
Fix #11910

Open marcofortina opened this issue 9 months ago • 16 comments

Description:

  • Revert (only on Ubuntu and SLES) changes to CIS v1.0.0 "5.5.2 Ensure system accounts are secured"

Rationale:

  • In PR #11896, the valid login shell /bin/false was removed, generating a false failed check for rule "5.5.2 Ensure system accounts are secured" on Ubuntu 22.04 LTS.

  • Fixes #11910

marcofortina avatar May 02 '24 09:05 marcofortina

Hi @marcofortina. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar May 02 '24 09:05 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar May 02 '24 09:05 github-actions[bot]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11927 This image was built from commit: ca7d5b2200980ee2412ed024993eeb6c115fef41

Click here to see how to deploy it

If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11927

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11927 make deploy-local

github-actions[bot] avatar May 02 '24 09:05 github-actions[bot]

@marcofortina I don't think reverting here is an option. You should work on a specific ubuntu fix, rather than changing other products

dodys avatar May 02 '24 09:05 dodys

@marcofortina I don't think reverting here is an option. You should work on a specific ubuntu fix, rather than changing other products

done

marcofortina avatar May 02 '24 10:05 marcofortina

without this PR:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  fail

with this PR:

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result  pass

marcofortina avatar May 02 '24 10:05 marcofortina

@teacup-on-rockingchair could you check the failing test? Not sure it is a new issue or not.

dodys avatar May 06 '24 08:05 dodys

@teacup-on-rockingchair could you check the failing test? Not sure it is a new issue or not.

I'm not sure, but it seems that rule evaluation for xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts fails on SLES15 (maybe /bin/false is also used on SLES?)

marcofortina avatar May 06 '24 09:05 marcofortina

I confirm. Also SLES15 uses /bin/false:

image

marcofortina avatar May 06 '24 11:05 marcofortina

I confirm. Also SLES15 uses /bin/false:

image

Could you include sle15 in the condition, please? FYI @teacup-on-rockingchair

marcusburghardt avatar May 06 '24 11:05 marcusburghardt

I confirm. Also SLES15 uses /bin/false: image

Could you include sle15 in the condition, please? FYI @teacup-on-rockingchair

done, but I included SLE because /bin/false is also used in releases before SLES15

marcofortina avatar May 06 '24 11:05 marcofortina
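The acceptance logic being discussed, as an added example in POSIX shell (not ComplianceAsCode's own OVAL or bash check): a simplified evaluation of the rule over a constructed /etc/passwd sample. It assumes UID_MIN is 1000, that root, sync, shutdown and halt are exempt, that /sbin/nologin and /usr/sbin/nologin are accepted for every product, and that /bin/false is accepted only for ubuntu* and sle* products, which is the set this PR restores.

```shell
#!/bin/sh
# Added example, not the project's own check: a simplified evaluation of
# "system accounts must not run a shell upon login", to show why dropping
# /bin/false from the accepted set produces false failures on Ubuntu/SLE.
UID_MIN=1000   # assumption; a real check would read it from /etc/login.defs

# Constructed /etc/passwd sample resembling an Ubuntu 22.04 host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
snapd:x:998:998::/nonexistent:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash'

# shell_is_nologin SHELL PRODUCT: returns 0 if SHELL counts as a non-login shell.
shell_is_nologin() {
  case "$1" in
    /sbin/nologin|/usr/sbin/nologin) return 0 ;;
    /bin/false)
      # Accepted only where the distro itself uses it (what this PR restores).
      case "$2" in
        ubuntu*|sle*) return 0 ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# list_offenders PRODUCT: reads passwd lines on stdin and prints "user:shell"
# for every system account (UID below UID_MIN) that keeps a login shell.
list_offenders() {
  while IFS=: read -r user _ uid _ _ _ shell; do
    [ -n "$uid" ] && [ "$uid" -lt "$UID_MIN" ] || continue
    case "$user" in root|sync|shutdown|halt) continue ;; esac
    shell_is_nologin "$shell" "$1" || printf '%s:%s\n' "$user" "$shell"
  done
}

# evaluate PRODUCT: prints any offenders followed by pass/fail, mirroring the
# oscap "Result" line; returns 0 on pass and 1 on fail.
evaluate() {
  offenders=$(printf '%s\n' "$SAMPLE_PASSWD" | list_offenders "$1")
  if [ -z "$offenders" ]; then echo pass; return 0; fi
  printf '%s\nfail\n' "$offenders"; return 1
}

evaluate "${SSG_PRODUCT:-ubuntu2204}"   # e.g. SSG_PRODUCT=rhel9 sh check.sh
```

With the same passwd data, ubuntu2204 and sle15 pass while rhel9 reports snapd:/bin/false and fails, which is exactly the false failure the PR description reports once /bin/false leaves the accepted set for those products.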

Code Climate has analyzed commit ca7d5b22 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

codeclimate[bot] avatar May 06 '24 11:05 codeclimate[bot]

@marcofortina there is still one test failing on sles

dodys avatar May 06 '24 12:05 dodys

@marcofortina there is still one test failing on sles

Yes :(

I'm installing a SLES15 vm right now to check the patched rule.

marcofortina avatar May 06 '24 13:05 marcofortina

Checked manually on SLES15 vm.

With this PR:

localhost:~/scap-security-guide/build # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts ssg-sle15-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Ident   CCE-85672-4
Result  pass

Without this PR:

localhost:~/scap-security-guide/build # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts ssg-sle15-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Ensure that System Accounts Do Not Run a Shell Upon Login
Rule    xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Ident   CCE-85672-4
Result  fail

I don't understand why "Automatus SLE15 / Run Tests (pull_request) " fails.

marcofortina avatar May 06 '24 13:05 marcofortina

ERROR - Rule 'no_shelllogin_for_systemaccounts' test setup script 'system_user_with_shell.fail.sh' failed with exit code 6
ERROR - Environment failed to prepare, skipping test
INFO - Script last_uid_min.pass.sh using profile (all) OK
Error: Process completed with exit code 1.

I'm not sure this is related to my changes. Any idea?

marcofortina avatar May 06 '24 13:05 marcofortina

ERROR - Rule 'no_shelllogin_for_systemaccounts' test setup script 'system_user_with_shell.fail.sh' failed with exit code 6
ERROR - Environment failed to prepare, skipping test
INFO - Script last_uid_min.pass.sh using profile (all) OK
Error: Process completed with exit code 1.

I'm not sure this is related to my changes. Any idea?

@teacup-on-rockingchair could you please take a look at this?

dodys avatar May 10 '24 07:05 dodys