
Remove similar test scenarios on rules templated by file_groupownership #8755

Merged


marcusburghardt
Member

Description:

The file_groupowner template already has templated test scenarios.
Reviewed and cleaned up the rules which use this template and have similar test scenarios.

Rationale:

Reduction of duplication.

@github-actions

github-actions bot commented May 11, 2022

Start a new ephemeral environment with changes proposed in this pull request:

Open in Gitpod

@marcusburghardt marcusburghardt added the Test Suite Update in Test Suite. label May 11, 2022
@marcusburghardt marcusburghardt added this to the 0.1.62 milestone May 11, 2022
@yuumasato yuumasato self-assigned this May 11, 2022
Member

@yuumasato yuumasato left a comment


It seems you forgot rule file_groupownership_audit_configuration.

I picked some rules randomly to test and of those, root_permissions_syslibrary_files and file_groupownership_audit_configuration are failing on incorrect_groupowner.fail.sh.
Could you check what is wrong with them?

@codeclimate

codeclimate bot commented May 12, 2022

Analysis results are not available for those commits


@marcusburghardt
Member Author

It seems you forgot rule file_groupownership_audit_configuration.

It was not forgotten. I won't include this rule in this PR. Its custom test scenarios install a package and this case will not be covered in this PR.

I picked some rules randomly to test and of those, root_permissions_syslibrary_files and file_groupownership_audit_configuration are failing on incorrect_groupowner.fail.sh. Could you check what is wrong with them?

I investigated the root_permissions_syslibrary_files rule and fixed it.

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,13 +1,10 @@
 
 
 
-find /lib/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /lib/ -type d -exec chgrp 0 {} \;
 
+find -H /lib64/ -type d -exec chgrp 0 {} \;
 
-find /lib64/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /usr/lib/ -type d -exec chgrp 0 {} \;
 
-
-find /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
-
-
-find /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex '^.*$' -exec chgrp 0 {} \;
+find -H /usr/lib64/ -type d -exec chgrp 0 {} \;
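Review bot: the new bash remediation only changes directories: every added line selects `-type d` (`find -H /lib/ -type d -exec chgrp 0 {} \;`), so the regular library files that the removed `-maxdepth 1 -type f ! -gid 0` commands targeted are no longer re-grouped, even though the rule is still root_permissions_syslibrary_files. The Ansible remediation in the same diff uses `state: directory` with `recurse: true`, which applies `group: '0'` to files and directories alike, so the two remediations now have different scopes; if files are meant to be covered, drop `-type d` (optionally keeping `! -gid 0` so only mis-owned entries are touched) and document that the remediation moved from top-level only (`-maxdepth 1`) to the whole tree, which the PR description (reduction of duplication) does not mention.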

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,9 @@
-- name: Find /lib/ file(s) matching ^.*$
- command: find -H /lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
+- name: Ensure group owner on /lib/ recursively
+ file:
+ path: /lib/
+ state: directory
+ recurse: true
+ group: '0'
 tags:
 - CCE-86523-8
 - DISA-STIG-RHEL-08-010350
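Review bot: `recurse: true` under `state: directory` sets `group: '0'` on every entry below /lib/, files included, whereas the removed find/with_items pair only touched regular files one level deep whose gid was not 0 (`-maxdepth 1 -type f ! -gid 0`). This is a scope change rather than a pure de-duplication, and it does not match the bash remediation above, which is restricted to directories with `-type d`; pick one scope for both remediations and note it in the description before merge.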
@@ -16,13 +16,12 @@
 - no_reboot_needed
 - root_permissions_syslibrary_files
 
-- name: Ensure group owner on /lib/ file(s) matching ^.*$
+- name: Ensure group owner on /lib64/ recursively
 file:
- path: '{{ item }}'
+ path: /lib64/
+ state: directory
+ recurse: true
 group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
 tags:
 - CCE-86523-8
 - DISA-STIG-RHEL-08-010350
@@ -35,12 +34,12 @@
 - no_reboot_needed
 - root_permissions_syslibrary_files
 
-- name: Find /lib64/ file(s) matching ^.*$
- command: find -H /lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
+- name: Ensure group owner on /usr/lib/ recursively
+ file:
+ path: /usr/lib/
+ state: directory
+ recurse: true
+ group: '0'
 tags:
 - CCE-86523-8
 - DISA-STIG-RHEL-08-010350
@@ -53,13 +52,12 @@
 - no_reboot_needed
 - root_permissions_syslibrary_files
 
-- name: Ensure group owner on /lib64/ file(s) matching ^.*$
+- name: Ensure group owner on /usr/lib64/ recursively
 file:
- path: '{{ item }}'
+ path: /usr/lib64/
+ state: directory
+ recurse: true
 group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
 tags:
 - CCE-86523-8
 - DISA-STIG-RHEL-08-010350
@@ -71,77 +69,3 @@
 - medium_severity
 - no_reboot_needed
 - root_permissions_syslibrary_files
-
-- name: Find /usr/lib/ file(s) matching ^.*$
- command: find -H /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Ensure group owner on /usr/lib/ file(s) matching ^.*$
- file:
- path: '{{ item }}'
- group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Find /usr/lib64/ file(s) matching ^.*$
- command: find -H /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
- register: files_found
- changed_when: false
- failed_when: false
- check_mode: false
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files
-
-- name: Ensure group owner on /usr/lib64/ file(s) matching ^.*$
- file:
- path: '{{ item }}'
- group: '0'
- state: file
- with_items:
- - '{{ files_found.stdout_lines }}'
- tags:
- - CCE-86523-8
- - DISA-STIG-RHEL-08-010350
- - NIST-800-53-CM-5(6)
- - NIST-800-53-CM-5(6).1
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - root_permissions_syslibrary_files

@openshift-ci

openshift-ci bot commented May 12, 2022

@marcusburghardt: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Required | Rerun command |
| --- | --- | --- | --- |
| ci/prow/e2e-aws-rhcos4-e8 | 1ba11cb | true | /test e2e-aws-rhcos4-e8 |
| ci/prow/e2e-aws-rhcos4-high | 1ba11cb | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-rhcos4-moderate | 1ba11cb | true | /test e2e-aws-rhcos4-moderate |


@yuumasato
Member

It seems you forgot rule file_groupownership_audit_configuration.

It was not forgotten. I won't include this rule in this PR. Its custom test scenarios install a package and this case will not be covered in this PR.

Thank you for the clarification

@yuumasato yuumasato merged commit 77cff05 into ComplianceAsCode:master May 13, 2022
@marcusburghardt marcusburghardt deleted the file_groupowner_template branch May 13, 2022 16:01