[RFE] Implement universal replace_or_append() remediation function #611
Comments
This makes a lot of sense and would simplify the process of writing remediations. Two initial thoughts: #1: How would different name-pair values be set when the syntax is different, e.g.
vs `VARIABLE=${some_value}`? #2: WRT symlinks, we should normalize using --follow-symlinks with sed during the initial version, else we risk breaking end points.
Was thinking of this and looks another optional
This way any of the output formats (supported by the bash's and then just replace any row in the "file.conf" containing "VARIABLE" with the value of
Agree with this approach too. Maybe when performing the remediation we could check if `$config_file` is actually a symlink via
When fixing this ticket, #548 should be fixed as well.
- Adds universal replace_or_append function to remediation_functions
- Provide a couple of examples of usage in existing remediation scripts
- Fixes ComplianceAsCode#611
- Fixes ComplianceAsCode#548
As already mentioned in #572 (comment), the majority of existing remediation scripts are performing the following tasks:
We should probably unify on the effort that each remediation script would include a CCE-id comment before adding the new setting (for the case where the CCE id is known for that concrete rule).
Therefore this ticket is to propose the introduction / implementation of a new universal remediation function, which would hide the aforementioned tasks behind its input arguments.
The proposed declaration is as follows (RFC):
with the explanation of the arguments being as follows:
- `$config_file_location` - the concrete configuration / text file the remediation script should act on,
- `$key_to_search` - the configuration file key that should be searched for,
- `$new_value` - the new value of that key in the config / text file (where the new value could be either a plain string or some already known variable content).

After some review, there might be other optional parameters necessary, like:
- `$follow_symlinks` = (yes|no) for the cases when the remediation target is just a symlink, but instead of updating it, we should update the target of the symlink.

Example calls of such a routine would be:
- `replace_or_append('/etc/sysconfig/prelink', 'PRELINKING', 'no')` for the disable_prelink remediation,
- `replace_or_append('/etc/login.defs', PASS_MAX_DAYS, '$var_accounts_maximum_age_login_defs')` for the accounts_maximum_age_login_defs remediation script,
- `replace_or_append('/etc/audit/auditd.conf', '^admin_space_left_action', "$var_auditd_admin_space_left_action")` for the auditd_data_retention_admin_space_left_action remediation script...
IMHO this approach could simplify the way we currently develop and maintain remediation scripts (it's easier to fix a bug in one function than to fix multiple remediation scripts). Also it's scalable (by adding benchmarks for new products we could develop remediation scripts more quickly). And the proper work of the script is verifiable via an upstream test (we could provide a selected input file to it, and compare via `diff -s` with the expected output).

Comments / feedback / patches / PR welcome.
Thanks, Jan.
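As an added example (not the project's remediation_functions code and not the code from the linked PR), here is a bash sketch of the proposed helper, exercised with the three example calls above and following the first comment's --follow-symlinks advice. The separator argument, the CCE argument and the "# Per CCE-...: Set KEY" comment format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode's own code: one possible shape for the
# proposed helper. The SEP and CCE arguments are assumptions.
#
# replace_or_append FILE KEY VALUE [SEP] [CCE]
#   FILE   configuration file to act on; symlinks are always followed (as the
#          first comment recommends), so the link target is edited, never the link
#   KEY    key to search for; a leading '^' (as in '^admin_space_left_action') is tolerated
#   VALUE  new value for the key
#   SEP    separator used when a line has to be appended: '=' (default), ' = ' or ' '
#   CCE    optional CCE id; when given, a "# Per CCE-...: Set KEY" comment is
#          written before an appended line
replace_or_append() {
  local config_file="$1" key="${2#^}" new_value="$3" sep="${4:-=}" cce="${5:-}"
  local sep_re
  # Only live (uncommented) lines count as a match.
  case "$sep" in
    *=*) sep_re='[[:space:]]*=[[:space:]]*' ;;
    *)   sep_re='[[:space:]]+' ;;
  esac
  # Escape the characters that are special on the replacement side of s///.
  local esc="$new_value"
  esc=${esc//\\/\\\\}; esc=${esc//&/\\&}; esc=${esc//\//\\/}
  [ -e "$config_file" ] || touch "$config_file"
  if grep -Eq "^[[:space:]]*${key}${sep_re}" "$config_file"; then
    # Key present: rewrite every live occurrence in place, through symlinks.
    sed -i --follow-symlinks -E \
      "s/^[[:space:]]*(${key})${sep_re}.*/\1${sep}${esc}/" "$config_file"
  else
    # Key absent: append (>> opens the path, so a symlink target is written).
    [ -n "$cce" ] && printf '# Per %s: Set %s\n' "$cce" "$key" >> "$config_file"
    printf '%s%s%s\n' "$key" "$sep" "$new_value" >> "$config_file"
  fi
}

# Demonstration on constructed copies of the three files named in the issue.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'PRELINKING=yes\n' > "$tmp/prelink"
  printf 'PASS_MIN_DAYS 0\n' > "$tmp/login.defs"
  printf 'admin_space_left_action = SUSPEND\n' > "$tmp/auditd.conf"
  replace_or_append "$tmp/prelink" 'PRELINKING' 'no'
  replace_or_append "$tmp/login.defs" 'PASS_MAX_DAYS' '90' ' ' 'CCE-PLACEHOLDER'
  replace_or_append "$tmp/auditd.conf" '^admin_space_left_action' 'halt' ' = '
  head "$tmp/prelink" "$tmp/login.defs" "$tmp/auditd.conf"
  rm -rf "$tmp"
}
demo
```

The resulting files can be checked against expected copies with `diff -s`, as the issue suggests for an upstream test.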