Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule

[Xeicker]

Description:

• Change audit_rules_suid_privilege_function rule to not check if euid=0 or egid=0 in OL8
• Update ansible for this rule

Rationale:

• This is to be better aligned with OL8 DISA STIG
• Ansible update objective is to avoid adding extra lines when the audit rules are in place but not written exactly equal

Review Hints:

• Automatus tests should cover these changes

[openshift-ci]

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.%0A--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function%0A+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function%0A@@ -18,7 +18,7 @@%0A   - restrict_strategy%0A %0A - name: Service facts%0A-  service_facts: null%0A+  ansible.builtin.service_facts: null%0A   when:%0A   - '"audit" in ansible_facts.packages'%0A   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A@@ -39,7 +39,7 @@%0A   - restrict_strategy%0A %0A - name: Check the rules script being used%0A-  command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service%0A+  ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service%0A   register: check_rules_scripts_result%0A   changed_when: false%0A   failed_when: false%0A@@ -63,12 +63,16 @@%0A   - restrict_strategy%0A %0A - name: Set suid_audit_rules fact%0A-  set_fact:%0A+  ansible.builtin.set_fact:%0A     suid_audit_rules:%0A-    - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid%0A-    - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid%0A-    - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid%0A-    - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid%0A+    - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid%0A+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+    - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid%0A+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+    - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid%0A+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A+    - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid%0A+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$%0A   when:%0A   - '"audit" in ansible_facts.packages'%0A   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A@@ -89,9 +93,10 @@%0A   - restrict_strategy%0A %0A - name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions%0A-  lineinfile:%0A+  ansible.builtin.lineinfile:%0A     path: /etc/audit/rules.d/privileged.rules%0A-    line: '{{  item  }}'%0A+    line: '{{  item.rule  }}'%0A+    regexp: '{{ item.regex }}'%0A     create: true%0A   when:%0A   - '"audit" in ansible_facts.packages'%0A@@ -117,9 +122,10 @@%0A   - restrict_strategy%0A %0A - name: Update Update /etc/audit/audit.rules to audit privileged functions%0A-  lineinfile:%0A+  ansible.builtin.lineinfile:%0A     path: /etc/audit/audit.rules%0A-    line: '{{  item  }}'%0A+    line: '{{  item.rule  }}'%0A+    regexp: '{{ item.regex }}'%0A     create: true%0A   when:%0A   - '"audit" in ansible_facts.packages'%0A@@ -145,7 +151,7 @@%0A   - restrict_strategy%0A %0A - name: Restart Auditd%0A-  command: /usr/sbin/service auditd restart%0A+  ansible.builtin.command: /usr/sbin/service auditd restart%0A   when:%0A   - '"audit" in ansible_facts.packages'%0A   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

[freddieRv]

Changes LGTM

[vojtapolasek]

Hello, and thank you for the PR, it looks nice. Just a note... I see you converted some lineinfile tasks into ansible.builtin.lineinfile tasks... could you please do it for all other tasks in that remediation while you are at it?
Thank you.

[freddieRv]

Changes LGTM.

Thanks for the efforts @Xeicker

[vojtapolasek]

Hello @Xeicker it is almost finished, please just modify the service_facts and set_facts to be also called absolutely with ansible.builtin. Thank you.

[codeclimate]

Code Climate has analyzed commit 055bfad and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.5% (0.0% change).

View more on Code Climate.

[vojtapolasek]

Looks good now, thank you.