Include dracut filter to audit_rules_privileged_commands #11246

Merged
jan-cerny merged 4 commits into ComplianceAsCode:master from marcusburghardt:audit_rules_privileged_commands_dracut on Nov 6, 2023

Conversation

@marcusburghardt
Member

Description:

During tests it was noticed that dracut creates random temporary files which impact the OVAL assessment during the system installation or after rebooting the system.

The OVAL was extended to filter out dracut temporary files.
New test scenarios were included.

Rationale:

Review Hints:

Automatus tests should be enough.

The logic implemented in OVAL already prevents failures when there are
more audit rules than privileged commands in the system. One valid case
is when a package including privileged commands is removed from the
system. The audit rule will remain there, but the commands are no longer
present in the system. This is a valid case and the check should not
fail. A test scenario was included for this case.
During tests it was noticed that dracut creates random temporary files
which impact the OVAL assessment during the system installation or
after rebooting the system. This test scenario simulates a situation
where the audit rules are properly created and then some dracut files
are included in the system.
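To make the check described above concrete, the following is an added example written for this page; it is not the project's OVAL and not code from the PR. It models the rule in plain shell: privileged commands are the setuid/setgid regular files on the system, each must be named by a `-F path=... -F perm=x` audit rule, rules whose file no longer exists are tolerated (the package-removal case), and files under dracut's work directory are excluded. The dracut path pattern `^/var/tmp/dracut\.[^/]*/` is an assumption based on dracut building its image under a `mktemp` directory; the exact pattern used in the PR's OVAL is not shown on this page. The fixture (fake root, binaries, rules file) is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not the project's OVAL): model the audit_rules_privileged_commands
# check. Privileged commands are setuid/setgid regular files; each one must have a
# rule of the form "-a always,exit -F path=<cmd> -F perm=x ...". Rules without a
# matching file are tolerated, and files under dracut's work directory are ignored.
LC_ALL=C
export LC_ALL

# ASSUMPTION: dracut builds its image under a mktemp directory /var/tmp/dracut.XXXXXX
# and the copied binaries keep their setuid/setgid bits. The PR's real pattern is not
# shown on this page.
DRACUT_TMP_RE='^/var/tmp/dracut\.[^/]*/'

# Setuid/setgid regular files below the given root, printed with the root stripped.
privileged_commands() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s|^$1||" | sort -u
}

# path= targets of execution (perm=x) rules in an audit rules file.
audited_paths() {
    grep -E -- '-F perm=x' "$1" | sed -n 's/.*-F path=\([^ ]*\).*/\1/p' | sort -u
}

# Privileged commands with no rule: $1 root, $2 rules file, $3 optional exclude regex.
unaudited_commands() {
    local rules_tmp
    rules_tmp=$(mktemp)
    audited_paths "$2" > "$rules_tmp"
    privileged_commands "$1" | grep -Ev "${3:-$DRACUT_TMP_RE}" | comm -23 - "$rules_tmp"
    rm -f "$rules_tmp"
}

# Rules whose path no longer exists on disk (allowed, e.g. after a package removal).
extra_rules() {
    local cmds_tmp
    cmds_tmp=$(mktemp)
    privileged_commands "$1" | grep -Ev "${3:-$DRACUT_TMP_RE}" > "$cmds_tmp"
    audited_paths "$2" | comm -13 "$cmds_tmp" -
    rm -f "$cmds_tmp"
}

# Pass (exit 0) when every privileged command outside the excluded paths is audited.
check_privileged_rules() {
    [ -z "$(unaudited_commands "$1" "$2")" ]
}

# Constructed fixture: a fake root with setuid/setgid binaries, a dracut work
# directory holding a setuid copy of sudo, and a rules file with one stale rule.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/tmp/dracut.Ab12Cd/initramfs/usr/bin"
    for f in usr/bin/sudo usr/bin/passwd var/tmp/dracut.Ab12Cd/initramfs/usr/bin/sudo; do
        : > "$root/$f" && chmod 4755 "$root/$f"
    done
    : > "$root/usr/bin/wall" && chmod 2755 "$root/usr/bin/wall"
    cat > "$root/privileged.rules" <<'EOF'
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -k privileged
EOF
    echo "$root"
}

# Demo: without the filter the dracut copy of sudo is reported; with it the check passes
# even though one rule points at a command that is no longer on disk.
demo_root=$(make_fixture)
echo "unaudited without the dracut filter:"
unaudited_commands "$demo_root" "$demo_root/privileged.rules" '^$'
echo "unaudited with the dracut filter:"
unaudited_commands "$demo_root" "$demo_root/privileged.rules"
echo "rules with no command on disk (tolerated):"
extra_rules "$demo_root" "$demo_root/privileged.rules"
check_privileged_rules "$demo_root" "$demo_root/privileged.rules" && echo PASS || echo FAIL
rm -rf "$demo_root"
```

Passing `'^$'` as the third argument disables the exclusion, which reproduces the spurious failure the PR fixes: the setuid copy under the dracut work directory shows up as an unaudited privileged command. Adding a setuid file such as `/usr/bin/su` to the fixture without a rule makes the check fail as it should, which is the difference between this filter and simply ignoring all unmatched files.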
@marcusburghardt marcusburghardt added the labels bugfix (Fixes to reported bugs.), Test Suite (Update in Test Suite.) and OVAL (OVAL update. Related to the systems assessments.) on Nov 3, 2023
@marcusburghardt marcusburghardt added this to the 0.1.71 milestone on Nov 3, 2023
@qlty-cloud-legacy (Code Climate)

Code Climate has analyzed commit 17edecc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5%.


@jan-cerny jan-cerny self-assigned this Nov 6, 2023
@jan-cerny
Collaborator

/packit build

@jan-cerny jan-cerny left a comment

The Automatus CI jobs run all the scenarios as notapplicable, therefore I executed them locally against a virtual machine back end and they pass.

jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-0949/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1034/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1055/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1116/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1136/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1151/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 0e95e92 into ComplianceAsCode:master Nov 6, 2023
@marcusburghardt marcusburghardt deleted the audit_rules_privileged_commands_dracut branch November 6, 2023 14:57
jan-cerny added a commit to jan-cerny/contest that referenced this pull request Nov 9, 2023
This strange fail has been caused by Dracut temporary files
but in ComplianceAsCode/content#11246
we blocked these files in the OVAL, so now the rule won't
fail randomly and therefore we don't need the waiver.

Related to: https://issues.redhat.com/browse/RHEL-11938
matusmarhefka pushed a commit to RHSecurityCompliance/contest that referenced this pull request Nov 9, 2023
This strange fail has been caused by Dracut temporary files
but in ComplianceAsCode/content#11246
we blocked these files in the OVAL, so now the rule won't
fail randomly and therefore we don't need the waiver.

Related to: https://issues.redhat.com/browse/RHEL-11938

Development

Successfully merging this pull request may close these issues: Rules failing after hardening anssi_high profile on RHEL 7 on ppc64le