Add audit_rules_unsuccessful_file_modification_detailed remediation scripts #4058
Conversation
Hello @redhatrises! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:
Comment last updated at 2019-03-06 17:06:01 UTC |
Why is this labeled as a "blocker"? AFAIK pull requests with "blocker" label are impediments to upstream release like failure to build content, or content built is out of standard syntax. Your patch only adds new remediation scripts. I think it isn't a blocker then. What am I missing here? |
Files with review comments:
- shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification_o_trunc_write (outdated, resolved)
- shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py (two review threads, resolved)
Force-pushed: 9175016 to 7f7dd38
The inspection completed: 2 new issues, 1 updated code elements |
Regarding the bash remediations, for RHEL and OL this PR has been replaced by https://github.com/ComplianceAsCode/content/pull/4107/files. What about other platforms? Wouldn't it be better to just add platforms to list of platforms to remediation scripts introduced in #4107 ? Should we use the Ansible template introduced here to have Ansible remediations for those rules? |
Any opinions? |
bump @redhatrises |
Not sure what the ask is here. I consider #4107 an interim fix, and the fixes should be updated to not rely on having |
AFAIK using I see #4107 was introduced as a "provisional" fix. @matejak or @yuumasato , do you remember what is a proper fix for audit_rules_unsuccessful_file_modification_detailed?
We don't rely on the file installed, we have included the contents of the file in the remediation. https://github.com/ComplianceAsCode/content/blob/master/shared/bash_remediation_functions/create_audit_remediation_unsuccessful_file_modification_detailed.sh |
Well... The proper fix is to have Bash and Ansible scripts that can re-order the audit rules if all of them are present. By all of them, consider all of the audit rules specific for a syscall. |
I'm removing Blocker label from this PR, as we have an interim fix #4107. |
All the affected rules already have remediations, and this one doesn't address the problem of ordering rules anyway, so I suggest closing it. |
Current rules are interim, copy a config file, and need to be replaced without requiring a config file. Ordering happens through a different rule. |
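The two comments above ask for a remediation that, once every audit rule for a syscall is present, puts those rules into the required order without copying a prebuilt config file. The Python below is an added example of that mechanism, not code from this PR or from the ComplianceAsCode project: it locates the rules for one syscall per `arch`, verifies the expected keys are all there, and rewrites only the positions those rules already occupy, leaving every other line alone. The key names, the `a1` flag masks, the sample file and the required order are all constructed for illustration; the order that actually matters on a system depends on the audit rule set being remediated and on the kernel evaluating exit-list rules in order, which is assumed here rather than taken from the thread.

```python
"""Reorder a syscall's 'unsuccessful file modification' audit rules in place.

Added example for the discussion above, not ComplianceAsCode content.
Assumptions (not from the thread): one auditctl rule per line, rules are
identified by '-S <syscall>', '-F arch=...' and their '-F key=...' / '-k' field,
and the caller supplies the required order as a list of keys.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

_SYSCALL_RE = re.compile(r"-S\s+(\S+)")
_ARCH_RE = re.compile(r"-F\s+arch=(\S+)")
_KEY_RE = re.compile(r"(?:-F\s+key=|-k\s+)(\S+)")

# Constructed sample rules file: illustrative keys and flag masks, not the shipped rules.
SAMPLE_RULES = """\
## constructed sample; both arch blocks are out of the order required below
-a always,exit -F arch=b64 -S open -F a1&03 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b32 -S open -F a1&03 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
"""

# Assumed required order (most specific filter first); the real order is a policy decision.
REQUIRED_ORDER = ["unsuccessful-create", "unsuccessful-modification", "unsuccessful-access"]


def rule_syscalls(line: str) -> set:
    """Syscall names a rule applies to, from '-S a,b' and any repeated '-S'."""
    names = set()
    for group in _SYSCALL_RE.findall(line):
        names.update(n for n in group.split(",") if n)
    return names


def rule_key(line: str) -> Optional[str]:
    """The rule's key ('-F key=name' or '-k name'), or None."""
    m = _KEY_RE.search(line)
    return m.group(1) if m else None


def rule_arch(line: str) -> str:
    """The rule's '-F arch=' value, '' for rules without one."""
    m = _ARCH_RE.search(line)
    return m.group(1) if m else ""


def _indexed_rules(lines: Sequence[str], syscall: str,
                   key_order: Sequence[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Per arch: (line index, key) of each rule for `syscall` whose key is in key_order."""
    wanted = set(key_order)
    found: Dict[str, List[Tuple[int, str]]] = {}
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if syscall not in rule_syscalls(stripped):
            continue
        key = rule_key(stripped)
        if key in wanted:
            found.setdefault(rule_arch(stripped), []).append((i, key))
    return found


def missing_keys(lines: Sequence[str], syscall: str,
                 key_order: Sequence[str]) -> Dict[str, List[str]]:
    """Per arch that has at least one rule, the keys from key_order with no rule."""
    result: Dict[str, List[str]] = {}
    for arch, entries in _indexed_rules(lines, syscall, key_order).items():
        present = {k for _, k in entries}
        gap = [k for k in key_order if k not in present]
        if gap:
            result[arch] = gap
    return result


def is_ordered(lines: Sequence[str], syscall: str, key_order: Sequence[str]) -> bool:
    """True when, for every arch, the rules for `syscall` already follow key_order."""
    rank = {k: n for n, k in enumerate(key_order)}
    for entries in _indexed_rules(lines, syscall, key_order).values():
        ranks = [rank[k] for _, k in entries]
        if ranks != sorted(ranks):
            return False
    return True


def reorder_syscall_rules(lines: Sequence[str], syscall: str,
                          key_order: Sequence[str]) -> List[str]:
    """Copy of `lines` with the rules for `syscall` rearranged into key_order.

    Only the positions already used by those rules are rewritten, so unrelated
    rules, comments and blank lines stay where they were. Raises ValueError when
    a key is missing, because reordering only makes sense once all rules for the
    syscall are present (a remediation should add the missing ones first).
    """
    gaps = missing_keys(lines, syscall, key_order)
    if gaps:
        raise ValueError(f"cannot reorder {syscall} rules, missing: {gaps}")
    out = list(lines)
    for entries in _indexed_rules(lines, syscall, key_order).values():
        positions = [i for i, _ in entries]
        first_idx: Dict[str, int] = {}
        for i, key in entries:
            first_idx.setdefault(key, i)          # first rule per key wins
        ordered_idx = [first_idx[k] for k in key_order]
        extra_idx = [i for i, _ in entries if i not in ordered_idx]  # duplicates go last
        for pos, src in zip(positions, ordered_idx + extra_idx):
            out[pos] = lines[src]
    return out


if __name__ == "__main__":
    print("\n".join(reorder_syscall_rules(SAMPLE_RULES.splitlines(), "open", REQUIRED_ORDER)))
```

Run stand-alone it prints the sample file with each arch block rearranged into `REQUIRED_ORDER`; a remediation would write that output back to the rules file under `/etc/audit/rules.d/` and reload it, and the `is_ordered` / `missing_keys` pair is the check side that decides whether the reorder is needed or whether rules still have to be added first.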
Yes, I know, I also agree that copying a file is the wrong approach.
The rules @yuumasato said that:
@redhatrises It isn't clear to me how this PR improves the situation. How does it ensure that the remediation puts the audit rule in the right place in the audit config file? |
Could you please rebase on the latest master? |
Closing this PR for now. This is going to have to be done anyway for all audit rules.