-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace shell command with find for chrony.conf files on UBTU-20-010435 #11095
Replace shell command with find for chrony.conf files on UBTU-20-010435 #11095
Conversation
This commit will fix UBTU-20-010435 which crashes due to pipeline failure. Instead of using shell command, replace with find command which finds all .conf files within directory contained within chrony conf. Apply the maxpoll update and set operations on the files obtained from the find command. Overall, this will avoid the use of shell and ensure ansible modules are used.
Hi @dexterle. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
+++ xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
@@ -19,8 +19,8 @@
tags:
- always
-- name: Check that /etc/ntp.conf exist
- stat:
+- name: Configure Time Service Maxpoll Interval - Check That /etc/ntp.conf Exist
+ ansible.builtin.stat:
path: /etc/ntp.conf
register: ntp_conf_exist_result
when:
@@ -39,8 +39,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Update the maxpoll values in /etc/ntp.conf
- replace:
+- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/ntp.conf
+ ansible.builtin.replace:
path: /etc/ntp.conf
regexp: ^(server.*maxpoll)[ ]+[0-9]+(.*)$
replace: \1 {{ var_time_service_set_maxpoll }}\2
@@ -61,8 +61,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set the maxpoll values in /etc/ntp.conf
- replace:
+- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/ntp.conf
+ ansible.builtin.replace:
path: /etc/ntp.conf
regexp: (^server\s+((?!maxpoll).)*)$
replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
@@ -83,8 +83,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Check that /etc/chrony.conf exist
- stat:
+- name: Configure Time Service Maxpoll Interval - Check That /etc/chrony.conf Exist
+ ansible.builtin.stat:
path: /etc/chrony.conf
register: chrony_conf_exist_result
when:
@@ -103,18 +103,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Get get conf files from /etc/chrony.conf
- shell: |
- set -o pipefail
- CHRONY_NAME=/etc/chrony.conf
- CHRONY_PATH=${CHRONY_NAME%%.*}
- find ${CHRONY_PATH}.* -type f -name '*.conf'
- register: update_chrony_files
+- name: Configure Time Service Maxpoll Interval - Set Chrony Path Facts
+ ansible.builtin.set_fact:
+ chrony_path: /etc/chrony.conf
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
- - chrony_conf_exist_result.stat.exists
- changed_when: false
tags:
- CCE-84059-5
- DISA-STIG-RHEL-08-030740
@@ -128,16 +122,16 @@
- no_reboot_needed
- restrict_strategy
-- name: Update the maxpoll values in /etc/chrony.conf
- replace:
- path: '{{ item }}'
- regexp: ^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$
- replace: \1 {{ var_time_service_set_maxpoll }}\2
- loop: '{{ update_chrony_files.stdout_lines|list|flatten|unique }}'
+- name: Configure Time Service Maxpoll Interval - Get Conf Files from {{ chrony_path
+ | dirname }}
+ ansible.builtin.find:
+ path: '{{ chrony_path | dirname }}'
+ patterns: '*.conf'
+ file_type: file
+ register: chrony_conf_files
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
- - chrony_conf_exist_result.stat.exists
tags:
- CCE-84059-5
- DISA-STIG-RHEL-08-030740
@@ -151,16 +145,16 @@
- no_reboot_needed
- restrict_strategy
-- name: Set the maxpoll values in /etc/chrony.conf
- replace:
- path: '{{ item }}'
- regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
- replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
- loop: '{{ update_chrony_files.stdout_lines|list|flatten|unique }}'
+- name: Configure Time Service Maxpoll Interval - Update the Maxpoll Values in /etc/chrony.conf
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: ^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$
+ replace: \1 {{ var_time_service_set_maxpoll }}\2
+ loop: '{{ chrony_conf_files.files }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
- - chrony_conf_exist_result.stat.exists
+ - chrony_conf_files.matched
tags:
- CCE-84059-5
- DISA-STIG-RHEL-08-030740
@@ -173,3 +167,26 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Configure Time Service Maxpoll Interval - Set the Maxpoll Values in /etc/chrony.conf
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: (^(?:server|pool|peer)\s+((?!maxpoll).)*)$
+ replace: \1 maxpoll {{ var_time_service_set_maxpoll }}\n
+ loop: '{{ chrony_conf_files.files }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "chrony" in ansible_facts.packages or "ntp" in ansible_facts.packages )
+ - chrony_conf_files.matched
+ tags:
+ - CCE-84059-5
+ - DISA-STIG-RHEL-08-030740
+ - NIST-800-53-AU-12(1)
+ - NIST-800-53-AU-8(1)(b)
+ - NIST-800-53-CM-6(a)
+ - chronyd_or_ntpd_set_maxpoll
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy |
Code Climate has analyzed commit 37f08d8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.8% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great improvement. Thanks @dexterle
da283b9
into
ComplianceAsCode:master
Description:
shell
module callsRationale:
Review Hints:
Build the product:
To test these changes with Ansible:
Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.
This STIG can not be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check given the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/