Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add variable support to auditd_name_format rule #11019

Merged
merged 8 commits into from
Sep 14, 2023
Merged

Add variable support to auditd_name_format rule #11019

merged 8 commits into from
Sep 14, 2023

Conversation

ggbecker
Copy link
Member

@ggbecker ggbecker commented Aug 23, 2023
edited

Description:

  • Add variable support to auditd_name_format rule

Rationale:

@ggbecker ggbecker added RHEL Red Hat Enterprise Linux product related. Update Rule Issues or pull requests related to Rules updates. STIG STIG Benchmark related. labels Aug 23, 2023
@ggbecker ggbecker added this to the 0.1.70 milestone Aug 23, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@ggbecker ggbecker force-pushed the name_format_variable branch 4 times, most recently from 470a352 to e1c6eab Compare August 23, 2023 15:13
@github-actions
Copy link

github-actions bot commented Aug 23, 2023
edited

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New content has different text for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format'.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -1,12 +1,16 @@
 
 [title]:
-Set hostname as computer node name in audit logs
+Set type of computer node name logging in audit logs
 
 [description]:
-To configure Audit daemon to use value returned by gethostname
-syscall as computer node name in the audit events,
-set name_format to hostname
+To configure Audit daemon to use a unique identifier
+as computer node name in the audit events,
+set name_format to 'xccdf_org.ssgproject.content_value_var_auditd_name_format'
 in /etc/audit/auditd.conf.
+
+[warning]:
+Whenever the variable var_auditd_name_format uses a multiple value option, for example
+A|B|C, the first value will be used when remediating this rule.
 
 [reference]:
 CCI-001851

OCIL for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- ocil:ssg-auditd_name_format_ocil:questionnaire:1
+++ ocil:ssg-auditd_name_format_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To verify that Audit Daemon is configured to record the hostname
-in audit events, run the following command:
+To verify that Audit Daemon is configured to record the computer node
+name in the audit events, run the following command:
 $ sudo grep name_format /etc/audit/auditd.conf
 The output should return the following:
-name_format = hostname
-      Is it the case that name_format isn't set to hostname?
+name_format = 
+      Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -1,5 +1,10 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+var_auditd_name_format=''
+
+
+var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
     
@@ -12,7 +17,7 @@
 
 cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
 # Insert at the end of the file
-printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf"
+printf '%s\n' "name_format = $var_auditd_name_format" >> "/etc/audit/auditd.conf"
 # Clean up after ourselves.
 rm "/etc/audit/auditd.conf.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -12,8 +12,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+- name: XCCDF Value var_auditd_name_format # promote to variable
+  set_fact:
+    var_auditd_name_format: !!str 
+  tags:
+    - always
 
-- name: Set hostname as computer node name in audit logs
+- name: Set type of computer node name logging in audit logs - Define Value to Be
+    Used in the Remediation
+  ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0]
+    }}"
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-82897-0
+  - DISA-STIG-RHEL-08-030062
+  - NIST-800-53-AU-3
+  - NIST-800-53-CM-6
+  - auditd_name_format
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Set type of computer node name logging in audit logs
   block:
 
   - name: Check for duplicate values
@@ -39,7 +63,7 @@
       path: /etc/audit/auditd.conf
       create: true
       regexp: (?i)^\s*name_format\s*=\s*
-      line: name_format = hostname
+      line: name_format = {{ auditd_name_format_split }}
       state: present
   when:
   - '"audit" in ansible_facts.packages'

@ggbecker
Copy link
Member Author

ggbecker commented Aug 23, 2023
edited

@ComplianceAsCode/suse-maintainers FYI: ad31112

@rumch-se

Fixes:

Run tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM auditd_name_format
  tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM auditd_name_format
  shell: /usr/bin/bash -e {0}
  env:
    DATASTREAM: ssg-sle15-ds.xml
    ADDITIONAL_TEST_OPTIONS: --duplicate-templates --add-product-to-fips-certified sle15 --product sle15
Setting console output to log level INFO
INFO - The base image option has been specified, choosing Podman-based test environment.
INFO - Logging into logs_bash/test_suite.log
WARNING - Nothing has been tested!
Traceback (most recent call last):
  File "/home/runner/work/content/content/tests/automatus.py", line 511, in <module>
    main()
  File "/home/runner/work/content/content/tests/automatus.py", line 507, in main
    options.func(options)
  File "/home/runner/work/content/content/tests/ssg_test_suite/rule.py", line 689, in perform_rule_check
    checker.test_target()
  File "/home/runner/work/content/content/tests/ssg_test_suite/oscap.py", line 683, in test_target
    self._test_target()
  File "/home/runner/work/content/content/tests/ssg_test_suite/rule.py", line 458, in _test_target
    self._prepare_environment(test_content_by_rule_id)
  File "/home/runner/work/content/content/tests/ssg_test_suite/rule.py", line 275, in _prepare_environment
    self._ensure_package_present_for_all_scenarios(test_content_by_rule_id)
  File "/home/runner/work/content/content/tests/ssg_test_suite/rule.py", line 265, in _ensure_package_present_for_all_scenarios
    common.install_packages(self.test_env, packages_to_install)
  File "/home/runner/work/content/content/tests/ssg_test_suite/common.py", line 592, in install_packages
    platform = cpes_to_platform([platform_cpe])
  File "/home/runner/work/content/content/tests/ssg_test_suite/common.py", line 623, in cpes_to_platform
    raise ValueError(msg)
ValueError: Unable to deduce a platform from these CPEs: ['cpe:/o:suse:sles:15:sp5']

From https://github.com/ComplianceAsCode/content/actions/runs/5953199333/job/16147057044

@marcusburghardt marcusburghardt self-assigned this Aug 24, 2023
@ggbecker ggbecker marked this pull request as draft August 24, 2023 12:31
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 24, 2023
@ggbecker ggbecker marked this pull request as ready for review August 30, 2023 11:54
@ggbecker ggbecker requested a review from a team as a code owner August 30, 2023 11:54
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 30, 2023
@ggbecker ggbecker force-pushed the name_format_variable branch 2 times, most recently from 6fe28b7 to d393c7a Compare August 30, 2023 22:27
marcusburghardt
marcusburghardt requested changes Aug 31, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have some comments about Ansible Style Guide and remediation approach.

.../guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml Outdated Show resolved Hide resolved
.../guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml Outdated Show resolved Hide resolved
.../guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml Outdated Show resolved Hide resolved
@ggbecker ggbecker changed the title Add variable support to configure_auditd_data_retention rule Add variable support to auditd_name_format rule Aug 31, 2023
@ggbecker ggbecker changed the title Add variable support to auditd_name_format rule Add variable support to auditd_name_format rule Aug 31, 2023
@marcusburghardt
Copy link
Member

@ggbecker , the pending itens are basically about Style Guide and an small improvement in Ansible remediation approach, to make it aligned with Bash. Could you take a look, please?

@ggbecker
Copy link
Member Author

I am testing the proposed changes from: #11111

To see if they actually work since this pull request should trigger the same situation.

@marcusburghardt
Copy link
Member

The PR worked fine in my local VMs, but the errors in Automatus tests should be investigated.

@ggbecker
Copy link
Member Author

The PR worked fine in my local VMs, but the errors in Automatus tests should be investigated.

Yes, I agree. I will take a look.

@ggbecker
Copy link
Member Author

The issue with automatus CI is related to: notiz-dev/github-action-json-property#6

I'm trying the approach suggested there to see what happens.

@ggbecker
Add variable support to configure_auditd_data_retention rule.
80a5a97
@ggbecker
Make auditd_name_format accept multiple valid values.
fe13218 
This multiple values can be defined in the variable as a regex for
multiple options. The first item in the regex will be used for
remediation.
@ggbecker
Select STIG variable for auditd_name_format in STIG profiles.
71454e8
@ggbecker
Add warning to auditd_name_format.
aa27f80 
This warning lets users know that the first value of the variable will
be used when remediating the rule whenever the value selected is a
multiple choice value.
@ggbecker
Make sure value none is double quoted in variables.
adb215e
@ggbecker
Fix ansible remediation style.
f1f4827
@ggbecker
Simplify ansible remediation of auditd_name_format.
41006cf
@ggbecker
Copy link
Member Author

It seemed to work. It should be now ready for merge IMO.

@codeclimate
Copy link

codeclimate bot commented Sep 13, 2023

Code Climate has analyzed commit 5ffe39f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

@ggbecker
Copy link
Member Author

The issue with automatus CI is related to: notiz-dev/github-action-json-property#6

I'm trying the approach suggested there to see what happens.

@jan-cerny 5ffe39f seemed to fix the problem with the json single value array attribute

marcusburghardt
marcusburghardt approved these changes Sep 14, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great. Thanks for the investigation in this PR @ggbecker .

@marcusburghardt marcusburghardt merged commit fcbf0fd into ComplianceAsCode:master Sep 14, 2023
38 checks passed
@jan-cerny jan-cerny added the RHEL9 Red Hat Enterprise Linux 9 product related. label Dec 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@marcusburghardt marcusburghardt

Labels
RHEL Red Hat Enterprise Linux product related. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.70
3 participants
@ggbecker @marcusburghardt @jan-cerny