content
content copied to clipboard
ComplianceAsCode
fix ansible SLES stig remediations in check mode
Description:
- When run in check mode ansible remediation scripts should be more isolated and need extra checks instead of assumptions
Rationale:
-
Fix ansible remediations run in check mode for rules part of the SLE STIG profile
-
Add var_accounts_tmout variable definition for PCI profile used in accounts_tmout rule
Start a new ephemeral environment with changes proposed in this pull request:
rhel8 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This datastream diff is auto generated by the check Compare DS/Generate Diff
Click here to see the full diff
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' differs.
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -1,3 +1,20 @@
+- name: Configure AIDE to Verify the Audit Tools - Gather List of Packages
+ tags:
+ - CCE-85964-5
+ - DISA-STIG-RHEL-08-030650
+ - NIST-800-53-AU-9(3)
+ - NIST-800-53-AU-9(3).1
+ - aide_check_audit_tools
+ - aide_check_audit_tools
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ ansible.builtin.package_facts:
+ manager: auto
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+
- name: Ensure aide is installed
package:
name: '{{ item }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -45,7 +45,7 @@
replace: \g<1>\g<2>+acl
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''aide'' in ansible_facts.packages'
+ - find_rules_groups_results is not skipped and "'aide' in ansible_facts.packages"
with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}'
tags:
- CCE-84220-3
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -45,7 +45,7 @@
replace: \g<1>\g<2>+xattrs
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''aide'' in ansible_facts.packages'
+ - find_rules_groups_results is not skipped and "'aide' in ansible_facts.packages"
with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}'
tags:
- CCE-83733-6
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -22,7 +22,7 @@
with_items: '{{ users_nopasswd.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - users_nopasswd.stdout_lines | length > 0
+ - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0
tags:
- CCE-85953-8
- DISA-STIG-RHEL-08-010121
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -100,7 +100,7 @@
- no_reboot_needed
- restrict_strategy
-- name: Update Update /etc/audit/audit.rules to audit privileged functions
+- name: Update /etc/audit/audit.rules to audit privileged functions
ansible.builtin.lineinfile:
path: /etc/audit/audit.rules
line: '{{ item.rule }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' differs.
--- xccdf_org.ssgproject.content_rule_network_sniffer_disabled
+++ xccdf_org.ssgproject.content_rule_network_sniffer_disabled
@@ -25,7 +25,7 @@
loop: '{{ network_interfaces.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - item.split(':')
+ - network_interfaces.stdout_lines is defined and "item.split(':') | length == 3"
tags:
- CCE-82283-3
- DISA-STIG-RHEL-08-040330
@teacup-on-rockingchair , could you resolve the conflict in this PR, please?
@teacup-on-rockingchair , could you resolve the conflict in this PR, please?
Hi @marcusburghardt any issues with the PR that disturbs you?
In automatus tests for CS8, CS9 and Fedora this error is appearing:
ERROR - Rule 'network_sniffer_disabled' test setup script 'promisc_interface_exists.fail.sh' failed with exit code 2
It is likely related to restrictions in containers. Possibly enabling the CAP_NET_ADMIN capability should allow the network interfaces inside a container to be set to promiscuous mode but it is not necessary for testing purposes. In VMs, the test scenario works as expected. So the error for this specific test scenario can be safely waived here.
/packit test
Hi @marcusburghardt I cannot seem to understand how the changes made have connection to the failing tests, that are preventing the PR for merging can you give me some hints here, so we can push this one through?
/packit test
Hi @marcusburghardt I cannot seem to understand how the changes made have connection to the failing tests, that are preventing the PR for merging can you give me some hints here, so we can push this one through?
Hi @teacup-on-rockingchair , I noticed a weakness in network_sniffer_disabled rule that was causing the error while executing the Ansible Playbook in CI tests. It should be fixed by https://github.com/ComplianceAsCode/content/pull/11657
Once this PR is merged, I would recommend to rebase your PR.
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11248
This image was built from commit: 81add9c333ede0298c69f94d61b7cb1b8b110b0b
Click here to see how to deploy it
If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11248
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11248 make deploy-local
I couldn't reproduce errors in check mode even before the changes. Some changes are interesting in this PR, but I believe most of the changes are not necessary since they have no effect. Maybe you could share more details on how to reproduce the errors in check mode, please?
Thanks for the help and feedback @marcusburghardt I rebased at 6abcf65a4740755f4de862e33c04f10a63cc39a5 and removed irrelevant changes, and applied the suggestion to use file instead of fileglob. In my setup the ansible playbooks in check mode now work ok for stig and pci-dss profiles. which was the initial intention.
@teacup-on-rockingchair , I am finishing some local tests but so far it is good. Could you only take a look in the "Automatus SLE15" failure, please? It seems legit:
ERROR - Terminating due to error: Couldn't install required packages: passwd.
Code Climate has analyzed commit 81add9c3 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.3% (0.0% change).
View more on Code Climate.
![codeclimate[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
Great. Now it is only necessary to update the references for stability tests and the required tests should pass.
Thanks @marcusburghardt :bow: I think the only issue in tests seemed to be network_sniffer_disabled test, which is container related if I understand it correctly
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR.