Update select rules for RHEL not to modify systemd units in /usr
Description:
- Update require_singleuser_auth to use drop-in files
- Update require_emergency_target_auth to use drop-in files
Rationale:
Help with RPM verify pass.
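Both rules now write their override to /etc/systemd/system/<unit>.d/10-oscap.conf instead of editing the packaged unit under /usr. The following is an added example, not code from the PR or the project, of writing that drop-in so that repeated runs converge and the vendor unit's ExecStart= is cleared before the sulogin value is set; SYSTEMD_ROOT is an assumed variable so it can run against a scratch directory.

```shell
# Assumed knob so the example can run against a scratch directory; the PR
# itself writes under /etc/systemd/system.
SYSTEMD_ROOT="${SYSTEMD_ROOT:-/etc/systemd/system}"
SULOGIN_SHELL="/usr/lib/systemd/systemd-sulogin-shell"

# write_sulogin_dropin <unit> <mode>, e.g. rescue.service rescue
write_sulogin_dropin() {
    unit="$1"; mode="$2"
    dir="${SYSTEMD_ROOT}/${unit}.d"
    file="${dir}/10-oscap.conf"
    mkdir -p "$dir"
    # '>' rewrites the file, so repeated runs converge on one block.
    # The empty ExecStart= clears the value set in the vendor unit under /usr;
    # without it systemd sees two ExecStart= lines on a non-oneshot unit.
    printf '[Service]\nExecStart=\nExecStart=-%s %s\n' \
        "$SULOGIN_SHELL" "$mode" > "$file"
    chmod 0644 "$file"
}

# check_sulogin_dropin <unit> <mode>: 0 when the drop-in carries the reset
# line and exactly one sulogin ExecStart= for the given mode, 1 otherwise.
check_sulogin_dropin() {
    unit="$1"; mode="$2"
    file="${SYSTEMD_ROOT}/${unit}.d/10-oscap.conf"
    [ -f "$file" ] || return 1
    grep -qx '\[Service\]' "$file" || return 1
    grep -qx 'ExecStart=' "$file" || return 1
    n=$(grep -cx "ExecStart=-${SULOGIN_SHELL} ${mode}" "$file")
    [ "$n" -eq 1 ]
}
```

A `systemctl daemon-reload` is still needed on a real system before the drop-in takes effect.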
This datastream diff is auto generated by the check Compare DS/Generate Diff
OVAL for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- oval:ssg-require_emergency_target_auth:def:1
+++ oval:ssg-require_emergency_target_auth:def:1
@@ -1,5 +1,9 @@
+criteria OR
criteria AND
criterion oval:ssg-test_require_emergency_service:tst:1
criterion oval:ssg-test_require_emergency_service_emergency_target:tst:1
criterion oval:ssg-test_no_custom_emergency_target:tst:1
criterion oval:ssg-test_no_custom_emergency_service:tst:1
+criterion oval:ssg-test_require_emergency_target_auth_drop_in_config_exist:tst:1
+criteria ONE
+criterion oval:ssg-test_require_emergency_service_drop_in:tst:1
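Review bot: the new drop-in branch (the `drop_in_config_exist` criterion plus the `criteria ONE` over `test_require_emergency_service_drop_in`) sits beside, not inside, the original AND that carries `test_no_custom_emergency_target` and `test_no_custom_emergency_service`, so a host with a correct drop-in and a custom emergency.target/emergency.service override elsewhere would still pass; if both paths are meant to exclude such overrides, lift those two criteria up under the new OR. Also, `criteria ONE` with a single child criterion is equivalent to the criterion alone; either drop the wrapper or add the second criterion it seems to anticipate.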
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -1,17 +1,16 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-service_file="/usr/lib/systemd/system/emergency.service"
+service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d"
+service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf"
sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
-if grep "^ExecStart=.*" "$service_file" ; then
- sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
-else
- echo "ExecStart=-$sulogin" >> "$service_file"
-fi
+mkdir -p "${service_dropin_cfg_dir}"
+echo "[Service]" >> "${service_dropin_file}"
+echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
else
>&2 echo 'Remediation is not applicable, nothing was done'
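Review bot: the two `echo ... >> "${service_dropin_file}"` lines append unconditionally, so every remediation run adds another `[Service]` header and `ExecStart=` line instead of converging; write the file with `>` (or guard with a grep) so the fix is idempotent. The drop-in also needs an empty `ExecStart=` reset line before the new value: emergency.service is not a oneshot unit, and systemd refuses to load a unit whose drop-in adds a second `ExecStart=` without first clearing the one from the packaged unit. Suggested body: `printf '[Service]\nExecStart=\nExecStart=-%s\n' "$sulogin" > "${service_dropin_file}"`, followed by `systemctl daemon-reload` so the change is picked up without a reboot.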
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -17,11 +17,12 @@
- restrict_strategy
- name: Require emergency mode password
- lineinfile:
+ ansible.builtin.blockinfile:
create: true
- dest: /usr/lib/systemd/system/emergency.service
- regexp: ^#?ExecStart=
- line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
+ block: |-
+ [Service]
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82186-8
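Review bot: the `block` writes only `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency` under `[Service]`; without a preceding empty `ExecStart=` line the drop-in adds a second ExecStart= to a non-oneshot unit and systemd will refuse to load emergency.service, so add `ExecStart=` as the first line of the block. This rule also uses `ansible.builtin.blockinfile` while the sibling rescue rule in this PR switches to `community.general.ini_file`; using the same module for both keeps the two generated drop-ins the same shape.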
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -1,14 +1,37 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-service_file="/usr/lib/systemd/system/rescue.service"
+found=false
-sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue"
+# set value in all files if they contain section or key
+for f in $(echo -n "/etc/systemd/system/rescue.service.d/10-oscap.conf"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
-if grep "^ExecStart=.*" "$service_file" ; then
- sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
-else
- echo "ExecStart=-$sulogin" >> "$service_file"
+ # find key in section and change value
+ if grep -qzosP "[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
+
+ sed -i "s/ExecStart[^(\n)]*/ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue/" "$f"
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "[[:space:]]*\[Service\]" "$f"; then
+
+ sed -i "/[[:space:]]*\[Service\]/a ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"
+
+ found=true
+ fi
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "/etc/systemd/system/rescue.service.d/10-oscap.conf" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[Service]\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> "$file"
+
fi
else
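Review bot: the line `sed -i "s/ExecStart[^(\n)]*/ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue/" "$f"` uses `/` as the s-command delimiter while the replacement itself contains `/usr/lib/systemd/...`, so sed exits with "unknown option to `s'" and the existing key is never updated; use a delimiter that does not occur in the path, e.g. `sed -i "s%^ExecStart.*%ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue%" "$f"` (the removed code already used `%`). The bracket class `[^(\n)]*` also excludes literal parentheses, which looks unintended; `ExecStart.*` is enough. Finally, both the `a` branch and the closing `echo -e "[Service]\nExecStart=..."` add a second `ExecStart=` without an empty `ExecStart=` reset line, which systemd rejects for non-oneshot units such as rescue.service.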
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -16,12 +16,13 @@
- require_singleuser_auth
- restrict_strategy
-- name: Require single user mode password
- lineinfile:
- create: true
- dest: /usr/lib/systemd/system/rescue.service
- regexp: ^#?ExecStart=
- line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+- name: Require Authentication for Single User Mode - Require emergency user mode
+ password
+ community.general.ini_file:
+ path: /etc/systemd/system/rescue.service.d/10-oscap.conf
+ section: Service
+ option: ExecStart
+ value: -/usr/lib/systemd/systemd-sulogin-shell rescue
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-80855-0
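Review bot: the task name "Require Authentication for Single User Mode - Require emergency user mode password" belongs to the emergency rule; this is the rescue (single user) rule, so the suffix should stay "Require single user mode password". The `ini_file` task writes `ExecStart = -/usr/lib/systemd/systemd-sulogin-shell rescue` (ini_file pads `=` with spaces unless `no_extra_spaces: true` is set; systemd strips them, but matching the bash output exactly avoids surprises in the OVAL check), yet no empty `ExecStart=` reset precedes it, so rescue.service ends up with two ExecStart= settings and fails to load. Since a single ini_file option cannot express both the reset and the value, consider writing the three-line block with one task as the emergency rule does.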
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12486
This image was built from commit: b560bc10eb7f6a7aa79bb877c5f5922c501cbd12
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12486
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12486 make deploy-local
Code Climate has analyzed commit 903b8519 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
@mildas Can we use the FQCN for community.general.ini_file?
@Mab879 Test doesn't accept community.general/ansible.posix modules FQCN. I have proposed a fix for the test and will re-run CI when it's merged.
This looks fine now:
jcerny@fedora:~/work/git/scap-security-guide (pr/12486)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 require_singleuser_auth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-10-31-1442/test_suite.log
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_require_singleuser_auth
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_dropin.pass.sh using profile (all) OK
INFO - Script wrong_dropin.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12486)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible require_singleuser_auth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-10-31-1443/test_suite.log
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_require_singleuser_auth
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_dropin.pass.sh using profile (all) OK
INFO - Script wrong_dropin.fail.sh using profile (all) OK