Remove similar test scenarios on rules templated by file_groupownership #8755
Conversation
It seems you forgot rule file_groupownership_audit_configuration.
I picked some rules randomly to test and of those, root_permissions_syslibrary_files and file_groupownership_audit_configuration are failing on incorrect_groupowner.fail.sh.
Could you check what is wrong with them?
It was not forgotten. I won't include this rule in this PR. Its custom test scenarios install a package and this case will not be covered in this PR.
I investigated the
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,13 +1,10 @@
-find /lib/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /lib/ -type d -exec chgrp 0 {} \;
+find -H /lib64/ -type d -exec chgrp 0 {} \;
-find /lib64/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /usr/lib/ -type d -exec chgrp 0 {} \;
-
-find /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
-
-
-find /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /usr/lib64/ -type d -exec chgrp 0 {} \;
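Review bot: `-type d` in the new bash remediation restricts the `chgrp` to directories, so a regular library file with a wrong group under /lib/, /lib64/, /usr/lib/ or /usr/lib64/ is never corrected; that matches the report above that root_permissions_syslibrary_files still fails on incorrect_groupowner.fail.sh. Drop the type filter (or use `-type f`, which is what the rule name and the old `-type f` predicate imply), and keep the old `! -gid 0` predicate so only offending entries are touched, e.g. `find -H /lib/ ! -gid 0 -exec chgrp 0 {} \;`. Note that removing `-maxdepth 1` also turns this into a full recursive walk; make sure the OVAL check and the Ansible remediation agree on that scope.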
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,9 @@
-- name: Find /lib/ file(s) matching ^.*$
- command: find -H /lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
+- name: Ensure group owner on /lib/ recursively
+ file:
+ path: /lib/
+ state: directory
+ recurse: true
+ group: '0'
tags:
- CCE-86523-8
- DISA-STIG-RHEL-08-010350
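Review bot: `recurse: true` with `state: directory` changes the group of every file and directory under /lib/, whereas the bash remediation in the same datastream only touches directories (`-type d`); both remediations should leave a system in the same state, so one of the two needs to change. Also, on RHEL 8 (see the DISA-STIG-RHEL-08 tag) /lib is a symlink to /usr/lib and the `file` module follows symlinks by default (`follow: yes` since Ansible 2.5), so this task and the later /usr/lib/ task walk the same tree twice; harmless, but worth a comment in the task or a single task looping over the four paths.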
@@ -16,13 +16,12 @@
- no_reboot_needed
- root_permissions_syslibrary_files
-- name: Ensure group owner on /lib/ file(s) matching ^.*$
+- name: Ensure group owner on /lib64/ recursively
file:
- path: '{{ item }}'
+ path: /lib64/
+ state: directory
+ recurse: true
group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
tags:
- CCE-86523-8
- DISA-STIG-RHEL-08-010350
@@ -35,12 +34,12 @@
- no_reboot_needed
- root_permissions_syslibrary_files
-- name: Find /lib64/ file(s) matching ^.*$
- command: find -H /lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
+- name: Ensure group owner on /usr/lib/ recursively
+ file:
+ path: /usr/lib/
+ state: directory
+ recurse: true
+ group: '0'
tags:
- CCE-86523-8
- DISA-STIG-RHEL-08-010350
@@ -53,13 +52,12 @@
- no_reboot_needed
- root_permissions_syslibrary_files
-- name: Ensure group owner on /lib64/ file(s) matching ^.*$
+- name: Ensure group owner on /usr/lib64/ recursively
file:
- path: '{{ item }}'
+ path: /usr/lib64/
+ state: directory
+ recurse: true
group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
tags:
- CCE-86523-8
- DISA-STIG-RHEL-08-010350
@@ -71,77 +69,3 @@
- medium_severity
- no_reboot_needed
- root_permissions_syslibrary_files
-
-- name: Find /usr/lib/ file(s) matching ^.*$
- command: find -H /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Ensure group owner on /usr/lib/ file(s) matching ^.*$
- file:
- path: '{{ item }}'
- group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Find /usr/lib64/ file(s) matching ^.*$
- command: find -H /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Ensure group owner on /usr/lib64/ file(s) matching ^.*$
- file:
- path: '{{ item }}'
- group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files |
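Review bot: with the `find`/`register` pairs removed, `check_mode: false` and `failed_when: false` disappear from this remediation, which is an improvement, but the deleted tasks were the only place the Ansible remediation limited itself to entries with `! -gid 0`. The `file` module skips entries whose group is already `0`, so idempotency still holds; please confirm that incorrect_groupowner.fail.sh sets a wrong group on a regular file and not only on a directory, so the divergence from the `-type d` bash remediation is caught by the test suite rather than by review.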
@marcusburghardt: The following tests failed, say
Thank you for the clarification
Description:
The file_groupowner already has templated test scenarios. Reviewed and cleaned up rules which use this template and have similar test scenarios.
Rationale:
Reduction of duplication.