
templates: file_permissions: Improve handling of directories in ansible remediation #10882

Merged
merged 2 commits into from
Jul 25, 2023

Conversation

dodys
Contributor

@dodys dodys commented Jul 20, 2023

Description:

  • When we use the ansible file module to apply permissions only to directories and subdirectories, this ends up applying to the files. By using the find module we can prevent that and have a simple remediation that works both for directories and file_regex.
  • This fixes recursive file mode setting breaks sudo #10687.

Rationale:

  • This probably affects all distros

directories in ansible remediation.
When we use the ansible file module to apply permissions only to
directories and subdirectories, this ends up applying to the files.
By using the find module we can prevent that and have a simple
remediation that works both for directories and file_regex.
This fixes ComplianceAsCode#10687.
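As an added illustration of the approach the description outlines (not code from the ComplianceAsCode file_permissions template or from this PR), the play below shows the recursive file task the PR replaces beside the find-based form; the path /tmp/example_tree, the modes 0750 and 0640 and the `.rules` pattern are constructed for the example, not taken from the page.

```yaml
---
# Added example, not the project's template; path, modes and pattern are constructed.
- name: Apply permissions to directories only (before vs. after)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    target_dir: /tmp/example_tree   # constructed stand-in for a config directory
  tasks:
    # BEFORE (what the PR fixes): with recurse, the file module sets this
    # mode on every file in the tree, not only on the directories.
    #
    # - name: Set directory mode recursively
    #   ansible.builtin.file:
    #     path: "{{ target_dir }}"
    #     state: directory
    #     mode: "0750"
    #     recurse: true

    # AFTER: enumerate only directories with find, then set the mode on each
    # match so regular files keep their own permissions.
    - name: Find directories below the target
      ansible.builtin.find:
        paths: "{{ target_dir }}"
        file_type: directory
        recurse: true
      register: found_dirs

    - name: Set the mode on the target and its subdirectories only
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        mode: "0750"
      # find does not return the starting path itself, so add it explicitly
      loop: "{{ [{'path': target_dir}] + found_dirs.files }}"

    # The same pattern covers a file regex, like the bash
    # `find ... -type f -regex ...` quoted later in the discussion.
    - name: Find regular files whose names match the pattern
      ansible.builtin.find:
        paths: "{{ target_dir }}"
        file_type: file
        use_regex: true
        patterns: ['^.*\.rules$']
      register: found_files

    - name: Set the file mode only on the matching files
      ansible.builtin.file:
        path: "{{ item.path }}"
        mode: "0640"
      loop: "{{ found_files.files }}"
```

Run with `ansible-playbook -i localhost, play.yml` against a directory tree you created for the test; files outside the regex keep their original mode, which is the property the recursive file task could not guarantee.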
@dodys dodys requested review from a team July 20, 2023 09:26

@dodys
Contributor Author

dodys commented Jul 20, 2023

@marcusburghardt @Mab879 can you check the testing-farm fail? The file_permissions_audit_configuration is a rule only rhel has and after taking a look I think the rule itself is not working as intended as the file_permissions template doesn't loop through the regexes. I also found it odd that this rule was created when we already had file_permissions_etc_audit_rulesd and file_permissions_etc_audit_auditd.

@jan-cerny jan-cerny changed the title templates: file_permissions: Improve handling of directories in ansible remediation. templates: file_permissions: Improve handling of directories in ansible remediation Jul 20, 2023
@marcusburghardt marcusburghardt self-assigned this Jul 21, 2023
@marcusburghardt marcusburghardt added this to the 0.1.70 milestone Jul 21, 2023
@marcusburghardt marcusburghardt added the Ansible label (Ansible remediation update) Jul 21, 2023
@codeclimate

codeclimate bot commented Jul 24, 2023

Code Climate has analyzed commit 8fcbb59 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).


@marcusburghardt
Member

@marcusburghardt @Mab879 can you check the testing-farm fail? The file_permissions_audit_configuration is a rule only rhel has and after taking a look I think the rule itself is not working as intended as the file_permissions template doesn't loop through the regexes. I also found it odd that this rule was created when we already had file_permissions_etc_audit_rulesd and file_permissions_etc_audit_auditd.

It works as expected. I just checked the resulting bash remediation and it includes these two lines:

find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \;
find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;

Ansible follows the same approach.

Member

@marcusburghardt marcusburghardt left a comment


LGTM

@marcusburghardt marcusburghardt merged commit 423e654 into ComplianceAsCode:master Jul 25, 2023
33 of 34 checks passed
@dodys dodys deleted the bug-10687 branch October 10, 2023 09:28
Successfully merging this pull request may close these issues.

recursive file mode setting breaks sudo