Improve ANSSI R28 #11626

Merged
merged 7 commits into from
Mar 15, 2024
Conversation

@jan-cerny jan-cerny commented Feb 26, 2024

Description:

Create new rule systemd_tmp_mount that checks if the systemd tmp.mount mount unit is enabled.

This rule uses a new template that is also added by this PR.

This rule conflicts with the current implementation of the rule accounts_polyinstantiated_tmp because rule accounts_polyinstantiated_tmp requires the existence of the /tmp/tmp-inst directory and this directory is removed by systemd tmp.mount mount unit during reboot. We will address this conflict by removal of the requirement for the existence of /tmp/tmp-inst. We can do this because this directory is created automatically by pam if it doesn't exist. We will only check that if the directory exists it has the correct mode to prevent failures of the polyinstantiation.

For more details, please read commit messages of all commits.

Rationale:

We will add this rule to ANSSI R28 because it aligns with the requirement to clean after reboot or be preferably type tmpfs.
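A local pre-check of the two behaviours the description relies on, added here as an example and not part of ComplianceAsCode content or of this PR: tmp.mount must be persistently enabled, and /tmp/tmp-inst may be absent but, when present, must be a root-owned directory with mode 0000 (the mode pam_namespace expects for the instance parent; treat it as an assumption if your namespace.conf uses a different layout). The function names, the --live flag and the sample configuration in the comments are this example's own, not the project's.

```sh
#!/bin/sh
# Added example (not ComplianceAsCode content): a local pre-check for the two
# ANSSI R28 rules discussed in this PR. Function names, the --live flag and the
# 0000 mode requirement for /tmp/tmp-inst are this example's assumptions.

# Rule 1 (systemd_tmp_mount_enabled): only "enabled" passes. "enabled-runtime"
# is deliberately a fail because it does not survive a reboot, which is the
# whole point of R28; "masked", "disabled" and an empty string (no systemd or
# no such unit) fail as well.
mount_unit_passes() {
    case "$1" in
        enabled) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the instance prefix configured for /tmp in a namespace.conf-style file
# (columns: polydir instance_prefix method uids). Comment and blank lines can
# never match the first-column test, so they are skipped implicitly. Returns 1
# when the file is unreadable or has no /tmp entry, which corresponds to the
# rule's line_not_there.fail.sh case.
tmp_instance_prefix() {
    [ -r "$1" ] || return 1
    awk '$1 == "/tmp" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Rule 2 (accounts_polyinstantiated_tmp): the parent directory may be absent,
# because pam_namespace creates it at login (directory_doesnt_exist.pass.sh).
# When it exists it must be a directory owned by WANT_UID (default root, uid 0)
# with mode 0000 (wrong_mode.fail.sh); anything else breaks polyinstantiation.
tmp_inst_passes() {
    dir="$1"
    want_uid="${2:-0}"
    [ -e "$dir" ] || return 0
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    [ "$mode" = "0" ] && [ "$uid" = "$want_uid" ]
}

# Evaluate both rules against the live system. Exit status is 0 only when both
# would pass; one PASS/FAIL line per rule is printed for the operator.
r28_precheck() {
    conf="${1:-/etc/security/namespace.conf}"
    rc=0
    state=$(systemctl is-enabled tmp.mount 2>/dev/null || true)
    if mount_unit_passes "$state"; then
        echo "PASS tmp.mount is enabled"
    else
        echo "FAIL tmp.mount state is '${state:-unknown}' (expected 'enabled')"
        rc=1
    fi
    if prefix=$(tmp_instance_prefix "$conf"); then
        dir="${prefix%/}"
        if tmp_inst_passes "$dir"; then
            echo "PASS $dir is absent or a root-owned mode 0000 directory"
        else
            echo "FAIL $dir exists but is not a root-owned mode 0000 directory"
            rc=1
        fi
    else
        echo "FAIL no /tmp polyinstantiation entry in $conf"
        rc=1
    fi
    return $rc
}

# Run the live check only when asked, so the file can also be sourced to reuse
# the functions (for example from a test script).
if [ "${1:-}" = "--live" ]; then
    r28_precheck "${2:-/etc/security/namespace.conf}"
fi
```

Run it as `sh r28_precheck.sh --live` on the target host; the second rule's directory check is derived from the /tmp line of namespace.conf rather than hard-coded, so a host that polyinstantiates into a different prefix is checked at the right path.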

@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. Update Profile Issues or pull requests related to Profiles updates. ANSSI ANSSI Benchmark related. New Template Issues or pull requests related to new Templates. labels Feb 26, 2024
@jan-cerny jan-cerny added this to the 0.1.73 milestone Feb 26, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 26, 2024

openshift-ci bot commented Feb 26, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Feb 26, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -80,9 +80,6 @@
 RHEL-08-010543
 
 [reference]:
-R28
-
-[reference]:
 1.1.2.1.1
 
 [reference]:
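Review bot: the hunk only removes R28 from partition_for_tmp; nothing in this generated diff shows a rule gaining the R28 reference, so the mapping is visible here only as a loss. Before merging, confirm in the built datastream that the new systemd_tmp_mount rule carries R28 as the description states, otherwise the profile has no rule backing that requirement and a host with a persistent separate /tmp partition is no longer flagged under R28.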


github-actions bot commented Feb 26, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11626
This image was built from commit: 0aa4ad7


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11626

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11626 make deploy-local

@jan-cerny (Collaborator, Author) commented:

From the CI results we can see that the new rule conflicts with accounts_polyinstantiated_tmp which is also a part of the ANSSI profile.

This template generates check for a systemd mount unit enablement.
This rule will check that the systemd tmp.mount unit is enabled.
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/

We will add this rule to ANSSI R28 because it aligns with the
requirement to clean after reboot or be preferably type tmpfs.

We will not require the parent directory to exist, the OVAL test will
pass also if the directory doesn't exist.  It isn't mandatory to create
the parent directory because when the directory doesn't exist, it gets
created automatically by pam. However, if the parent directory exists,
it must have correct mode, otherwise the polyinstantiation will fail.
@jan-cerny jan-cerny marked this pull request as ready for review March 7, 2024 08:45
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 7, 2024
@jan-cerny (Collaborator, Author) commented:

/packit retest-failed

@Mab879 Mab879 self-assigned this Mar 8, 2024

@Mab879 Mab879 left a comment


Just one minor item.

shared/macros/10-ocil.jinja (review comment, outdated and resolved)
@jan-cerny (Collaborator, Author) commented:

I have renamed the OCIL macro.


@Mab879 Mab879 left a comment


Sorry, just a few more things I noticed.

jan-cerny and others added 2 commits March 12, 2024 08:39
Co-authored-by: Matthew Burket <m@tthewburket.com>

codeclimate bot commented Mar 12, 2024

Code Climate has analyzed commit 0aa4ad7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

@jan-cerny (Collaborator, Author) commented:

/packit retest-failed


Mab879 commented Mar 14, 2024

Automatus passes locally

$ ./automatus.py rule --datastream ../build/ssg-rhel8-ds.xml --libvirt qemu:///system automatus_rhel8_10 systemd_tmp_mount_enabled,accounts_polyinstantiated_tmp
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/review/ComplianceAsCode/content3/tests/logs/rule-custom-2024-03-14-0924/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_mode.fail.sh using profile (all) OK
INFO - Script directory_doesnt_exist.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
INFO - Script mount_enabled.pass.sh using profile (all) OK
INFO - Script mount_disabled.fail.sh using profile (all) OK

@jan-cerny (Collaborator, Author) commented:

great!

@Mab879 Mab879 merged commit b2693b4 into ComplianceAsCode:master Mar 15, 2024
40 of 44 checks passed