Fix several audit-related ignition remediations #5651
Removed a trailing whitespace and changed the ignition to properly include characters that were double-urlencoded. The result now looks like this:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification

The above can be displayed with:

$ python3 utils/ignition-remediation.py decode --rule=audit_modify_failed
Just removes a trailing line which was tripping up the OVAL check as it checks for equal file contents.
There was a trailing whitespace that was tripping up the OVAL check, plus some characters were double-encoded (such as >=). The result can be viewed with:

$ python3 utils/ignition-remediation.py decode --rule=audit_ospp_general
Hi @jhrozek. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test. Once the patch is verified, the new status will be reflected by the ok-to-test label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
@jhrozek how are you URL encoding the data? We used the python snippet from @JAORMX's blog at https://jaosorior.dev/2019/modifying-node-configurations-in-openshift-4.x/:

$ cat "string to encode" | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))"
@openscap-ci retest this please
For quick and dirty one-liners I'm using a script from the CaC repo:
I've been also developing this other tool where you keep a chroot-like tree of all files you want to encode together with metadata in the files about which rule they apply to and then you just run a single command which generates all the ignitions for you. This way, you can view, grep and inspect the raw files and also it's easier to then keep tabs on a single file used for multiple rules. I'm not sure if it's usable for anyone else, the tool is definitely very raw, but it's been handy for me.
btw for review of the PR, the before and after applying the patch could clearly show what the differences are.
/retest
Decoded & compared against the *.rules files.
Thanks! There doesn't seem to be mention of this in the docs. Will work on adding it.
Description:
The OVAL checks use the filetextcontent54 probe and check against a blob
defined in the DS, so any divergence from the blob fails the rule. In these
remediations, the ignition files rendered trailing whitespace. Also,
some characters like ">=" were already encoded when the resulting file
was urlencoded.
Rationale:
Applying the remediations was still resulting in a failed check during a
subsequent run.
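The two defects this PR fixes (trailing whitespace in the rendered file, and characters such as `>=` that were already percent-encoded before the file was urlencoded again) both make the decoded Ignition content differ from the blob the OVAL check compares against, so the remediation never passes a re-scan. The following is an added example, not code from the ComplianceAsCode project or from the utils/ignition-remediation.py script referenced above. It uses the same `urllib.parse.quote` encoding as the blog snippet quoted in the thread, builds an Ignition `data:` URL from a constructed pair of auditd rules, lints the source text for the two failure modes before encoding, and round-trips the encoded URL back to verify it matches the rules file byte for byte, which is the comparison the reviewer did by hand. The function names and the sample rules are the example's own assumptions.

```python
import re
import urllib.parse

# Constructed sample of auditd rules in the shape the .rules files use
# (two rules from the set shown in the PR, not the full file).
RULES_FILE = (
    "-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES "
    "-F auid>=1000 -F auid!=unset -F key=unsuccessful-modification\n"
    "-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM "
    "-F auid>=1000 -F auid!=unset -F key=unsuccessful-modification\n"
)

# A percent-escape as produced by urllib.parse.quote: '%' plus two hex digits.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
DATA_PREFIX = "data:,"


def encode_ignition_source(text):
    """Build the Ignition file 'source' data URL, encoding exactly once."""
    return DATA_PREFIX + urllib.parse.quote(text)


def decode_ignition_source(source):
    """Inverse of encode_ignition_source: strip the data: prefix and unquote once."""
    if not source.startswith(DATA_PREFIX):
        raise ValueError("not a plain data:, URL")
    return urllib.parse.unquote(source[len(DATA_PREFIX):])


def lint_rules_text(text):
    """Findings that would make the rendered file diverge from the OVAL blob.

    Heuristic (assumption of this example): auditd rules never legitimately
    contain a '%xx' sequence, so any percent-escape in the input means the
    text was already urlencoded and quoting it again would double-encode.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip():
            findings.append(f"line {lineno}: trailing whitespace")
    if text.endswith("\n\n"):
        findings.append("file ends with an extra blank line")
    if PERCENT_ESCAPE.search(text):
        findings.append("input already contains percent-escapes; encoding again would double-encode")
    return findings


def is_double_encoded(source):
    """True if one unquote of the payload still leaves percent-escapes behind.

    Correctly encoded '>=' decodes to '>='; double-encoded '%253E%253D' decodes
    to '%3E%3D', which still matches PERCENT_ESCAPE.
    """
    once = decode_ignition_source(source)
    return PERCENT_ESCAPE.search(once) is not None


def roundtrip_matches(source, expected_text):
    """The check an exact-content OVAL comparison effectively performs."""
    return decode_ignition_source(source) == expected_text


if __name__ == "__main__":
    good = encode_ignition_source(RULES_FILE)
    print("lint findings:", lint_rules_text(RULES_FILE))
    print("double-encoded:", is_double_encoded(good))
    print("round-trip matches:", roundtrip_matches(good, RULES_FILE))

    # Reproduce the two defects described in the PR.
    with_trailing_ws = RULES_FILE.replace("\n", " \n", 1)
    print("trailing whitespace findings:", lint_rules_text(with_trailing_ws))
    twice = encode_ignition_source(urllib.parse.quote(RULES_FILE))
    print("double-encoded after quoting twice:", is_double_encoded(twice))
    print("round-trip matches after quoting twice:", roundtrip_matches(twice, RULES_FILE))
```

Running the lint step before generating the Ignition fragment catches both regressions at authoring time; the round-trip check is the cheap equivalent of decoding with utils/ignition-remediation.py and diffing against the .rules file, and it is worth wiring into CI so a remediation that cannot pass its own check is rejected before it ships.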