
fix aide_build_database rule and remediation to work with sles 12 and 15 #8287

Merged

Conversation

brett060102 (Contributor)

The aide_build_database check and remediation, which is in the CIS profile for sle12 and sle15, does not work for SLE 12/15.

Description:

  • There were a number of issues:

  • oval/shared.xml
    assumed aide.conf had:
    @@define DBDIR /path
    database_out=file:@@{DBDIR}/filename
    database=file:@@{DBDIR}/filename
    SLE 12 and 15 do not use @@{DBDIR}; they just have:
    database_out=file:/path/file
    database=file:/path/file

  • in remediation
    1: bash was not enabled for sle
    2: sle uses /var/lib/aide/aide.db.new and /var/lib/aide/aide.db, not /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz
    3: path to aide is /usr/bin/aide as opposed to /usr/sbin/aide --init

  • in the rule.yml:
    Need to make it sle-aware for file name and path differences.
    Since .gz vs not gz also applied to ubuntu, needed to re-code some
    {{% if not in product %}} to
    {{% if 'ubuntu' in product or 'sle' in product %}}

Rationale:

  • get aide_build_database working for sle 12/15

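The description above boils down to two things the rule has to get right on every product: where aide.conf says the database lives (macro-expanded `@@{DBDIR}` paths on RHEL-like systems, plain `file:/path` on SLE 12/15), and which binary and file names the remediation uses to build it. The following shell script is an added example, not ComplianceAsCode's OVAL or remediation code: it resolves both config styles, checks whether the configured database exists (the condition aide_build_database is really testing), and runs an init that moves `database_out` into place as `database`. The binary defaults and `--config` flag are assumptions based on the paths quoted in the PR; sample configs in the usage are constructed.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code). Resolve AIDE database paths from
# an aide.conf written in either style:
#   @@define DBDIR /var/lib/aide
#   database_out=file:@@{DBDIR}/aide.db.new.gz     (RHEL/Fedora style)
#   database=file:/var/lib/aide/aide.db            (SLE 12/15 style)

# resolve_aide_db CONF KEY
#   Prints the path configured for KEY ("database" or "database_out") with any
#   @@{NAME} macro expanded from the matching "@@define NAME value" line and the
#   "file:" scheme stripped. Returns 1 if KEY or a referenced macro is missing.
resolve_aide_db() {
    conf=$1; key=$2
    # last assignment wins (assumption: mirrors how aide itself reads the file)
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
    [ -n "$val" ] || return 1
    # expand @@{NAME} macros until none are left
    while printf '%s\n' "$val" | grep -q '@@{[A-Za-z_][A-Za-z0-9_]*}'; do
        name=$(printf '%s\n' "$val" | sed -n 's/.*@@{\([A-Za-z_][A-Za-z0-9_]*\)}.*/\1/p')
        def=$(sed -n "s/^[[:space:]]*@@define[[:space:]]\{1,\}${name}[[:space:]]\{1,\}//p" "$conf" | tail -n 1)
        [ -n "$def" ] || return 1          # macro used but never defined
        val=$(printf '%s\n' "$val" | sed "s|@@{${name}}|${def}|g")
    done
    printf '%s\n' "${val#file:}"
}

# aide_database_present CONF
#   Returns 0 when the file named by "database=" exists: the check side of
#   aide_build_database, independent of whether the name ends in .gz or not.
aide_database_present() {
    db=$(resolve_aide_db "$1" database) || return 1
    [ -f "$db" ]
}

# aide_build_database CONF [AIDE_BIN]
#   Remediation side: run "aide --init" and install database_out as database.
#   AIDE_BIN is /usr/sbin/aide on RHEL-like systems and /usr/bin/aide on SLE
#   (per the PR description); it is a parameter here so a caller can pick.
aide_build_database() {
    conf=$1; aide_bin=${2:-/usr/sbin/aide}
    out=$(resolve_aide_db "$conf" database_out) || return 1
    db=$(resolve_aide_db "$conf" database) || return 1
    "$aide_bin" --config="$conf" --init || return 1
    [ -f "$out" ] || return 1             # init did not write where the config says
    cp -p "$out" "$db"
}

# Usage (constructed SLE-style config, run as root on a real host):
#   printf 'database_out=file:/var/lib/aide/aide.db.new\ndatabase=file:/var/lib/aide/aide.db\n' > /tmp/aide.conf
#   aide_database_present /tmp/aide.conf || aide_build_database /tmp/aide.conf /usr/bin/aide
```

The lookup keys on the exact option name, so a config that uses the newer `database_in` spelling accepted by AIDE 0.17 and later needs that key passed instead of `database`; the check also deliberately fails closed when a macro is referenced but never defined, which is the case the original OVAL silently mishandled on SLE.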

jan-cerny (Collaborator)

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Mar 4, 2022
@Mab879 Mab879 added SLES SUSE Linux Enterprise Server product related. Update Rule Issues or pull requests related to Rules updates. labels Mar 4, 2022
@Mab879 Mab879 self-assigned this Mar 4, 2022
Mab879 (Member) left a comment

Thanks for the PR. Just one minor change to keep everything consistent.

…de/aide_build_database/ansible/shared.yml

Co-authored-by: Matthew Burket <m@tthewburket.com>
brett060102 (Contributor, Author)

Accepted suggestion. Thought about that initially, but don't like changing behavior for releases that I am not working on.

brett060102 (Contributor, Author)

@Mab879 requested change has been made.

Mab879 (Member) left a comment

Thanks!

@Mab879 Mab879 added this to the 0.1.61 milestone Mar 7, 2022
@Mab879 Mab879 merged commit bf82c95 into ComplianceAsCode:master Mar 7, 2022
@brett060102 brett060102 deleted the suse-fix-aide_build_database branch June 28, 2023 20:51