dod-compliance-and-automation
[vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook
Hi,
Vuln: VCLD-70-000013
Issue: There is a logic issue, stemming from the way lineinfile is used to enforce STIG requirements.
Fix: This can be fixed by first leveraging the lineinfile module to find and remove the entire block:
```yaml
- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 1 of 2
  lineinfile:
    path: '{{ var_conf_path }}'
    state: absent
    regex: '{{ item }}'
  with_items:
    - 'cgi.assign = \( \".pl\" => \"/usr/bin/perl\",'
    - '\".cgi\" => \"/usr/bin/perl\",'
    - '\".rb\" => \"/usr/bin/ruby\",'
    - '\".erb\" => \"/usr/bin/eruby\",'
    - '\".py\" => \"/usr/bin/python\" \)'
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - run_conf_set_cgi_assign | bool
```
Note: In the event this block of code changes, each item (or line) of code would need to be updated. Alternatively, this block could be put in place dynamically by first running a cat of the file, finding this block of code, registering the output, and then placing it in line by line.
Then, once the block is removed, add in the required items:
```yaml
- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 2 of 2
  blockinfile:
    path: '{{ var_conf_path }}'
    state: present
    insertafter: "## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini."
    block: |
      cgi.assign = (
        ".py" => "/usr/bin/python",
        ".cgi" => "/usr/bin/python",
        # 2
      )
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - run_conf_set_cgi_assign | bool
```
This code has already been implemented into the forked branch I created: https://github.com/HerbBoy/dod-compliance-and-automation
I think we need a new way to handle this one without so many assumptions being made. For example, we are assuming the lines you are trying to remove are the only possible options, and then we are assuming that comment exists and is exactly that.
Not sure of the best way to handle this.
@rlakey I agree. This, to me, was a patch job, as the existing logic did not work.
I have been exploring potential options but still have no solution.
To your point, though, what are the potential options? If we knew what they were, it would make solving this quite simple: iterate through the potential lines and, for those that exist, remove them.
Second issue: I do not know, but I doubt the location in which this statement is placed within the file matters; therefore a solution could be implemented that simply places these commands at the bottom of the file, after deleting the previous part.
@HerbBoy can you test the below to see if it handles all your use cases? It includes tab characters, as that is how the original values appear in the vCenter config file.
```yaml
# Title: VCLD-70-000013 - VAMI must remove all mappings to unused scripts (requires Ansible >= 2.4)
- name: See if cgi.assign exists in file
  shell: cat '{{ var_conf_path }}' | grep -e "^cgi\.assign\b" | wc -l
  register: exists
  changed_when: false

- name: Replace all between parens if it does not match (tabs match original vCenter value)
  ansible.builtin.replace:
    path: '{{ var_conf_path }}'
    after: 'cgi\.assign(\s*)=(\s*)\('
    before: '\)'
    regexp: '([^\)]+)'
    replace: ' ".py" => "/usr/bin/python",\n\t\t\t ".cgi" =>"/usr/bin/python" '
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - exists.stdout == "1"
    - run_conf_set_cgi_assign | bool

- name: Add cgi.assign setting to end of file if it is not there, with two values (tabs match original vCenter value)
  ansible.builtin.lineinfile:
    path: '{{ var_conf_path }}'
    line: "{{ item }}"
    create: yes
  with_items:
    - "cgi.assign = ( \".py\" => \"/usr/bin/python\","
    - "\t\t\t \".cgi\" =>\"/usr/bin/python\" )"
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - exists.stdout == "0"
    - run_conf_set_cgi_assign | bool
```
@freddyfeelgood This will work for the use cases I have tested. Apologies for the delay.
Values changed for this one again in U3d, so we need to see if those new entries can be removed.
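A general form of the logic the thread converges on, as an added example that is not code from the dod-compliance-and-automation project or from any participant above: find whatever active `cgi.assign` block the file currently has (regardless of which interpreters that build of vCenter ships), replace its whole span with exactly the required mappings, append a block if none exists, and report no change when the file is already compliant. It is written as a standalone Python script rather than Ansible tasks so the behaviour can be checked offline. The required mappings (`.py` and `.cgi` to `/usr/bin/python`) and the tab-indented continuation layout come from the thread; the sample config text is constructed, not a copy of the real VAMI file. It assumes lighttpd syntax for `cgi.assign` and that no quoted string inside the block contains a literal `)`.

```python
"""Idempotent enforcement of a lighttpd-style cgi.assign block.

Added example for the VCLD-70-000013 discussion; not project code.
Assumes the syntax  cgi.assign = ( "<ext>" => "<interpreter>", ... )
and that no quoted string in the block contains a literal ')'.
"""
import re
from typing import List, Optional, Tuple

Mapping = Tuple[str, str]

# The mappings the STIG fix wants left in place (values from the thread).
REQUIRED: Tuple[Mapping, ...] = (
    (".py", "/usr/bin/python"),
    (".cgi", "/usr/bin/python"),
)

# An active (uncommented) cgi.assign block, whatever it contains. Anchored
# at line start, so a commented-out "#cgi.assign" line is ignored. The body
# class excludes ')' and therefore spans continuation lines on its own.
BLOCK_RE = re.compile(
    r"^[ \t]*cgi\.assign[ \t]*=[ \t]*\((?P<body>[^)]*)\)[ \t]*$",
    re.MULTILINE,
)
# One `"ext" => "interpreter"` entry inside the block body.
ENTRY_RE = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')

# Constructed sample in the layout described above (tab-indented
# continuation lines); NOT the real VAMI lighttpd configuration.
SAMPLE = (
    'server.document-root = "/opt/vmware/share/htdocs"\n'
    "## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini.\n"
    '#cgi.assign = ( ".php" => "/usr/bin/php-cgi" )\n'
    'cgi.assign = ( ".pl" => "/usr/bin/perl",\n'
    '\t\t\t ".cgi" => "/usr/bin/perl",\n'
    '\t\t\t ".rb" => "/usr/bin/ruby",\n'
    '\t\t\t ".erb" => "/usr/bin/eruby",\n'
    '\t\t\t ".py" => "/usr/bin/python" )\n'
    'mimetype.assign = ( ".html" => "text/html" )\n'
)


def parse_cgi_assign(text: str) -> Optional[List[Mapping]]:
    """Return the mappings of the first active cgi.assign block, or None."""
    m = BLOCK_RE.search(text)
    if m is None:
        return None
    return [(ext, interp) for ext, interp in ENTRY_RE.findall(m.group("body"))]


def unused_mappings(text: str, required=REQUIRED) -> List[Mapping]:
    """Mappings present in the file but not required: what a check would flag."""
    current = parse_cgi_assign(text) or []
    return [m for m in current if m not in required]


def render_block(mappings) -> str:
    """Render a block in the tab-indented layout used by the shipped file."""
    entries = [f'"{ext}" => "{interp}"' for ext, interp in mappings]
    return "cgi.assign = ( " + ",\n\t\t\t ".join(entries) + " )"


def enforce_cgi_assign(text: str, required=REQUIRED) -> Tuple[str, bool]:
    """Return (new_text, changed).

    No active block      -> append one containing exactly `required`.
    Block differs        -> replace its whole span, wherever it sits.
    Block already equal  -> return the text untouched, changed=False.
    Any additional active blocks are removed so only one remains.
    """
    matches = list(BLOCK_RE.finditer(text))
    if not matches:
        sep = "" if text.endswith("\n") or not text else "\n"
        return text + sep + render_block(required) + "\n", True
    if parse_cgi_assign(text) == list(required) and len(matches) == 1:
        return text, False
    out = text[: matches[0].start()] + render_block(required)
    prev_end = matches[0].end()
    for extra in matches[1:]:  # drop duplicates left by earlier bad edits
        out += text[prev_end:extra.start()]
        prev_end = extra.end()
    out += text[prev_end:]
    return out, True


if __name__ == "__main__":
    print("to remove:", unused_mappings(SAMPLE))
    fixed, changed = enforce_cgi_assign(SAMPLE)
    print("changed:", changed)
    print(fixed)
```

Because the match is on the block structure rather than on a fixed list of lines, a release that ships different interpreter entries needs no change to the regexes, and the `changed` flag is accurate on a second run, which is what makes a `notify: restart vami` handler fire only when the file actually moved. The script could be delivered through a `script` or `copy` task, or the same logic wrapped as a small custom module.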