
Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate #6049

Merged

Conversation

ggbecker
Copy link
Member

@ggbecker ggbecker commented Sep 4, 2020

Description:

The first question is: does it make sense to have remediation for this rule even though the file /etc/sudoers is supposed to be read-only and to be changed only through the visudo utility?

  • Add ansible remediation for sudo_remove_nopasswd.
  • Add test scenarios for sudo_remove_nopasswd.

Rationale:

@openshift-ci-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 4, 2020
@redhatrises
Copy link
Contributor

Visudo is for manually editing sudoers files. Most scripts modify the sudoers file, so yes, it makes sense.

@ggbecker
Copy link
Member Author

ggbecker commented Sep 7, 2020

Ok, turning PR ready for review.

@ggbecker ggbecker marked this pull request as ready for review September 7, 2020 09:55
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 7, 2020
@ggbecker ggbecker force-pushed the update-stig-RHEL-07-010340 branch 4 times, most recently from a92bd92 to 9fb91ad Compare September 7, 2020 14:25
@ggbecker ggbecker changed the title Add ansible remediation for sudo_remove_nopasswd. Add bash and ansible remediation for sudo_remove_nopasswd. Sep 8, 2020
@ggbecker ggbecker changed the title Add bash and ansible remediation for sudo_remove_nopasswd. Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate Sep 8, 2020
# complexity = low
# disruption = low

{{{ ansible_sudo_remove_config("not authenticate", "!authenticate") }}}
Copy link
Contributor


Suggested change
{{{ ansible_sudo_remove_config("not authenticate", "!authenticate") }}}
{{{ ansible_sudo_remove_config("!authenticate", "!authenticate") }}}

I'd make all instances of "not authenticate" "!authenticate". The use of quotes in the task names should make "!" a string rather than something executable by the shell.
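For the bash side of the remediation discussed in this thread, here is an added example that is not the project's bash_sudo_remove_config macro: it strips the NOPASSWD tag and the !authenticate option from a sudoers-style file and re-counts offending lines afterwards. The sample content, file handling and function names are my own assumptions.

```shell
#!/bin/bash
# Added example (not the ComplianceAsCode macros): strip the NOPASSWD tag from user
# specifications and the !authenticate option from Defaults lines of a sudoers-style
# file, keeping the rest of each rule. Needs GNU sed. A real run would target
# /etc/sudoers and /etc/sudoers.d/* and validate each result with `visudo -cf FILE`.
set -eu

# Write constructed sample sudoers content to the file named by $1.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers content
Defaults    !authenticate
Defaults    env_reset, !authenticate, timestamp_timeout=5
Defaults:backup !authenticate
%wheel  ALL=(ALL)       NOPASSWD: ALL
deploy  ALL=(root)      NOPASSWD:/usr/bin/systemctl restart app
admin   ALL=(ALL)       ALL
EOF
}

# Drop the NOPASSWD tag (blanks around the colon are allowed) so the command
# list stays but a password is required again.
remove_nopasswd() {
    sed -i -E 's/NOPASSWD[[:space:]]*:[[:space:]]*//g' "$1"
}

# Remove !authenticate from Defaults lines: delete the line when it was the
# only option, otherwise remove just that option together with its comma.
remove_no_authenticate() {
    sed -i -E \
        -e '/^[[:space:]]*Defaults([:>@!][^[:space:]]*)?[[:space:]]+!authenticate[[:space:]]*$/d' \
        -e '/^[[:space:]]*Defaults/ s/,[[:space:]]*!authenticate([[:space:],]|$)/\1/g' \
        -e '/^[[:space:]]*Defaults/ s/!authenticate[[:space:]]*,[[:space:]]*//g' "$1"
}

remediate_sudoers() { remove_nopasswd "$1"; remove_no_authenticate "$1"; }

# Print how many lines still grant password-less or unauthenticated sudo
# (0 means compliant for these two rules).
count_offending() { grep -Ec 'NOPASSWD|!authenticate' "$1" || true; }

# Stand-alone demonstration on a temporary file.
f=$(mktemp)
write_sample_sudoers "$f"
echo "offending lines before: $(count_offending "$f")"
remediate_sudoers "$f"
echo "offending lines after: $(count_offending "$f")"; cat "$f"; rm -f "$f"
```

Whole-line deletion only happens when !authenticate was the sole option on a Defaults line; user specifications keep their command lists and only lose the NOPASSWD tag.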

@openshift-ci-robot openshift-ci-robot added the needs-rebase Used by openshift-ci bot. label Sep 10, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Used by openshift-ci bot. label Sep 10, 2020
@mildas
Copy link
Contributor

mildas commented Sep 10, 2020

Changes identified:
Rule sudo_remove_no_authenticate:
 Templatization usage changed.
 Ansible remediation newly added.
 Bash remediation is newly added.
Rule sudo_remove_nopasswd:
 Templatization usage changed.
 Ansible remediation newly added.
 Bash remediation is newly added.
Rule sudo_require_authentication:
 Templatization usage changed.
 Ansible remediation newly added.
 Bash remediation is newly added.
Macro ansible_sudo_remove_config:
 In Ansible remediation for sudo_remove_nopasswd.
 In Ansible remediation for sudo_require_authentication.
 In Ansible remediation for sudo_remove_no_authenticate.
Macro bash_sudo_remove_config:
 In Bash remediation for sudo_remove_nopasswd.
 In Bash remediation for sudo_require_authentication.
 In Bash remediation for sudo_remove_no_authenticate.

Recommended tests to execute:
 build_product ol8
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-ol8-ds.xml sudo_remove_no_authenticate
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-ol8-ds.xml sudo_remove_no_authenticate
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-ol8-ds.xml sudo_remove_nopasswd
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-ol8-ds.xml sudo_remove_nopasswd
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-ol8-ds.xml sudo_require_authentication
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-ol8-ds.xml sudo_require_authentication

@openshift-ci-robot
Copy link
Collaborator

@ggbecker: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-rhcos4-e8 e6ebab4 link /test e2e-aws-rhcos4-e8



@redhatrises
Copy link
Contributor

/lgtm

@redhatrises redhatrises merged commit 4d8701f into ComplianceAsCode:master Sep 10, 2020
@matejak matejak added this to the 0.1.53 milestone Sep 15, 2020
@marcusburghardt marcusburghardt added the RHEL7 Red Hat Enterprise Linux 7 product related. label Jun 23, 2022
@marcusburghardt marcusburghardt added the STIG STIG Benchmark related. label Jun 23, 2022