content
content copied to clipboard
ComplianceAsCode
Add remediation ubtu 20 010060
Description:
- Add UBTU-20-010060
- Modify Ansible remediation to fit styling and add ubuntu support
Rationale:
- Part of Ubuntu 20.04 DISA STIG v1r9 profile upgrade
- https://github.com/ComplianceAsCode/content/pull/10738
Review Hints:
Build the product:
./build_product ubuntu2004
To test these changes with Ansible:
ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010060"
Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.
git checkout dexterle:add-manual-stig-ubtu-20-v1r9
This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/
Hi @dexterle. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Start a new ephemeral environment with changes proposed in this pull request:
sle12 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This datastream diff is auto generated by the check Compare DS/Generate Diff
Click here to see the full diff
New datastream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_configure_ca'.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_configure_ca' differs.
--- xccdf_org.ssgproject.content_rule_smartcard_configure_ca
+++ xccdf_org.ssgproject.content_rule_smartcard_configure_ca
@@ -1,8 +1,6 @@
-- name: Package facts
- package_facts: null
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - ''
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-83198-2
- DISA-STIG-SLES-12-030530
@@ -17,14 +15,9 @@
- restrict_strategy
- smartcard_configure_ca
-- name: Replace 'none' from cert_policy
- replace:
- path: /etc/pam_pkcs11/pam_pkcs11.conf
- regexp: (^\s*cert_policy\s*=\s*)none\s*;(\s*$)
- replace: \g<1>ocsp_on,ca,signature;\g<2>
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''pam_pkcs11'' in ansible_facts.packages'
+- name: Configure Smart Card Certificate Authority Validation - Gather Package Facts
+ ansible.builtin.package_facts: null
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83198-2
- DISA-STIG-SLES-12-030530
@@ -39,14 +32,14 @@
- restrict_strategy
- smartcard_configure_ca
-- name: Add 'ca' parameter for cert_policy in /etc/pam_pkcs11/pam_pkcs11.conf
- replace:
+- name: Configure Smart Card Certificate Authority Validation - Check That /etc/pam_pkcs11/pam_pkcs11.conf
+ Exists
+ ansible.builtin.stat:
path: /etc/pam_pkcs11/pam_pkcs11.conf
- regexp: (^\s*cert_policy\s*=\s*)(?!.*ca)(.*)
- replace: \g<1>ca,\g<2>
+ register: pam_pkcs11_conf
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''pam_pkcs11'' in ansible_facts.packages'
+ - '"pam_pkcs11" in ansible_facts.packages'
tags:
- CCE-83198-2
- DISA-STIG-SLES-12-030530
@@ -60,3 +53,125 @@
- no_reboot_needed
- restrict_strategy
- smartcard_configure_ca
+
+- name: Configure Smart Card Certificate Authority Validation - Create /etc/pam_pkcs11/pam_pkcs11.conf
+ if It Does Not Exist
+ ansible.builtin.file:
+ path: /etc/pam_pkcs11/pam_pkcs11.conf
+ state: touch
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - pam_pkcs11_conf.stat.exists == false
+ - '"pam_pkcs11" in ansible_facts.packages'
+ tags:
+ - CCE-83198-2
+ - DISA-STIG-SLES-12-030530
+ - NIST-800-53-IA-5 (2)
+ - NIST-800-53-IA-5 (2).1
+ - NIST-800-53-IA-5(2)(a)
+ - NIST-800-53-IA-5(2)(d)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - smartcard_configure_ca
+
+- name: Configure Smart Card Certificate Authority Validation - Check if cert_policy
+ in /etc/pam_pkcs11/pam_pkcs11.conf Is Already Set
+ ansible.builtin.lineinfile:
+ path: /etc/pam_pkcs11/pam_pkcs11.conf
+ regexp: ^(\s*)cert_policy\s+.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: cert_policy_replace
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"pam_pkcs11" in ansible_facts.packages'
+ tags:
+ - CCE-83198-2
+ - DISA-STIG-SLES-12-030530
+ - NIST-800-53-IA-5 (2)
+ - NIST-800-53-IA-5 (2).1
+ - NIST-800-53-IA-5(2)(a)
+ - NIST-800-53-IA-5(2)(d)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - smartcard_configure_ca
+
+- name: Configure Smart Card Certificate Authority Validation - Ensure 'none' Parameter
+ for cert_policy in /etc/pam_pkcs11/pam_pkcs11.conf Is Removed
+ ansible.builtin.replace:
+ path: /etc/pam_pkcs11/pam_pkcs11.conf
+ regexp: (^\s*cert_policy\s*=\s*)none\s*;(\s*$)
+ replace: \g<1>ca,signature,ocsp_on;\g<2>
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - cert_policy_replace.found > 0
+ - '"pam_pkcs11" in ansible_facts.packages'
+ tags:
+ - CCE-83198-2
+ - DISA-STIG-SLES-12-030530
+ - NIST-800-53-IA-5 (2)
+ - NIST-800-53-IA-5 (2).1
+ - NIST-800-53-IA-5(2)(a)
+ - NIST-800-53-IA-5(2)(d)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - smartcard_configure_ca
+
+- name: Configure Smart Card Certificate Authority Validation - Add 'ca' Parameter
+ for cert_policy in /etc/pam_pkcs11/pam_pkcs11.conf
+ ansible.builtin.replace:
+ path: /etc/pam_pkcs11/pam_pkcs11.conf
+ regexp: (^\s*cert_policy\s*=\s*)(?!.*ca)(.*)
+ replace: \g<1>ca,\g<2>
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - cert_policy_replace.found > 0
+ - '"pam_pkcs11" in ansible_facts.packages'
+ tags:
+ - CCE-83198-2
+ - DISA-STIG-SLES-12-030530
+ - NIST-800-53-IA-5 (2)
+ - NIST-800-53-IA-5 (2).1
+ - NIST-800-53-IA-5(2)(a)
+ - NIST-800-53-IA-5(2)(d)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - smartcard_configure_ca
+
+- name: Configure Smart Card Certificate Authority Validation - Add cert_policy if
+ It Does Not Exist
+ ansible.builtin.lineinfile:
+ path: /etc/pam_pkcs11/pam_pkcs11.conf
+ line: cert_policy = ca,signature,ocsp_on;
+ state: present
+ create: true
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - cert_policy_replace.found == 0
+ - '"pam_pkcs11" in ansible_facts.packages'
+ tags:
+ - CCE-83198-2
+ - DISA-STIG-SLES-12-030530
+ - NIST-800-53-IA-5 (2)
+ - NIST-800-53-IA-5 (2).1
+ - NIST-800-53-IA-5(2)(a)
+ - NIST-800-53-IA-5(2)(d)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - smartcard_configure_ca
If /etc/pam_pkcs11/pam_pkcs11.conf does not exist, the tasks will error out as the registered variable: cert_policy_replace will not have the proper dict object for found. Will be adding in a task to touch the location and ensure a file exists.
Code Climate has analyzed commit d64b3a54 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 53.8% (0.0% change).
View more on Code Climate.
![codeclimate[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
dexterle reached out last week about continuing work on this PRs, and I've asked to open new ones for a clean state. Therefore closing this one.
