Skip to content

SLE15 add use_kerberos_security_all_exports rule to HIPAA profile #7905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jan-cerny merged 3 commits into from
Nov 23, 2021
Merged

SLE15 add use_kerberos_security_all_exports rule to HIPAA profile #7905

jan-cerny merged 3 commits into from
Nov 23, 2021

Conversation

@teacup-on-rockingchair
Copy link
Contributor

@teacup-on-rockingchair teacup-on-rockingchair commented Nov 22, 2021

Description:

Add use_kerberos_security_all_exports to SLE15 HIPAA profile

Rationale:

Add ansible,bash remediation and tests for use_kerberos_security_all_exports

@openshift-ci
Copy link

openshift-ci bot commented Nov 22, 2021

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Nov 22, 2021
@github-actions
Copy link

github-actions bot commented Nov 22, 2021

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New datastream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports'.
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports'.

@jan-cerny jan-cerny self-assigned this Nov 22, 2021
jan-cerny
jan-cerny requested changes Nov 22, 2021
View reviewed changes
...ervices/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/bash/shared.sh Outdated
do
correct_export=""
if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then
correct_export="$(echo $nfs_export|sed -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krbp5/')"
Copy link
Collaborator

@jan-cerny jan-cerny Nov 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be krb5p, not krbp5.

Copy link
Contributor Author

@teacup-on-rockingchair teacup-on-rockingchair Nov 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be fixed in should be fixed in a59ed41

...ervices/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/bash/shared.sh
for nfs_export in "${nfs_exports[@]}"
do
correct_export=""
if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then
Copy link
Collaborator

@jan-cerny jan-cerny Nov 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably swap the command in the if branch with the command in the else branch. If the count of sec= in the string is 0, it won't make sense to try replacing sec= by sed.

Copy link
Contributor Author

@teacup-on-rockingchair teacup-on-rockingchair Nov 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be fixed in a59ed41

jan-cerny
jan-cerny reviewed Nov 22, 2021
View reviewed changes
...nd_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/tests/no_sec_export.fail.sh
@@ -0,0 +1,3 @@
# platform = multi_platform_all

Copy link
Collaborator

@jan-cerny jan-cerny Nov 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many test scenarios fail when bash remediation is used.

Copy link
Contributor Author

@teacup-on-rockingchair teacup-on-rockingchair Nov 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx, obviously there was some bad copy-pasting from my test machine, should be fixed in a59ed41

@teacup-on-rockingchair
Fix bash remediation
a59ed41 
- Confused logic fixed when to replace sec parameter and when to add
- Fixed type on krb5p value

Thanks to @jan-cerny for the feedback
@jan-cerny jan-cerny added this to the 0.1.60 milestone Nov 23, 2021
@jan-cerny jan-cerny merged commit 6c3aece into ComplianceAsCode:master Nov 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels

needs-ok-to-test Used by openshift-ci bot.

Projects

None yet

Milestone

0.1.60

Development

Successfully merging this pull request may close these issues.

2 participants

@teacup-on-rockingchair @jan-cerny