Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use opening parenthesis in the switch case condition of RHEL-08-020041 #10472

Merged
merged 1 commit into from
Jul 11, 2023
Merged

Use opening parenthesis in the switch case condition of RHEL-08-020041 #10472

merged 1 commit into from
Jul 11, 2023

Conversation

ggbecker
Copy link
Member

@ggbecker ggbecker commented Apr 19, 2023
edited
Loading

Description:

  • Use opening parenthesis in the switch case condition of RHEL-08-020041.

Rationale:

  • This change is to align with DISA STIG since it's also a valid syntax and they have not changed their SCAP content. The OVAL file should still accept a configuration without the opening parenthesis by making it optional in the regex.

With this change we will be able to remove the waiver from the STIG alignment test: https://gitlab.com/redhat/rhel/tests/scap-security-guide/-/blob/master/Library/ssg-test-suite/disa_alignment_waivers/rhel8#L2

@mildas See the above.

Fixes: #9309

@ggbecker ggbecker added the STIG STIG Benchmark related. label Apr 19, 2023
@ggbecker ggbecker added this to the 0.1.68 milestone Apr 19, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -1,12 +1,12 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q tmux; then
 
-if ! grep -x ' case "$name" in sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
+if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
 cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in (sshd|login) tmux ;; esac
 fi
 EOF
 chmod 0644 /etc/profile.d/tmux.sh

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -16,7 +16,7 @@
 ansible.builtin.find:
 paths: /etc
 patterns: bashrc
- contains: .*case "$name" in sshd|login) tmux ;; esac.*
+ contains: .*case "$name" in (sshd|login) tmux ;; esac.*
 register: tmux_in_bashrc
 when: '"tmux" in ansible_facts.packages'
 tags:
@@ -34,7 +34,7 @@
 ansible.builtin.find:
 paths: /etc/profile.d
 patterns: '*.sh'
- contains: .*case "$name" in sshd|login) tmux ;; esac.*
+ contains: .*case "$name" in (sshd|login) tmux ;; esac.*
 register: tmux_in_profile_d
 when: '"tmux" in ansible_facts.packages'
 tags:
@@ -55,7 +55,7 @@
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in (sshd|login) tmux ;; esac
 fi
 create: true
 when:

@mildas mildas self-assigned this Apr 19, 2023
@mildas
Copy link
Contributor

mildas commented Apr 20, 2023

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.

OVAL test results details

/etc/profile.d/*.sh contains a shell script to initialize the tmux terminal multiplexer as each shell is called.  oval:mil.disa.stig.rhel8:tst:19400  true

Following items have been found on the system:
Path Content
/etc/profile.d/tmux.sh if [ "$PS1" ]; then parent=$(ps -o ppid= -p $) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) tmux ;; esac fi

The tmux process is running.  oval:mil.disa.stig.rhel8:tst:19401  false

No items have been found conforming to the following objects:
Object oval:mil.disa.stig.rhel8:obj:19401 of type process58_object
Command line Pid
^(/usr/bin/)?tmux\b 1

@ggbecker
Copy link
Member Author

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.
OVAL test results details

Okay, but I'm not sure if running tmux in the remediation would be the correct approach. Furthermore, the only change we requested DISA was to change the parenthesis thing, I don't recall anything about the running tmux, so I'm not sure exactly what to do here.

Is it the case that a reboot would fix the misalignment? Because new shells would spawn tmux and then the requirement would be met for example.

@ggbecker
Use opening parenthesis in the switch case condition.
97fa904 
This change is to align with DISA STIG since it's also a valid syntax
and they have not changed their SCAP content. The OVAL file should still
accept a configuration without the opening parenthesis by making it
optional in the regex.
@codeclimate
Copy link

codeclimate bot commented May 2, 2023

Code Climate has analyzed commit 97fa904 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

@ggbecker
Copy link
Member Author

ggbecker commented May 2, 2023

The Automatus CS9 fails because the rule is not part of the RHEL9 DS:

content/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml

Line 3 in 3d9b19c

prodtype: ol8,rhel8

So it should be safe to ignore.

@ggbecker ggbecker requested a review from yuumasato May 2, 2023 09:21
@jan-cerny jan-cerny modified the milestones: 0.1.68, 0.1.69 May 29, 2023
@jan-cerny
Copy link
Collaborator

@mildas @yuumasato PING

@ggbecker
Copy link
Member Author

ggbecker commented Jul 6, 2023

@mildas @yuumasato PING

This should be quite safe to merge IMO.

@yuumasato yuumasato self-assigned this Jul 11, 2023
yuumasato
yuumasato approved these changes Jul 11, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this patch, indeed the opening parenthesis is allowed:
https://www.gnu.org/software/bash/manual/bash.html#index-case

@yuumasato yuumasato merged commit 77f4277 into ComplianceAsCode:master Jul 11, 2023
28 of 29 checks passed
@yuumasato
Copy link
Member

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.
OVAL test results details

We had a check for "tmux running" before and decided to remove it:
#8246

@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Jul 11, 2023
@BenoitGui BenoitGui mentioned this pull request Jan 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuumasato yuumasato yuumasato approved these changes

@mildas mildas Awaiting requested review from mildas

Assignees

@yuumasato yuumasato

@mildas mildas

Labels
STIG STIG Benchmark related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.69
Development

Successfully merging this pull request may close these issues.

Rule configure_bashrc_tmux is misaligned with DISA
5 participants
@ggbecker @mildas @jan-cerny @yuumasato @Mab879