
Updating macros to support idempotency when deduplicating values #6953

Conversation

carlosmmatos (Contributor)

@carlosmmatos carlosmmatos commented May 5, 2021

Description:

  • Current Ansible lineinfile macros do not support idempotent behavior when invoking the ansible_only_lineinfile macro.

Rationale:

  • If we're using Ansible, might as well use it better. Ensure that the rules that use these macros provide the end-user with a better Ansible experience.
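As an added illustration (not the macro from this PR or from the ComplianceAsCode repository), the tasks below contrast an unconditional remove-then-add sequence, which reports "changed" on every run, with a pattern that deduplicates only when more than one matching line exists. The file path, regexp, line value and task names are constructed sample values.

```yaml
# Added example; tasks and names are hypothetical, not the project's own macro output.
# Sample goal: keep exactly one "TMOUT=900" assignment in /etc/profile.d/tmout.sh.

# Non-idempotent pattern: the 'absent' task deletes every matching line on each run
# and the 'present' task re-adds it, so the play reports "changed" every time.
- name: Remove all TMOUT lines (changes whenever a line exists)
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    regexp: '^\s*TMOUT\s*='
    state: absent

- name: Add the desired TMOUT line (always changes after the removal above)
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    create: true
    line: 'TMOUT=900'

# Idempotent pattern: count matches in check mode first, remove lines only when
# duplicates exist, then let a single lineinfile replace one line in place.
- name: Check for duplicate TMOUT values (read-only, reports the match count)
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    regexp: '^\s*TMOUT\s*='
    state: absent
  check_mode: true
  changed_when: false
  register: tmout_dupes

- name: Deduplicate TMOUT values only when more than one line matches
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    regexp: '^\s*TMOUT\s*='
    state: absent
  when: tmout_dupes.found is defined and tmout_dupes.found > 1

- name: Ensure exactly one correct TMOUT line
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    create: true
    regexp: '^\s*TMOUT\s*='
    line: 'TMOUT=900'
```

On a second run against an already-compliant file the check-mode task finds one match, the deduplication task is skipped, and the final task finds the line already correct, so nothing reports "changed".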

@openscap-ci (Collaborator)

openscap-ci commented May 5, 2021

Changes identified:
Rules:
 sshd_allow_only_protocol2
 sshd_use_priv_separation
 sshd_rekey_limit
 sshd_use_approved_macs
 selinux_state
 coredump_disable_backtraces
 accounts_tmout
 coredump_disable_storage
 sshd_set_idle_timeout
 accounts_have_homedir_login_defs
 sshd_use_approved_ciphers
 sshd_set_max_sessions
 configure_openssl_tls_crypto_policy
 selinux_policytype
 configure_tmux_lock_after_time
 sshd_disable_rhosts_rsa
 sshd_disable_compression
 sshd_set_keepalive
 sshd_set_max_auth_tries
 configure_tmux_lock_command
Macros:
 ansible_lineinfile
 ansible_only_lineinfile


Rule sshd_allow_only_protocol2:
 Ansible remediation changed.
Rule sshd_use_priv_separation:
 Ansible remediation changed.
Rule sshd_rekey_limit:
 Ansible remediation changed.
Rule sshd_use_approved_macs:
 Ansible remediation changed.
Rule selinux_state:
 Ansible remediation changed.
Rule coredump_disable_backtraces:
 Ansible remediation changed.
Rule accounts_tmout:
 Ansible remediation changed.
Rule coredump_disable_storage:
 Ansible remediation changed.
Rule sshd_set_idle_timeout:
 Ansible remediation changed.
Rule accounts_have_homedir_login_defs:
 Ansible remediation changed.
Rule sshd_use_approved_ciphers:
 Ansible remediation changed.
Rule sshd_set_max_sessions:
 Ansible remediation changed.
Rule configure_openssl_tls_crypto_policy:
 Ansible remediation changed.
Rule selinux_policytype:
 Ansible remediation changed.
Rule configure_tmux_lock_after_time:
 Ansible remediation changed.
Rule sshd_disable_rhosts_rsa:
 Ansible remediation changed.
Rule sshd_disable_compression:
 Ansible remediation changed.
Rule sshd_set_keepalive:
 Ansible remediation changed.
Rule sshd_set_max_auth_tries:
 Ansible remediation changed.
Rule configure_tmux_lock_command:
 Ansible remediation changed.
Macro ansible_lineinfile:
 In Ansible remediation for accounts_polyinstantiated_tmp.
 In Ansible remediation for sshd_allow_only_protocol2.
 In Ansible remediation for configure_tmux_lock_after_time.
 In Ansible remediation for sshd_rekey_limit.
 In Ansible remediation for configure_openssl_tls_crypto_policy.
 In Ansible remediation for sshd_set_max_sessions.
 In Ansible remediation for file_permissions_local_var_log_messages.
 In Ansible remediation for sshd_use_approved_macs.
 In Ansible remediation for configure_tmux_lock_command.
 In Ansible remediation for sshd_set_max_auth_tries.
 In Ansible remediation for sshd_set_idle_timeout.
 In Ansible remediation for sshd_disable_rhosts_rsa.
 In Ansible remediation for enable_pam_namespace.
 In Ansible remediation for sshd_disable_compression.
 In Ansible remediation for accounts_have_homedir_login_defs.
 In Ansible remediation for selinux_state.
 In Ansible remediation for accounts_polyinstantiated_var_tmp.
 In Ansible remediation for sshd_use_approved_ciphers.
 In Ansible remediation for accounts_tmout.
 In Ansible remediation for sudoers_validate_passwd.
 In Ansible remediation for ntpd_configure_restrictions.
 In Ansible remediation for selinux_policytype.
 In Ansible remediation for coredump_disable_storage.
 In Ansible remediation for sshd_set_keepalive.
 In Ansible remediation for postfix_network_listening_disabled.
 In Ansible remediation for ssh_client_rekey_limit.
 In Ansible remediation for sshd_use_priv_separation.
 In Ansible remediation for coredump_disable_backtraces.
Macro ansible_only_lineinfile:
 In Ansible remediation for sshd_allow_only_protocol2.
 In Ansible remediation for configure_tmux_lock_after_time.
 In Ansible remediation for sshd_rekey_limit.
 In Ansible remediation for configure_openssl_tls_crypto_policy.
 In Ansible remediation for sshd_set_max_sessions.
 In Ansible remediation for sshd_use_approved_macs.
 In Ansible remediation for configure_tmux_lock_command.
 In Ansible remediation for sshd_set_max_auth_tries.
 In Ansible remediation for sshd_set_idle_timeout.
 In Ansible remediation for sshd_disable_rhosts_rsa.
 In Ansible remediation for sshd_disable_compression.
 In Ansible remediation for accounts_have_homedir_login_defs.
 In Ansible remediation for selinux_state.
 In Ansible remediation for sshd_use_approved_ciphers.
 In Ansible remediation for accounts_tmout.
 In Ansible remediation for selinux_policytype.
 In Ansible remediation for coredump_disable_storage.
 In Ansible remediation for sshd_set_keepalive.
 In Ansible remediation for sshd_use_priv_separation.
 In Ansible remediation for coredump_disable_backtraces.

Recommended tests to execute:
 build_product rhel7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml sshd_use_priv_separation
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml sshd_use_approved_macs
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml sshd_use_approved_ciphers
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml sshd_disable_rhosts_rsa
 build_product rhel8
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_allow_only_protocol2
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_rekey_limit
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml selinux_state
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml coredump_disable_backtraces
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml accounts_tmout
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml coredump_disable_storage
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_set_idle_timeout
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml accounts_have_homedir_login_defs
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_set_max_sessions
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml configure_openssl_tls_crypto_policy
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml selinux_policytype
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml configure_tmux_lock_after_time
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_disable_compression
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml sshd_set_max_auth_tries
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml configure_tmux_lock_command
 build_product fedora
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-fedora-ds.xml sshd_set_keepalive

@jan-cerny (Collaborator)

The change looks fine but we need some test scenarios that test this macro. For example in rule accounts_tmout.

@carlosmmatos (Contributor, Author)

The change looks fine but we need some test scenarios that test this macro. For example in rule accounts_tmout.

Sounds good. I'll look into adding these this morning.

@vojtapolasek vojtapolasek added this to the 0.1.56 milestone May 6, 2021
@carlosmmatos carlosmmatos marked this pull request as draft May 6, 2021 18:55
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 6, 2021
@carlosmmatos carlosmmatos force-pushed the update-ansible_set_config_file-macro branch from 43eb263 to 75c3509 Compare May 10, 2021 14:24
@carlosmmatos carlosmmatos force-pushed the update-ansible_set_config_file-macro branch from 72b0875 to c7ed84b Compare May 10, 2021 18:12
@carlosmmatos carlosmmatos marked this pull request as ready for review May 10, 2021 20:47
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 10, 2021
@vojtapolasek vojtapolasek modified the milestones: 0.1.56, 0.1.57 May 11, 2021
@jan-cerny (Collaborator)

/retest

@jan-cerny jan-cerny self-assigned this May 11, 2021
@jan-cerny jan-cerny merged commit c6e0b81 into ComplianceAsCode:master May 12, 2021
@vojtapolasek vojtapolasek added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label May 14, 2021
@vojtapolasek vojtapolasek modified the milestones: 0.1.57, 0.1.56 May 14, 2021
vojtapolasek pushed a commit that referenced this pull request May 14, 2021
…file-macro

Updating macros to support idempotency when deduplicating values

(cherry picked from commit c6e0b81)