fix ansible SLES stig remediations in check mode#11248
Conversation
teacup-on-rockingchair
added
Ansible
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' differs.
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -1,3 +1,20 @@
+- name: Configure AIDE to Verify the Audit Tools - Gather List of Packages
+ tags:
+ - CCE-85964-5
+ - DISA-STIG-RHEL-08-030650
+ - NIST-800-53-AU-9(3)
+ - NIST-800-53-AU-9(3).1
+ - aide_check_audit_tools
+ - aide_check_audit_tools
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ ansible.builtin.package_facts:
+ manager: auto
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+
- name: Ensure aide is installed
package:
name: '{{ item }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -45,7 +45,7 @@
replace: \g<1>\g<2>+acl
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''aide'' in ansible_facts.packages'
+ - find_rules_groups_results is not skipped and "'aide' in ansible_facts.packages"
with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}'
tags:
- CCE-84220-3
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -45,7 +45,7 @@
replace: \g<1>\g<2>+xattrs
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '''aide'' in ansible_facts.packages'
+ - find_rules_groups_results is not skipped and "'aide' in ansible_facts.packages"
with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}'
tags:
- CCE-83733-6
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -22,7 +22,7 @@
with_items: '{{ users_nopasswd.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - users_nopasswd.stdout_lines | length > 0
+ - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0
tags:
- CCE-85953-8
- DISA-STIG-RHEL-08-010121
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -100,7 +100,7 @@
- no_reboot_needed
- restrict_strategy
-- name: Update Update /etc/audit/audit.rules to audit privileged functions
+- name: Update /etc/audit/audit.rules to audit privileged functions
ansible.builtin.lineinfile:
path: /etc/audit/audit.rules
line: '{{ item.rule }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' differs.
--- xccdf_org.ssgproject.content_rule_network_sniffer_disabled
+++ xccdf_org.ssgproject.content_rule_network_sniffer_disabled
@@ -25,7 +25,7 @@
loop: '{{ network_interfaces.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - item.split(':')
+ - network_interfaces.stdout_lines is defined and "item.split(':') | length == 3"
tags:
- CCE-82283-3
- DISA-STIG-RHEL-08-040330 |
|
@teacup-on-rockingchair , could you resolve the conflict in this PR, please? |
teacup-on-rockingchair
force-pushed
the
sle15_fix_ansible_stig_remediations
branch
from
6b6929a to
dfd5a13
Compare
Hi @marcusburghardt any issues with the PR that disturbs you? |
marcusburghardt
left a comment
marcusburghardt
left a comment
There was a problem hiding this comment.
I have some comments about the new criteria included in the conditionals. Could you take a look, please?
|
In automatus tests for CS8, CS9 and Fedora this error is appearing: |
teacup-on-rockingchair
force-pushed
the
sle15_fix_ansible_stig_remediations
branch
from
542df1f to
ff4f931
Compare
|
/packit retest-failed |
|
/packit test |
Hi @marcusburghardt I cannot seem to understand how the changes made have connection to the failing tests, that are preventing the PR for merging can you give me some hints here, so we can push this one through? |
Hi @teacup-on-rockingchair , I noticed a weakness in Once this PR is merged, I would recommend to rebase your PR. |
teacup-on-rockingchair
force-pushed
the
sle15_fix_ansible_stig_remediations
branch
from
ff4f931 to
e2d1e21
Compare
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
marcusburghardt
left a comment
marcusburghardt
left a comment
There was a problem hiding this comment.
I couldn't reproduce errors in check mode even before the changes. Some changes are interesting in this PR, but I believe most of the changes are not necessary since they have no effect. Maybe you could share more details on how to reproduce the errors in check mode, please?
teacup-on-rockingchair
force-pushed
the
sle15_fix_ansible_stig_remediations
branch
from
e2d1e21 to
a563a54
Compare
Thanks for the help and feedback @marcusburghardt I rebased at 6abcf65 and removed irrelevant changes, and applied the suggestion to use file instead of fileglob. In my setup the ansible playbooks in check mode now work ok for stig and pci-dss profiles. which was the initial intention. |
|
@teacup-on-rockingchair , I am finishing some local tests but so far it is good. |
Make sure that dependencies on passwd package are interpreted for that platform. Thanks to @marcusburghardt for raising the flag on that 🙇
teacup-on-rockingchair
force-pushed
the
sle15_fix_ansible_stig_remediations
branch
from
9ed6012 to
beafb08
Compare
marcusburghardt
left a comment
marcusburghardt
left a comment
There was a problem hiding this comment.
Great. Now it is only necessary to update the references for stability tests and the required tests should pass.
|
Code Climate has analyzed commit 81add9c and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change). View more on Code Climate. |
Thanks @marcusburghardt 🙇 I think the only issue in tests seemed to be network_sniffer_disabled test, which is container related if I understand it correctly |
|
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR. |
5 participants
Description:
Rationale:
Fix ansible remediations run in check mode for rules part of the SLE STIG profile
Add var_accounts_tmout variable definition for PCI profile used in accounts_tmout rule