
Disallow spaces in SSSD certificate_verification option #11728

Merged (1 commit), Mar 20, 2024

Conversation

jan-cerny (Collaborator)

We will not allow spaces around the equal sign in the value of the certificate_verification option in SSSD configuration. This will align our content with RHEL 9 STIG requirements.

Fixes: #11708

@jan-cerny jan-cerny added bugfix Fixes to reported bugs. Ansible Ansible remediation update. Test Suite Update in Test Suite. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. STIG STIG Benchmark related. labels Mar 19, 2024
This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -21,12 +21,12 @@
 
     # find key in section and change value
     if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
-            sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+            sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
             found=true
 
     # find section and add key = value to it
     elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
-            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f"
+            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
             found=true
     fi
 done
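Review bot: the substitution on the `+` line, `s/certificate_verification[^(\n)]*/.../`, carries no sed address, so it rewrites every line of `$f` that contains `certificate_verification`, including a commented-out `#certificate_verification = ...` or one under a different section, while the `grep -qzosP` guard only established that the key appears somewhere after `[sssd]`. Anchoring the pattern (`^[[:space:]]*certificate_verification`) and limiting it to the section range (`/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/`) would keep the remediation from touching lines the check never looked at. The bracket expression `[^(\n)]` also stops at `(` and `)`, so a value containing parentheses would keep its tail after the rewritten prefix; `[^\n]*` expresses the intent.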
@@ -35,7 +35,7 @@
 if ! $found ; then
     file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
-    echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
+    echo -e "[sssd]\ncertificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"
 fi
 
 umask $OLD_UMASK
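Review bot: the fallback path builds `file` with `cut -f1 -d ' '` over `"$MAIN_CONF /etc/sssd/sssd.conf ..."`; if `MAIN_CONF` is empty, the string starts with a space, `cut` returns an empty first field, `mkdir -p "$(dirname "")"` silently creates nothing, and the `>> "$file"` on the `+` line fails with "No such file or directory". Guarding with `file="${MAIN_CONF:-/etc/sssd/sssd.conf}"` or an explicit `[ -n "$file" ]` check makes the intent clear. Note also that a file created via `>>` here gets permissions from whatever umask is in force before `umask $OLD_UMASK` restores the old one, whereas the Ansible variant sets an explicit `mode: 384` (0600); the two remediations may leave a freshly created sssd.conf with different modes.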

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -60,7 +60,7 @@
     path: /etc/sssd/conf.d/certificate_verification.conf
     section: sssd
     option: certificate_verification
-    value: ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}
+    value: ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}
     state: present
     mode: 384
   when: '"sssd-common" in ansible_facts.packages'
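Review bot: `mode: 384` on the context line is the decimal form of 0600; Ansible accepts an integer, but its file modules recommend a quoted octal string (`mode: '0600'`) because an unquoted octal-looking value is read as decimal, and the quoted form makes the intended permission obvious to reviewers and linters. Separately, the Bash variant edits an existing `certificate_verification` key in place, while this task writes only the conf.d snippet and leaves any old `ocsp_dgst = ...` line in /etc/sssd/sssd.conf untouched; worth confirming the OVAL check evaluates the effective (snippet-overriding) value so the two remediations converge.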

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11728
This image was built from commit: 2e4027b

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11728

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11728 make deploy-local


codeclimate bot commented Mar 19, 2024

Code Climate has analyzed commit 2e4027b and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).


Mab879 self-assigned this Mar 19, 2024

Mab879 (Member) commented Mar 19, 2024

$ ./automatus.py rule --datastream ../build/ssg-rhel9-ds.xml --libvirt qemu:///system automatus_rhel9_4 sssd_certificate_verification
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2024-03-19-1415/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sssd_certificate_verification
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_with_others_before.pass.sh using profile (all) OK
INFO - Script not_configured.fail.sh using profile (all) OK
INFO - Script partial_config.fail.sh using profile (all) OK
INFO - Script wrong_section.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script wrong_value_not_default.fail.sh using profile (all) OK
ERROR - Script spaces.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 

On the VM the tests fail.
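The scenarios named in the Automatus run above (correct_value, spaces, wrong_section, not_configured) are easier to reason about with a minimal standalone checker. This is an added Python example, not the project's OVAL check or its test scripts; the config texts are constructed samples, and the expected digest name stands in for the var_sssd_certificate_verification_digest_function value.

```python
import re
from typing import Optional

# Post-PR form: no whitespace around the inner "=" of the value.
# Whitespace around the INI key's own "=" is still allowed.
VALUE_RE = re.compile(r"^ocsp_dgst=(?P<digest>[A-Za-z0-9]+)$")

def sssd_option(config_text: str, section: str, option: str) -> Optional[str]:
    """Return the last value of `option` under [section], or None if absent."""
    current, value = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(?P<name>[^\]]+)\]$", line)
        if m:
            current = m.group("name").strip()
            continue
        if current != section or "=" not in line:
            continue
        key, _, val = line.partition("=")  # split on the FIRST "=" only
        if key.strip() == option:
            value = val.strip()
    return value

def check_certificate_verification(config_text: str, expected_digest: str) -> str:
    """Classify a config the way the pass/fail scenarios do."""
    val = sssd_option(config_text, "sssd", "certificate_verification")
    if val is None:
        return "fail: not configured in [sssd]"
    m = VALUE_RE.match(val)
    if m is None:
        return "fail: spaces or unexpected form: %r" % val
    if m.group("digest") != expected_digest:
        return "fail: digest %s, expected %s" % (m.group("digest"), expected_digest)
    return "pass"

# Constructed sample configs (not taken from the PR's test scripts).
CORRECT = """[sssd]
services = nss, pam
domains = example
certificate_verification = ocsp_dgst=sha256

[domain/example]
id_provider = ldap
"""
SPACES = CORRECT.replace("ocsp_dgst=sha256", "ocsp_dgst = sha256")
WRONG_SECTION = "[sssd]\nservices = nss, pam\n\n[pam]\ncertificate_verification = ocsp_dgst=sha256\n"

if __name__ == "__main__":
    for name, text in (("correct", CORRECT), ("spaces", SPACES), ("wrong_section", WRONG_SECTION)):
        print(name, "->", check_certificate_verification(text, "sha256"))
```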

jan-cerny (Collaborator, Author) commented

@Mab879 Interesting. But I can't reproduce the fail locally. Are you on a correct branch? I tried it multiple times both on RHEL 8 and RHEL 9.

Mab879 (Member) commented Mar 20, 2024

> @Mab879 Interesting. But I can't reproduce the fail locally. Are you on a correct branch? I tried it multiple times both on RHEL 8 and RHEL 9.

Seems it was an issue on my side. The tests pass now.

Mab879 (Member) commented Mar 20, 2024

The failure of SLE15 Automatus is expected as this rule isn't in the benchmark.

@Mab879 Mab879 merged commit 963f14b into ComplianceAsCode:master Mar 20, 2024
43 of 44 checks passed
@Mab879 Mab879 added this to the 0.1.73 milestone May 16, 2024
Linked issue this pull request may close: sssd_certificate_verification is misaligned with DISA