Update accounts_umask_interactive_users to ignore .bash_history #9826
Conversation
This rule is intended to search for umask settings in init files under home directories. Update to ignore the file .bash_history, since this is not an init file.
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
This is to validate the rule indeed ignores .bash_history.
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
+++ xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
@@ -1,6 +1,8 @@
while IFS= read -r dir; do
while IFS= read -r -d '' file; do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+ if [[ $(basename "$file") != ".bash_history" ]]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+ fi
done < <(find $dir -maxdepth 1 -type f -name ".*" -print0)
done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd)
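Review bot: the exclusion can be expressed in the find command rather than as a conditional wrapped around sed, which leaves the sed line untouched and avoids a basename subshell per file: `find "$dir" -maxdepth 1 -type f -name ".*" ! -name ".bash_history" -print0`. While touching this loop, also quote `$dir` in the find call: it comes straight from the home-directory field of /etc/passwd and is currently word-split if the path contains whitespace (pre-existing, but this is the line being changed). The `[[ ... ]]` test is bash-only, which is acceptable here since the surrounding `< <(...)` process substitution already requires bash.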
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
+++ xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
@@ -4,7 +4,9 @@
cmd: |-
for dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd); do
for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ if [[ $(basename "$file") != ".bash_history" ]]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ fi
done
done
tags:
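Review bot: same suggestion as for the bash remediation: `! -name ".bash_history"` in the find expression removes the need for the `[[ ... ]]` block entirely. Separately, `$file` is unquoted in the sed call and the `for file in $(find ...)` loop word-splits on whitespace, so a dotfile whose name contains a space would be handed to sed as several paths; quoting `"$file"` as the bash variant already does is worth carrying along. Since `[[ ... ]]` is not POSIX sh, confirm this shell task runs with `executable: /bin/bash` if that is not already set in the part of the task not shown in the hunk.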
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chgrp 0 /boot/efi/EFI/redhat/grub.cfg
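Review bot: this hunk only swaps the order of `rpm --quiet -q grub2-common` and `[ -f /sys/firmware/efi ]` in the platform guard; both terms are ANDed, so the result is identical, and nothing in the PR description touches the EFI grub2 rules. This hunk and the following grub2/user.cfg and sssd hunks, which likewise only reorder `when:` conditions, look like datastream drift between this branch and the base rather than part of the change; rebasing onto current master should drop them from the diff and leave only the umask hunks to review.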
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85915-7
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
group: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chgrp 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86012-2
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/user.cfg
group: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chown 0 /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85913-2
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
owner: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chown 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86021-3
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/user.cfg
owner: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -18,8 +18,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85912-4
@@ -38,8 +38,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
mode: u-s,g-xwrs,o-xwrt
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chmod u-xs,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -18,8 +18,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86028-8
@@ -38,8 +38,8 @@
path: /boot/efi/EFI/redhat/user.cfg
mode: u-xs,g-xwrs,o-xwrt
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
var_sssd_ldap_tls_ca_dir=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -25,8 +25,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82456-5
- NIST-800-53-CM-6(a)
@@ -45,8 +45,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82456-5
- NIST-800-53-CM-6(a)
@@ -73,8 +73,8 @@
option: ldap_tls_cacertdir
value: '{{ var_sssd_ldap_tls_ca_dir }}'
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -97,8 +97,8 @@
option: ldap_tls_cacertdir
value: '{{ var_sssd_ldap_tls_ca_dir }}'
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -20,8 +20,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-84062-9
- NIST-800-53-CM-6(a)
@@ -40,8 +40,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-84062-9
- NIST-800-53-CM-6(a)
@@ -68,8 +68,8 @@
option: ldap_tls_reqcert
value: demand
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -92,8 +92,8 @@
option: ldap_tls_reqcert
value: demand
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -21,8 +21,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82437-5
- NIST-800-53-CM-6(a)
@@ -42,8 +42,8 @@
changed_when: false
check_mode: false
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82437-5
- NIST-800-53-CM-6(a)
@@ -71,8 +71,8 @@
option: ldap_id_use_start_tls
value: 'true'
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -96,8 +96,8 @@
option: ldap_id_use_start_tls
value: 'true'
when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined |
Code Climate has analyzed commit 53bdd97 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 47.2% (0.0% change). View more on Code Climate.
Hi, this is mostly a duplicate of #9816.
Description:
`accounts_umask_interactive_users` rule's OVAL, bash and ansible to ignore bash command history
Rationale:
`.bash_history`, but this file has no effect in actual system configuration.
Review Hints:
`.bash_history` it could be necessary to run scripts manually