New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplify banner text syntax and add utility to generate banner regular expression #5050
Conversation
The idea is this macro will be used in the variable definition. Unfortunately variables are parsed without jinja macro support. So I am stuck :D Help @yuumasato |
@dahaic The patch to expand macros during variable loading may be as simples as:
I haven't tested, :) |
e33d0bd
to
0fa9b95
Compare
It seems to work perfectly, thank you! <3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've noticed two artifacts.
- There is an extra
)
at the end of some banners. dod_short
banner generates an artifact when expanding the escape of a single quote.
linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
Outdated
Show resolved
Hide resolved
linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
Outdated
Show resolved
Hide resolved
0fa9b95
to
e406dd7
Compare
I've also changed the macro a little bit - there's no need to replace |
|
0a38efe
to
d03e590
Compare
Updated sources again, as There are still some changes - I have just checked the outputs, and there are following differences against master:
For the evaluation, I have used following command to generate stable output: |
Just an fyi, we will need to evaluate both space and newline in the macro. |
Huh, can you give me an example? Because macro replaces space with |
You have removed |
Again, I don't follow. Macro changes |
linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
Outdated
Show resolved
Hide resolved
d03e590
to
7395b9c
Compare
Fixed all stuff I found - no artifacts are known to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dahaic All banners are rendering correctly, except dod_banners
, it is used by the STIG profile and is not remediating correctly, both for el8 and el7.
This command:
oscap xccdf eval --remediate --profile profile_stig --rule xccdf_org.ssgproject.content_rule_banner_etc_issue ./ssg-rhel7-ds.xml
Renders the following banner:
^(You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.|I've read & consent to terms in IS user agreem't.)$
Note at the end the |
and the short banner.
Also, the new lines were a bit different before this patch
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.
The same variable Before the text rendered as:
With the macro it becomes:
The difference is the |
What is the point in substituting space for |
Actually, from https://github.com/ComplianceAsCode/content/blob/master/shared/references/disa-stig-rhel7-v2r5-xccdf-manual.xml#L134, it doesn't seem that double newlines are expected. |
I've made the banner variable usable by both rules The last commit 2384716 maybe feel out of place for this PR, but it helps with testing. To reviewer: I suggest you have |
@dahaic can you rebase? You are the owner of the branch. |
With banner texts having every whitespace replaced with more complex regular expression, it's not really readable in that form. This macro should provide way to write human readable text in source, and get machine readable text as the output.
Format of dod_banners changed a bit, and stripping of tailing short dod banner got broken. Goal of dod_banners is to check for either long or shord DoD, but default to remediating with the long banner.
Let the banner_regexify filter escape regex unsafe chars, no need for manual escaping.
Hello @dahaic! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:
Comment last updated at 2020-03-12 15:11:45 UTC |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The tool utils/regexify_banner.py
generates a regex without anchoring such as: ^( )$
. When I use this output to tailor a profile and change the banner text variable, it will match the pattern even in the middle of a file, which is not the ideal case since we want to match only the expected text. One solution is to change the OVAL of banner_etc_issue
to have these anchors already in place so the user doesn't need to care about it.
I suggest creating a new test scenario that cover this case.
Also, please set execution mode for the file: utils/regexify_banner.py
and put the shebang similar to other files in utils
directory.
@ggbecker Isn't this scenario already covered by https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_double_banner.fail.sh, which has extra text at the end? |
Okay, I see the issue is when there is a newline before the extra content. |
I also think that makes sense to test having an extra content in the beginning of the file then a newline and then the content of a valid banner. So we can ensure that the anchoring is always in place. |
Added test scenario where the banner is followed by an extraneous line. This caused the rule to pass unexpectedly. Updated OVAL check to consider the all lines of /etc/issue the object to be evaluated and compared against a state. Also updated Bash remediation to not add extra newline at the end, and Asnbile remediation to remove any extraneous line in /etc/issue
In 5560180 I've changed approach to consider the whole
🤔 Do we really need this test? |
I thought it would be good. But I can't think of a strong argument to support the idea now that the problem is fixed. |
We need to be sure that the whole banners matches the banner variable. This commit includes a test scenario that reproduces the issue. All the harness around banners have been updated, regexify, deregexify and utility.
The scanning results are accurate now when using customized variable. But still the remediation is failing because of the regex filtering as it is described in this example (excerpt from bash remediation using custom variable generated by
The result of this is script is the following:
|
Anchor the opening parenthesis to beginning of banner, and add anchord closing parenthesis to pattern.
@ggbecker should be fixed now. The regex to strip multiple banner regex was too loose. |
Trying it again right now |
The ansible remediation is still failing to remediate for a custom variable. I'm attaching the tailoring file and pasting all the commands I ran to reproduce the failure. Here is the tailoring profile with the regex from the banner: This is the command I used to generate the ansible remediation:
And then I run with something like:
I'm executing only the ansible tasks that touch the rule Then the final scan in the machine:
If you compare the file The datastream |
@ggbecker I think you hit a dark corner case, :), the culprit is how Ansible This is how the banner should be;
The
The I think this happens mostly because your banner is very sparse. I tried some other approaches like breaking it by line and wordrwapping each "line", but that brings other issues. I suggest not to fix this particular issue, and see if people hit it. |
Ok, I agree that's a dark corner case and I won't be blocking the PR to be merged because of this. Overall the work done here is great and it should solve the longstanding problem with the banners and its crazy regexes. It also improves a LOT the usability. |
Description:
banner_regexify
filter. This filter should provide way to write human readable text in source, and get machine readable text as the output. Banner text can be written as if writing aprintf
statement.sed
calls in Bash remediationsRationale:
Fixes: #4574
Fixes: #4387
Fixes: RHBZ#1776780