Improve ansible remediation of accounts_umask_etc_login_defs #9490
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -4,11 +4,13 @@
tags:
- always
-- name: Replace user umask in /etc/bashrc
- replace:
+- name: Check if umask in /etc/bashrc is already set
+ ansible.builtin.lineinfile:
path: /etc/bashrc
- regexp: umask.*
- replace: umask {{ var_accounts_user_umask }}
+ regexp: ^(\s*)umask\s+.*
+ state: absent
+ check_mode: true
+ changed_when: false
register: umask_replace
tags:
- CCE-81036-6
@@ -22,12 +24,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Append user umask in /etc/bashrc
- lineinfile:
- create: true
+- name: Replace user umask in /etc/bashrc
+ ansible.builtin.replace:
path: /etc/bashrc
- line: umask {{ var_accounts_user_umask }}
- when: umask_replace is not changed
+ regexp: ^(\s*)umask(\s+).*
+ replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
+ when: umask_replace.found > 0
tags:
- CCE-81036-6
- DISA-STIG-RHEL-08-020353
@@ -39,3 +41,21 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Ensure the Default umask is Appended Correctly
+ ansible.builtin.lineinfile:
+ create: true
+ path: /etc/bashrc
+ line: umask {{ var_accounts_user_umask }}
+ when: umask_replace.found == 0
+ tags:
+ - CCE-81036-6
+ - DISA-STIG-RHEL-08-020353
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - accounts_umask_etc_bashrc
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
@@ -4,11 +4,13 @@
tags:
- always
-- name: Replace user umask in /etc/csh.cshrc
- replace:
+- name: Check if umask in /etc/csh.cshrc is already set
+ ansible.builtin.lineinfile:
path: /etc/csh.cshrc
- regexp: umask.*
- replace: umask {{ var_accounts_user_umask }}
+ regexp: ^(\s*)umask\s+.*
+ state: absent
+ check_mode: true
+ changed_when: false
register: umask_replace
tags:
- CCE-81037-4
@@ -22,12 +24,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Append user umask in /etc/csh.cshrc
- lineinfile:
- create: true
+- name: Replace user umask in /etc/csh.cshrc
+ ansible.builtin.replace:
path: /etc/csh.cshrc
- line: umask {{ var_accounts_user_umask }}
- when: umask_replace is not changed
+ regexp: ^(\s*)umask(\s+).*
+ replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
+ when: umask_replace.found > 0
tags:
- CCE-81037-4
- DISA-STIG-RHEL-08-020353
@@ -39,3 +41,21 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Ensure the Default umask is Appended Correctly
+ ansible.builtin.lineinfile:
+ create: true
+ path: /etc/csh.cshrc
+ line: umask {{ var_accounts_user_umask }}
+ when: umask_replace.found == 0
+ tags:
+ - CCE-81037-4
+ - DISA-STIG-RHEL-08-020353
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - accounts_umask_etc_csh_cshrc
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
@@ -18,12 +18,14 @@
tags:
- always
-- name: Ensure the Default UMASK is Set Correctly
- replace:
+- name: Check if UMASK is already set
+ ansible.builtin.lineinfile:
path: /etc/login.defs
- regexp: ^UMASK
- replace: UMASK {{ var_accounts_user_umask }}
- register: umask_replace
+ regexp: ^(\s*)UMASK\s+.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_umask_is_set
when: '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-82888-9
@@ -37,14 +39,14 @@
- no_reboot_needed
- restrict_strategy
-- name: Ensure the Default UMASK is Appended Correctly
- lineinfile:
- create: true
+- name: Replace user UMASK in /etc/login.defs
+ ansible.builtin.replace:
path: /etc/login.defs
- line: UMASK {{ var_accounts_user_umask }}
+ regexp: ^(\s*)UMASK(\s+).*
+ replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
when:
- '"shadow-utils" in ansible_facts.packages'
- - umask_replace is not changed
+ - result_umask_is_set.found > 0
tags:
- CCE-82888-9
- DISA-STIG-RHEL-08-020351
@@ -56,3 +58,23 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Ensure the Default UMASK is Appended Correctly
+ ansible.builtin.lineinfile:
+ create: true
+ path: /etc/login.defs
+ line: UMASK {{ var_accounts_user_umask }}
+ when:
+ - '"shadow-utils" in ansible_facts.packages'
+ - result_umask_is_set.found == 0
+ tags:
+ - CCE-82888-9
+ - DISA-STIG-RHEL-08-020351
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - accounts_umask_etc_login_defs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy |
ggbecker
force-pushed
the
fix-umask-regex
branch
from
1b4a7ee
to
e13fa3b
Compare
|
one extra fix was needed in the line (check if the variable was defined first:
|
...system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
Outdated
Show resolved
Hide resolved
| changed_when: false | ||
| register: result_umask_is_set | ||
|
|
||
| - name: Check if UMASK is already correctly set |
There was a problem hiding this comment.
Using the lineinfile module you can check and fix the parameter at once. You can use the combination of backrefs, line and regexp options. At this point you already know that UMASK is defined there. So, using this approach, the lineinfile module will only change the line if it is different from the desired line.
There is something similar here: https://github.com/ComplianceAsCode/content/blob/master/shared/macros/10-ansible.jinja#L914-L929
There was a problem hiding this comment.
I'm struggling to make it work, maybe I need some more help here. Also, it may not align with multiple occurrences if found as stated below.
There was a problem hiding this comment.
Correct. The lineinfile module only changes one single line per time. If more lines are expected to be changed, the replace module is indeed the best option. Let me test the playbook locally here.
There was a problem hiding this comment.
@ggbecker , I could only check this now. So, basically the playbook can be simplified. You don't need to check of the parameter is already correct in a separate task. The replace and lineinfile modules will already do that. Here is an example of a simplified playbook:
- name: Check if UMASK is already set
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: ^(\s*)UMASK\s+.*
state: absent
check_mode: true
changed_when: false
register: result_umask_is_set
- name: Replace user UMASK in /etc/login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: ^(\s*)UMASK(\s+).*
replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
when:
- result_umask_is_set.found > 0
- name: Ensure the Default UMASK is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/login.defs
line: UMASK {{ var_accounts_user_umask }}
when:
- result_umask_is_set.found == 0
...system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
Show resolved
Hide resolved
...system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
Outdated
Show resolved
Hide resolved
ggbecker
force-pushed
the
fix-umask-regex
branch
from
e13fa3b
to
be2a4c8
Compare
| changed_when: false | ||
| register: result_umask_is_set | ||
|
|
||
| - name: Check if UMASK is already correctly set |
There was a problem hiding this comment.
@ggbecker , I could only check this now. So, basically the playbook can be simplified. You don't need to check of the parameter is already correct in a separate task. The replace and lineinfile modules will already do that. Here is an example of a simplified playbook:
- name: Check if UMASK is already set
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: ^(\s*)UMASK\s+.*
state: absent
check_mode: true
changed_when: false
register: result_umask_is_set
- name: Replace user UMASK in /etc/login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: ^(\s*)UMASK(\s+).*
replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
when:
- result_umask_is_set.found > 0
- name: Ensure the Default UMASK is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/login.defs
line: UMASK {{ var_accounts_user_umask }}
when:
- result_umask_is_set.found == 0
Remediation improved to consider existing data in the files and replace only when there is no configuration or misconfigured.
|
@ggbecker: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Code Climate has analyzed commit b2b2a8d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 40.4% (0.0% change). View more on Code Climate. |
Description:
Rationale:
Regex 101 Example: https://regex101.com/r/T0xVnu/1
Fixes: UMASK is not set correctly for /etc/login.defs #9456
This PR can inspire fixes for other similar rules as well. #9456 (comment)