it something you can help with?

dodys avatar May 07 '24 09:05 dodys

Code Climate has analyzed commit f44e383e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar May 18 '24 15:05 qlty-cloud-legacy[bot]

The CI tests failing for pam_faillock related rules seem legit. I have tested the rules with the master and with the changes in this PR. Only after these changes are these rules failing. These PAM related rules are complex and some rules differ a little bit based on the specific pam_faillock configuration. We should investigate if the issue is with the assessment or with the test scenarios.

I did keep the old tests unmodified. I found some bugs in the new OVAL faillock template (commit has been amended).

I also found something that may be an issue with the tests:

I focused on fedora for testing and debugging. I have this error in the test suite report:

ERROR - Script conflicting_settings_authselect.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.

But according to platform definitions in the test, this script should not be used with fedora?

#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
# (the two header lines above are test-suite metadata: the packages the
#  scenario needs and the platforms it applies to; Fedora is not listed)

pam_files=("password-auth" "system-auth")

# Create a custom authselect profile derived from the "minimal" base profile
authselect create-profile testingProfile --base-on minimal
# --- snip ---

(by the way, minimal is not a profile shipped with fedora, so the script can only fail).

Is the platform definition valid?

a-skr avatar May 20 '24 08:05 a-skr

/packit build

jan-cerny avatar May 20 '24 18:05 jan-cerny

The CI job "Automatus Fedora" runs tests using RHEL 8 content on a Fedora container; the test suite does some special modification to make the tests executable. That usually works but not always. Sometimes there are problems caused by the different nature of containers, for example there is no running dbus. Sometimes the problem is that Fedora is different from RHEL 8. In these situations it is necessary to run the tests locally using a virtual machine back end to determine if the fail is caused by the fedora container environment or by the actual contents of the PR.

I have executed some of the tests on a RHEL 9 virtual machine back end using content built from this PR and they all pass.

[jcerny@fedora content]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 accounts_password_pam_retry
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/content/logs/rule-custom-2024-05-20-2119/test_suite.log
WARNING - Script correct_value.pass.sh is not applicable on given platform
WARNING - Script wrong_value.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
INFO - Script argument_missing.fail.sh using profile (all) OK
INFO - Script pwquality_conf_commented.fail.sh using profile (all) OK
INFO - Script pwquality_conf_conflicting_values.fail.sh using profile (all) OK
INFO - Script pwquality_conf_correct.pass.sh using profile (all) OK
INFO - Script pwquality_conf_correct_with_space.pass.sh using profile (all) OK
INFO - Script pwquality_conf_duplicate_values.pass.sh using profile (all) OK
INFO - Script pwquality_conf_overriden.fail.sh using profile (all) OK
INFO - Script pwquality_conf_wrong.fail.sh using profile (all) OK
[jcerny@fedora content]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 accounts_passwords_pam_faillock_dir
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/content/logs/rule-custom-2024-05-20-2126/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
INFO - Script conflicting_settings_authselect.fail.sh using profile (all) OK
INFO - Script expected_faillock_conf.pass.sh using profile (all) OK
INFO - Script expected_pam_files.pass.sh using profile (all) OK
INFO - Script missing_dir_in_authfail.fail.sh using profile (all) OK
INFO - Script missing_dir_in_preauth.fail.sh using profile (all) OK
INFO - Script wrong_faillock_conf.fail.sh using profile (all) OK
INFO - Script wrong_pam_files.fail.sh using profile (all) OK
[jcerny@fedora content]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 accounts_passwords_pam_faillock_deny
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/content/logs/rule-custom-2024-05-20-2130/test_suite.log
WARNING - Script pam_faillock_expected_pam_files.pass.sh is not applicable on given platform
WARNING - Script pam_faillock_lenient_pam_files.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_multiple_pam_unix_pam_files.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_stricter_pam_files.pass.sh is not applicable on given platform
WARNING - Script ubuntu_commented_values.fail.sh is not applicable on given platform
WARNING - Script ubuntu_correct.pass.sh is not applicable on given platform
WARNING - Script ubuntu_correct_pamd.pass.sh is not applicable on given platform
WARNING - Script ubuntu_empty_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script ubuntu_missing_pamd.fail.sh is not applicable on given platform
WARNING - Script ubuntu_multiple_pam_unix.fail.sh is not applicable on given platform
WARNING - Script ubuntu_wrong_value.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script conflicting_settings_authselect.fail.sh using profile (all) OK
INFO - Script pam_faillock_conflicting_settings.fail.sh using profile (all) OK
INFO - Script pam_faillock_disabled.fail.sh using profile (all) OK
INFO - Script pam_faillock_expected_faillock_conf.pass.sh using profile (all) OK
INFO - Script pam_faillock_lenient_faillock_conf.fail.sh using profile (all) OK
INFO - Script pam_faillock_multiple_pam_unix_faillock_conf.fail.sh using profile (all) OK
INFO - Script pam_faillock_not_required_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_stricter_faillock_conf.pass.sh using profile (all) OK

Also in the logs from the GitHub job I can see this which I can't see locally

+ authselect create-profile testingProfile --base-on minimal
[error] Unable to read base profile [minimal] [2]: No such file or directory
[error] Unable to create profile [2]: No such file or directory
Unable to create new profile [2]: No such file or directory
++ for file in ${configuration_files[@]}
++ sed -i --follow-symlinks '/pam_pwquality\.so/d' /etc/authselect/custom/testingProfile/password-auth
sed: couldn't readlink /etc/authselect/custom/testingProfile/password-auth: No such file or directory
++ for file in ${configuration_files[@]}

So I assume the fails aren't caused by this PR but are caused by the environment in the CI job.

jan-cerny avatar May 20 '24 19:05 jan-cerny
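The platform question raised above (a scenario whose header lists only Oracle Linux and RHEL being executed in the Fedora CI job that runs RHEL 8 content) can be made concrete with a small model. The following is an added example, not code from the ComplianceAsCode test suite: it parses the `# packages =` / `# platform =` header of the quoted scenario and applies a simplified applicability check; that the check is made against the product the content was built for rather than the host OS is an assumption of this model, suggested by the CI description in the thread.

```python
"""Simplified model of how a test scenario's header metadata gates where it runs.

Added example; automatus has its own implementation. The applicability rule
(match the product the content was built for, not the OS the container runs)
is an assumption made here for illustration.
"""
import re

# Constructed sample: the header of the scenario quoted in the thread.
SCENARIO = """#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

pam_files=("password-auth" "system-auth")

authselect create-profile testingProfile --base-on minimal
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>packages|platform)\s*=\s*(?P<value>.*?)\s*$")


def parse_header(script: str) -> dict:
    """Return {'packages': [...], 'platform': [...]} from the leading comment lines.

    Parsing stops at the first line that is neither a comment nor blank, so the
    metadata has to sit at the top of the scenario, as it does in the test suite.
    """
    meta = {"packages": [], "platform": []}
    for line in script.splitlines():
        if line.startswith("#!") or line.strip() == "":
            continue
        if not line.startswith("#"):
            break
        m = HEADER_RE.match(line)
        if m:
            items = [v.strip() for v in m.group("value").split(",") if v.strip()]
            meta[m.group("key")] = items
    return meta


def is_applicable(script: str, product_name: str) -> bool:
    """A scenario without a platform line applies everywhere; otherwise the
    product name must match one of the listed platforms exactly."""
    platforms = parse_header(script)["platform"]
    return not platforms or product_name in platforms


def describe_run(script: str, built_for: str, runs_on: str) -> str:
    """Explain why a scenario is (or is not) executed under this model."""
    if not is_applicable(script, built_for):
        return f"skipped: not applicable to {built_for} content"
    if built_for != runs_on:
        return f"executed: selected for {built_for} content, but the host is {runs_on}"
    return f"executed on {runs_on}"


if __name__ == "__main__":
    # Constructed inputs mirroring the CI job described in the thread.
    print(describe_run(SCENARIO, "Red Hat Enterprise Linux 8", "Fedora"))
    print(describe_run(SCENARIO, "Fedora", "Fedora"))
```

Under this model the scenario is selected because the content was built for RHEL 8, even though the `minimal` base profile it relies on is not shipped on the Fedora host, which is consistent with the authselect errors seen only in the CI logs.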