
Ansible remediations are using not permitted shell commands #10852

Closed
cortesana opened this issue Jul 17, 2023 · 4 comments · Fixed by #10887
productization-issue Issue found in upstream stabilization process.

Comments

@cortesana
Contributor

cortesana commented Jul 17, 2023

Description of problem:

Ansible remediations are using shell commands that are not allowed.

SCAP Security Guide Version:

master branch as of 2023-07-14

Operating System Version:

RHEL 9.2, RHEL 8.8, RHEL 7.9

Steps to Reproduce:

  1. Generate Ansible playbook.
  2. Run:
     python3 get_shell_modules_content.py playbook.yml > playbook_shell_commands
  3. Check that playbook (playbook.yml) contains only allowed shell commands by running:
     python3 files_lines_diff.py ./allowed_rhel_shell_commands playbook_shell_commands

Actual Results:

[  BEGIN   ] :: Playbook playbook.yml contains only allowed shell commands :: actually running 'python2 files_lines_diff.py ./allowed_rhel_shell_commands playbook_shell_commands'
dconf update
df --local | awk '{print $6}' | grep -v Mounted | grep -v '^/dev' || true
LC_ALL=C grep "^[A-Z][A-Za-z_]*" /etc/aide.conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u || true
[   FAIL   ] :: Playbook playbook.yml contains only allowed shell commands (Expected 0, got 1)

Expected Results:

[   PASS   ] :: Playbook /tmp/tmp.AOkbClcQWH/playbook.yml contains only allowed shell commands (Expected 0, got 0)

Additional Information/Debugging Steps:

@cortesana cortesana added the productization-issue Issue found in upstream stabilization process. label Jul 17, 2023
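The check described in the reproduction steps, as an added example that is not the project's own get_shell_modules_content.py or files_lines_diff.py: walk a parsed playbook (the structure yaml.safe_load would return), collect the command lines passed to the shell/command/raw modules, including tasks nested in block/rescue/always, and report those missing from an allowlist. The playbook tasks and the allowlist contents are constructed for the example; the module names are the real Ansible ones.

```python
"""Added example (not ComplianceAsCode tooling): extract commands run through
shell-type modules from a parsed Ansible playbook and diff them against an
allowlist, mirroring the steps in the issue.  Standard library only."""

# Module names whose argument is a command line executed on the target.
SHELL_MODULES = {
    "shell", "command", "raw",
    "ansible.builtin.shell", "ansible.builtin.command", "ansible.builtin.raw",
}
# Keys whose value is a list of tasks (at play level and inside block tasks).
TASK_LIST_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                  "block", "rescue", "always")

# Constructed playbook, i.e. what yaml.safe_load("playbook.yml") would yield.
PLAYBOOK = [
    {
        "name": "Constructed remediation playbook",
        "hosts": "all",
        "tasks": [
            {"name": "Update dconf database", "shell": "dconf update"},
            {
                "name": "List local mount points",
                "ansible.builtin.shell": {
                    "cmd": "df --local | awk '{print $6}' | grep -v Mounted "
                           "| grep -v '^/dev' || true"
                },
            },
            {
                "name": "Nested block",
                "block": [
                    {"name": "Check firewalld",
                     "command": "systemctl is-active firewalld"},
                ],
            },
            {"name": "Native module, not a shell call",
             "ansible.builtin.file": {"path": "/etc/example", "mode": "0600"}},
        ],
    }
]

# Constructed allowlist (one command per line, like allowed_rhel_shell_commands).
ALLOWED_COMMANDS_TEXT = """\
# comment lines are ignored
systemctl is-active firewalld
"""


def _command_text(value):
    """Normalise the string or dict form of a shell/command argument to one line."""
    if isinstance(value, str):
        return " ".join(value.split())  # collapse newlines and repeated spaces
    if isinstance(value, dict):
        for key in ("cmd", "_raw_params"):
            if key in value:
                return " ".join(str(value[key]).split())
    return None


def extract_shell_commands(tasks):
    """Recursively collect every command passed to a shell-type module."""
    found = []
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        for module in SHELL_MODULES:
            if module in task:
                text = _command_text(task[module])
                if text:
                    found.append(text)
        for key in TASK_LIST_KEYS:
            if isinstance(task.get(key), list):
                found.extend(extract_shell_commands(task[key]))
    return found


def playbook_shell_commands(playbook):
    """All shell-type commands in all plays, in playbook order."""
    commands = []
    for play in playbook:
        commands.extend(extract_shell_commands([play]))  # plays hold tasks/handlers keys
    return commands


def parse_allowlist(text):
    """Allowlist file contents -> set of normalised command lines."""
    return {" ".join(line.split()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def disallowed_commands(commands, allowlist):
    """Commands present in the playbook but absent from the allowlist."""
    return sorted(set(commands) - allowlist)


def check_playbook(playbook=PLAYBOOK, allowlist_text=ALLOWED_COMMANDS_TEXT):
    """Return (disallowed commands, exit code); exit code 0 means the check passes."""
    bad = disallowed_commands(playbook_shell_commands(playbook),
                              parse_allowlist(allowlist_text))
    return bad, (1 if bad else 0)


if __name__ == "__main__":
    bad, rc = check_playbook()
    for line in bad:
        print(line)
    print(f"Expected 0, got {rc}")
```

Run against the constructed playbook, the two commands from the issue are reported and the exit code is 1; adding them to the allowlist (or to a separate exceptions file handled the same way) makes the check pass.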
@ggbecker
Member

Do you have the list of commands that are being executed and in which files they are present?

@cortesana
Contributor Author

Do you have the list of commands that are being executed and in which files they are present?

Added the list of commands executed to the Actual Results section.

@marcusburghardt
Member

I sent the #10887 PR to fix the following two lines:

dconf update
df --local | awk '{print $6}' | grep -v Mounted | grep -v '^/dev' || true

The third line:

LC_ALL=C grep "^[A-Z][A-Za-z_]*" /etc/aide.conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u || true

is used by these two rules:

  • aide_verify_acls
  • aide_verify_ext_attributes

But I didn't find any simple way to replace the respective Ansible task. It is possible, but would require a refactoring of the Playbook and more detailed tests to ensure most of the cases are covered. My proposal is to include this line in the exceptions at the moment. Would you agree, @cortesana and @mildas?

@mildas
Contributor

mildas commented Jul 21, 2023

@marcusburghardt Yes, I agree. Thank you for the fix!

This issue was closed.