-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule #10597
Conversation
* Fix regex in OVAL * Update ansible to match OVAL expectation in ol8, and update the lineinfile calls to use a regex, so it avoids adding unnecesary lines Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.%0A--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function%0A+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function%0A@@ -18,7 +18,7 @@%0A - restrict_strategy%0A %0A - name: Service facts%0A- service_facts: null%0A+ ansible.builtin.service_facts: null%0A when:%0A - '"audit" in ansible_facts.packages'%0A - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A@@ -39,7 +39,7 @@%0A - restrict_strategy%0A %0A - name: Check the rules script being used%0A- command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service%0A+ ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service%0A register: check_rules_scripts_result%0A changed_when: false%0A failed_when: false%0A@@ -63,12 +63,16 @@%0A - restrict_strategy%0A %0A - name: Set suid_audit_rules fact%0A- set_fact:%0A+ ansible.builtin.set_fact:%0A suid_audit_rules:%0A- - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid%0A- - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid%0A- - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid%0A- - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid%0A+ - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid%0A+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+ - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid%0A+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+ - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid%0A+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+ - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid%0A+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A when:%0A - '"audit" in ansible_facts.packages'%0A - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A@@ -89,9 +93,10 @@%0A - restrict_strategy%0A %0A - name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions%0A- lineinfile:%0A+ ansible.builtin.lineinfile:%0A path: /etc/audit/rules.d/privileged.rules%0A- line: '{{ item }}'%0A+ line: '{{ item.rule }}'%0A+ regexp: '{{ item.regex }}'%0A create: true%0A when:%0A - '"audit" in ansible_facts.packages'%0A@@ -117,9 +122,10 @@%0A - restrict_strategy%0A %0A - name: Update Update /etc/audit/audit.rules to audit privileged functions%0A- lineinfile:%0A+ ansible.builtin.lineinfile:%0A path: /etc/audit/audit.rules%0A- line: '{{ item }}'%0A+ line: '{{ item.rule }}'%0A+ regexp: '{{ item.regex }}'%0A create: true%0A when:%0A - '"audit" in ansible_facts.packages'%0A@@ -145,7 +151,7 @@%0A - restrict_strategy%0A %0A - name: Restart Auditd%0A- command: /usr/sbin/service auditd restart%0A+ ansible.builtin.command: /usr/sbin/service auditd restart%0A when:%0A - '"audit" in ansible_facts.packages'%0A - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello, and thank you for the PR, it looks nice. Just a note... I see you converted some lineinfile tasks into ansible.builtin.lineinfile tasks... could you please do it for all other tasks in that remediation while you are at it?
Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes LGTM.
Thanks for the efforts @Xeicker
Hello @Xeicker it is almost finished, please just modify the service_facts and set_facts to be also called absolutely with ansible.builtin. Thank you. |
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Code Climate has analyzed commit 055bfad and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.5% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good now, thank you.
Description:
audit_rules_suid_privilege_function
rule to not check ifeuid=0
oregid=0
in OL8Rationale:
Review Hints: