
Fix several audit-related ignition remediations #5651

Merged
merged 3 commits into from
Apr 24, 2020

Conversation

jhrozek
Collaborator

@jhrozek jhrozek commented Apr 21, 2020

Description:

The OVAL checks use the textfilecontent54 probe and check against a blob
defined in the DS, so any divergence from the blob fails the rule. In these
remediations, the ignition files rendered trailing whitespace. Also,
some characters like ">=" were already encoded when the resulting file
was urlencoded.

Rationale:

Applying the remediations was still resulting in a failed check during a
subsequent run.

Removed a trailing whitespace and changed the ignition to properly
include characters that were double-urlencoded.

The result now looks like this:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification

The above can be displayed with:
$ python3 utils/ignition-remediation.py decode --rule=audit_modify_failed
Just removes a trailing line which was tripping up the OVAL check as it
checks for equal file contents.
There was a trailing whitespace that was tripping up the OVAL check,
plus some characters were double-encoded (such as >=).

The result can be viewed with:
$ python3 utils/ignition-remediation.py decode --rule=audit_ospp_general
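As an added example (not code from this PR or the ComplianceAsCode repository), the snippet below reconstructs the two failure modes the description names: Ignition's `data:,` source wants the file contents urlencoded exactly once, so a rule line whose `>=` was already `%3E%3D` before encoding decodes back to the encoded form, and a trailing blank line breaks an exact-contents comparison of the kind the OVAL check performs. The `check_exact()` helper and the sample rule line are constructed for this example.

```python
import urllib.parse

# Constructed sample: one audit rule line of the kind shown in the PR description.
RULE = ("-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES "
        "-F auid>=1000 -F auid!=unset -F key=unsuccessful-modification")


def ignition_source(content):
    """Build the data: URL an Ignition inline file uses (one urlencode pass)."""
    return "data:," + urllib.parse.quote(content)


def decode_ignition_source(source):
    """Recover the bytes a node would write from a data: URL (one decode pass)."""
    if not source.startswith("data:,"):
        raise ValueError("not a urlencoded data: URL")
    return urllib.parse.unquote(source[len("data:,"):])


def check_exact(rendered, expected):
    """Mimic an exact-contents check and explain why it would fail."""
    problems = []
    if rendered == expected:
        return problems
    if rendered.rstrip() == expected.rstrip():
        problems.append("trailing whitespace differs")
    # If one more decode pass yields the expected text, the input was
    # percent-encoded before it was urlencoded for the data: URL.
    if urllib.parse.unquote(rendered) == expected:
        problems.append("content still percent-encoded (double-urlencoded)")
    if not problems:
        problems.append("contents differ")
    return problems


def demo():
    """Return the diagnostics for the two failure modes described in the PR."""
    expected = RULE + "\n"
    good = ignition_source(expected)
    assert check_exact(decode_ignition_source(good), expected) == []
    # Failure 1: the rendered file carries an extra trailing newline.
    with_trailing = ignition_source(RULE + "\n\n")
    # Failure 2: '>=' was already %3E%3D when the file was urlencoded.
    pre_encoded = ignition_source(RULE.replace(">=", "%3E%3D") + "\n")
    return (check_exact(decode_ignition_source(with_trailing), expected),
            check_exact(decode_ignition_source(pre_encoded), expected))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```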
@openshift-ci-robot
Collaborator

Hi @jhrozek. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 21, 2020
@JAORMX
Contributor

JAORMX commented Apr 21, 2020

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Apr 21, 2020
@JAORMX JAORMX self-requested a review April 21, 2020 13:48
@shawndwells
Member

@jhrozek how are you URL encoding the data?

We used the python snippet from @JAORMX's blog at https://jaosorior.dev/2019/modifying-node-configurations-in-openshift-4.x/:

$ cat "string to encode" | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))"

@shawndwells
Member

@openscap-ci retest this please

@jhrozek
Collaborator Author

jhrozek commented Apr 22, 2020

@jhrozek how are you URL encoding the data?

We used the python snippet from @JAORMX's blog at https://jaosorior.dev/2019/modifying-node-configurations-in-openshift-4.x/:

$ cat "string to encode" | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))"

For quick and dirty one-liners I'm using a script from the CaC repo:

$ python3 utils/ignition-remediation.py encode --mode=0600 --infile=/tmp/etc/audit/rules.d/30-ospp-v42.rules --target=/etc/audit/rules.d/30-ospp-v42.rules --rule=audit_ospp_general --platform=multi_platform_rhel,multi_platform_fedora,multi_platform_ocp

I've also been developing this other tool where you keep a chroot-like tree of all files you want to encode together with metadata in the files about which rule they apply to, and then you just run a single command which generates all the ignitions for you. This way, you can view, grep and inspect the raw files, and it's also easier to keep tabs on a single file used for multiple rules. I'm not sure if it's usable for anyone else, the tool is definitely very raw, but it's been handy for me.

@jhrozek
Collaborator Author

jhrozek commented Apr 22, 2020

btw for review of the PR, the ignition-remediation.py script can also be used, e.g. calling:

python3 utils/ignition-remediation.py decode --rule=audit_modify_failed

before and after applying the patch clearly shows what the differences are.

@yuumasato
Member

/retest

Member

@shawndwells shawndwells left a comment


Decoded & compared against the *.rules files.

@shawndwells shawndwells merged commit 47d96eb into ComplianceAsCode:master Apr 24, 2020
@shawndwells
Member

@jhrozek how are you URL encoding the data?
We used the python snippet from @JAORMX's blog at https://jaosorior.dev/2019/modifying-node-configurations-in-openshift-4.x/:

$ cat "string to encode" | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))"

For quick and dirty one-liners I'm using a script from the CaC repo:

$ python3 utils/ignition-remediation.py encode --mode=0600 --infile=/tmp/etc/audit/rules.d/30-ospp-v42.rules --target=/etc/audit/rules.d/30-ospp-v42.rules --rule=audit_ospp_general --platform=multi_platform_rhel,multi_platform_fedora,multi_platform_ocp

I've also been developing this other tool where you keep a chroot-like tree of all files you want to encode together with metadata in the files about which rule they apply to, and then you just run a single command which generates all the ignitions for you. This way, you can view, grep and inspect the raw files, and it's also easier to keep tabs on a single file used for multiple rules. I'm not sure if it's usable for anyone else, the tool is definitely very raw, but it's been handy for me.

Thanks! There doesn't seem to be mention of this in the docs. Will work on adding it.

@yuumasato yuumasato added this to the 0.1.50 milestone May 11, 2020