various small fixes to RHEL 7 and RHEL 8 CIS #11487
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vojtapolasek
added
Update Profile
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
/packit retest-failed |
jan-cerny
approved these changes
Jan 26, 2024
jan-cerny
requested changes
Jan 26, 2024
| @@ -2490,7 +2499,7 @@ controls: | |||
| - auditd_data_retention_action_mail_acct | |||
| - var_auditd_action_mail_acct=root | |||
| - auditd_data_retention_admin_space_left_action | |||
| - var_auditd_admin_space_left_action=halt | |||
| - var_auditd_admin_space_left_action=cis_rhel7 | |||
There was a problem hiding this comment.
Unfortunately, the rule auditd_data_retention_admin_space_left_action isn't able to accept a multiple value variable. I believe this is the reason of the CI fail, the rule service_auditd_enabled fails because auditd can't start because its configuration is broken because the remediation of this rule inserts both values there which is an invalid config. The OVAL, Bash and Ansible need to be changed to handle this. We have done a similar change in auditd_data_retention_space_left_action , so you can do the same thing here
|
@vojtapolasek please rebase this. |
used in CIS for RHEL 7
the policy is the same for RHEL 7 and RHEL 8
it is the same as the section for RHEL 8
it is the same as RHEL 7
currently the configuration expressed in the control file is suggesting using rsyslog with journald forwarded to rsyslog
it is like that in RHEL 8 policy. I think it makes sense to automate this control since it is applicable only to level 2 server profile.
The configuration is similar to RHEL 7 policy. The way in which it is done in RHEL 7 is more flexible. It allows multiple values to be accepted, e.g. both halt and single. In case of remediation, halt is used.
aligns better with the policy
it is more flexible and aligned with the policy
vojtapolasek
force-pushed
the
cis_fixes
branch
from
b51dc83
to
58be005
Compare
|
Hello, @jan-cerny I modified the rule |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -179,6 +179,9 @@
RHEL-08-010370
[reference]:
+1.2.2
+
+[reference]:
SV-230264r880711_rule
[rationale]:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
@@ -3,6 +3,8 @@
var_auditd_admin_space_left_action=''
+
+var_auditd_admin_space_left_action="$(echo $var_auditd_admin_space_left_action | cut -d \| -f 1)"
AUDITCONFIG=/etc/audit/auditd.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
@@ -27,7 +27,8 @@
- name: Configure auditd admin_space_left Action on Low Disk Space
lineinfile:
dest: /etc/audit/auditd.conf
- line: admin_space_left_action = {{ var_auditd_admin_space_left_action }}
+ line: admin_space_left_action = {{ var_auditd_admin_space_left_action .split('|')[0]
+ }}
regexp: ^\s*admin_space_left_action\s*=\s*.*$
state: present
create: true |
|
@vojtapolasek thanks |
|
Code Climate has analyzed commit 58be005 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.3% (0.0% change). View more on Code Climate. |
|
/packit retest-failed |
jan-cerny
approved these changes
Jan 26, 2024
There was a problem hiding this comment.
The Automatus test scenarios pass locally when executed against a RHEL 8 virtual machine back end:
jcerny@fedora:~/work/git/scap-security-guide (pr/11487)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 auditd_data_retention_admin_space_left_action
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-26-1703/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
INFO - Script admin_space_left_action_email.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_exec.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_halt.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_halt_cis.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script admin_space_left_action_ignore.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_not_there.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_rotate.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_single.pass.sh using profile (all) OK
INFO - Script admin_space_left_action_suspend.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_syslog.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_email_cis.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11487)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible auditd_data_retention_admin_space_left_action
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-26-1710/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
INFO - Script admin_space_left_action_email.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_exec.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_halt.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_halt_cis.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script admin_space_left_action_ignore.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_not_there.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_rotate.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_single.pass.sh using profile (all) OK
INFO - Script admin_space_left_action_suspend.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_syslog.fail.sh using profile (all) OK
INFO - Script admin_space_left_action_email_cis.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
I believe the fail we can see in the GitHub Actions Automatus job is caused by a collision with the removal of prodtype, specifically, the automatus's option --add-product-to-fips-certified fedora that is used by the GitHub Actions job is broken. However, this problem isn't caused by the contents of this PR.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Rationale:
Review Hints: