Fix audit_rules_privileged_commands_kmod rule in RHEL7 #9477
Address minor issues in the rule and similar templates. For example, the \w+ doesn't accept the hyphen character, which could be a problem when the key is "module-change"; with the \S+ it should correctly match the whole line. A couple of test scenarios were added for this rule as well.
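The `\w+` versus `\S+` difference described in this pull request, as an added example that is not code from the PR or the project. The line pattern and the sample `audit.rules` lines are constructed and simplified, since the rule's real regex is not shown on this page.

```python
import re

# Constructed, simplified line pattern; the project's real OVAL regex is not
# shown on this page. Only the key token differs between the two variants.
PREFIX = (r"^-a\s+always,exit\s+-F\s+path=/usr/bin/kmod\s+-F\s+perm=x"
          r"\s+-F\s+auid>=1000\s+-F\s+auid!=(?:unset|4294967295)\s+")
KEY = r"(?:-k\s+|-F\s+key=)"
WORD_KEY = re.compile(PREFIX + KEY + r"\w+\s*$")      # before: \w+
NONSPACE_KEY = re.compile(PREFIX + KEY + r"\S+\s*$")  # after: \S+

# Constructed sample audit.rules lines.
SAMPLE_RULES = [
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules",
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k module-change",
    "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=module-change",
    "-a always,exit -F path=/usr/bin/kmod -F perm=w -F auid>=1000 -F auid!=unset -k module-change",
]


def compare(lines):
    """Return (line, matched_by_word_key, matched_by_nonspace_key) per line."""
    return [(line, bool(WORD_KEY.match(line)), bool(NONSPACE_KEY.match(line)))
            for line in lines]


def partial_key(line):
    """Key text an unanchored \\w+ would capture, showing the truncation."""
    m = re.search(KEY + r"(\w+)", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line, w, s in compare(SAMPLE_RULES):
        print(f"\\w+={w!s:5} \\S+={s!s:5} {line}")
    # Without the end anchor, \w+ stops at the hyphen instead of failing.
    print("unanchored \\w+ captures:", partial_key(SAMPLE_RULES[1]))
```

A compliant rule whose key contains a hyphen is reported as missing by the `\w+` variant, while the `perm=w` line is still rejected by both.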
@ggbecker The changes look good to me. But, I have noticed some weird error during the Ansible remediation on RHEL7. This causes the AutoMatus tests to fail when the
the logs in audit_rules_privileged_commands_kmod-wrong_value.fail.sh-remediation.verbose.log contain this:
Agree with @jan-cerny. I am actually looking into the same thing. The problem is the task which restarts Audit. It won't work:
The restart is probably based on this text in fixtext: The audit daemon must be restarted for the changes to take effect.
I've updated the PR with a different approach to reload the audit service, which was being used in a different place as well.
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs:
--- old datastream
+++ new datastream
@@ -142,8 +142,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Reload Auditd
- command: /usr/sbin/service auditd reload
+- name: Restart Auditd
+ command: /usr/sbin/service auditd restart
args:
warn: false
when: |
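Review bot: The `+` lines switch this task from `service auditd reload` to `service auditd restart` for audit_rules_suid_privilege_function, which runs against the discussion above, where the restart task is the one reported as not working and the PR was updated to reload the service instead. Confirm whether this rule's remediation is meant to end up on restart, or whether it should stay on the reload form used elsewhere. The hunk is cut off at `when:`, so the condition guarding the task cannot be checked from the visible lines.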
Code Climate has analyzed commit 35b70d1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 40.4% (0.0% change).
@ggbecker: The following tests failed, say
It has fixed the problems with running test scenarios on RHEL 7 now and it also fixed RHEL 9.
Description:
\w+ doesn't accept the hyphen character which could be a problem when
the key is "module-change" for example, with the \S+ it should correctly
match the whole line. A couple of test scenarios were added for this
rule as well.
Rationale: