Recognize 64bit architectures in Ansible remediations #9887

mildas · 2022-11-25T14:11:53Z

Description:

Change identifying 64bit architectures - use exact architecture names and don't do some regex_replaces, because that doesn't work for architectures like s390x.

Rationale:

Fixes #9856

Review Hints:

You can do x86_64 testing on Automatus, but for the rest architectures I recommend having the machine with non-x86_64 arch (ideally s390x or ppc64le) and testing it right on it.

github-actions · 2022-11-25T14:12:42Z

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

github-actions · 2022-11-25T14:17:13Z

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Click here to see the trimmed diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80927-7
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86 platform
+- name: Perform remediation of Audit rules for open for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80927-7
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86_64 platform
+- name: Perform remediation of Audit rules for open for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80927-7

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open_by_handle_at tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80929-3
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80929-3
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86_64 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80929-3

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit openat tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80928-5
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86 platform
+- name: Perform remediation of Audit rules for openat for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80928-5
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86_64 platform
+- name: Perform remediation of Audit rules for openat for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80928-5

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80959-0
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86 platform
+- name: Perform remediation of Audit rules for open for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80959-0
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86_64 platform
+- name: Perform remediation of Audit rules for open for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80959-0

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open_by_handle_at tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80960-8
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80960-8
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86_64 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80960-8

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit openat tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80961-6
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86 platform
+- name: Perform remediation of Audit rules for openat for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80961-6
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86_64 platform
+- name: Perform remediation of Audit rules for openat for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80961-6

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80930-1
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86 platform
+- name: Perform remediation of Audit rules for open for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80930-1
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86_64 platform
+- name: Perform remediation of Audit rules for open for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80930-1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open_by_handle_at tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80932-7
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80932-7
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86_64 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80932-7

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit openat tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80931-9
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86 platform
+- name: Perform remediation of Audit rules for openat for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80931-9
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86_64 platform
+- name: Perform remediation of Audit rules for openat for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80931-9

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80956-6
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86 platform
+- name: Perform remediation of Audit rules for open for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80956-6
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open for x86_64 platform
+- name: Perform remediation of Audit rules for open for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80956-6

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit open_by_handle_at tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80957-4
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80957-4
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for open_by_handle_at for x86_64 platform
+- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80957-4

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -17,10 +17,12 @@
 
 - name: Set architecture for audit openat tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80958-2
 - NIST-800-53-AC-2(4)
@@ -35,7 +37,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86 platform
+- name: Perform remediation of Audit rules for openat for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -156,8 +158,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80958-2
 - NIST-800-53-AC-2(4)
@@ -172,7 +174,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for openat for x86_64 platform
+- name: Perform remediation of Audit rules for openat for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -293,8 +295,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80958-2

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Traverse all of:
 #

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -23,8 +23,8 @@
 patterns: '*.rules'
 register: find_rules_d
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80708-1
 - CJIS-5.4.1.1
@@ -49,8 +49,8 @@
 loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']
 }}'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80708-1
 - CJIS-5.4.1.1
@@ -77,8 +77,8 @@
 - /etc/audit/audit.rules
 - /etc/audit/rules.d/immutable.rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80708-1
 - CJIS-5.4.1.1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 # Create a list of audit *.rules files that should be inspected for presence and correctness

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -23,8 +23,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80721-4
 - CJIS-5.4.1.1
@@ -47,8 +47,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -71,8 +71,8 @@
 all_files:
 - /etc/audit/rules.d/MAC-policy.rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -95,8 +95,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -121,8 +121,8 @@
 create: true
 mode: '0640'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -147,8 +147,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80721-4
 - CJIS-5.4.1.1
@@ -172,8 +172,8 @@
 create: true
 mode: '0640'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -20,10 +20,12 @@
 
 - name: Set architecture for audit mount tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+ audit_arch: b64
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
 tags:
 - CCE-80722-2
 - CJIS-5.4.1.1
@@ -41,7 +43,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for mount for x86 platform
+- name: Perform remediation of Audit rules for mount for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -162,8 +164,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-80722-2
 - CJIS-5.4.1.1
@@ -181,7 +183,7 @@
 - reboot_required
 - restrict_strategy
 
-- name: Perform remediation of Audit rules for mount for x86_64 platform
+- name: Perform remediation of Audit rules for mount for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -302,8 +304,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-80722-2

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -19,27 +19,29 @@
 
 - name: Set architecture for audit tasks
 set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- tags:
- - CCE-80723-0
- - CJIS-5.4.1.1
- - NIST-800-171-3.1.7
- - NIST-800-53-AC-6(9)
- - NIST-800-53-AU-12(c)
- - NIST-800-53-AU-2(d)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-10.5.5
- - audit_rules_networkconfig_modification
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Remediate audit rules for network configuration for x86
+ audit_arch: b64
+ when:
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CCE-80723-0
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_networkconfig_modification
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Remediate audit rules for network configuration for 32bit platform
 block:
 
 - name: Declare list of syscalls
@@ -162,25 +164,25 @@
 state: present
 when: syscalls_found | length == 0
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- tags:
- - CCE-80723-0
- - CJIS-5.4.1.1
- - NIST-800-171-3.1.7
- - NIST-800-53-AC-6(9)
- - NIST-800-53-AU-12(c)
- - NIST-800-53-AU-2(d)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-10.5.5
- - audit_rules_networkconfig_modification
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Remediate audit rules for network configuration for x86_64
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80723-0
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_networkconfig_modification
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Remediate audit rules for network configuration for 64bit platform
 block:
 
 - name: Declare list of syscalls
@@ -303,8 +305,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - audit_arch == "b64"
 tags:
 - CCE-80723-0
@@ -329,8 +331,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -354,8 +356,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -380,8 +382,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -405,8 +407,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -432,8 +434,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -459,8 +461,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -485,8 +487,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -512,8 +514,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -537,8 +539,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -563,8 +565,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -588,8 +590,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -615,8 +617,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -642,8 +644,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -668,8 +670,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -695,8 +697,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -720,8 +722,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -746,8 +748,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -771,8 +773,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -798,8 +800,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -825,8 +827,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -851,8 +853,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -878,8 +880,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -903,8 +905,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -929,8 +931,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -954,8 +956,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -981,8 +983,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -1008,8 +1010,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80723-0
 - CJIS-5.4.1.1
@@ -1034,8 +1036,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 # Create a list of audit *.rules files that should be inspected for presence and correctness

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -23,8 +23,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80742-0
 - CJIS-5.4.1.1
@@ -47,8 +47,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -71,8 +71,8 @@
 all_files:
 - /etc/audit/rules.d/session.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -95,8 +95,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -121,8 +121,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -147,8 +147,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80742-0
 - CJIS-5.4.1.1
@@ -172,8 +172,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -198,8 +198,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80742-0
 - CJIS-5.4.1.1
@@ -222,8 +222,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -246,8 +246,8 @@
 all_files:
 - /etc/audit/rules.d/session.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_wa

... The diff is trimmed here ...

openshift-ci · 2022-11-25T16:55:27Z

@mildas: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-rhcos4-high	`01fee3c`	link	true	`/test e2e-aws-rhcos4-high`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

codeclimate · 2022-11-25T17:09:53Z

Code Climate has analyzed commit 01fee3c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 48.6% (0.0% change).

View more on Code Climate.

marcusburghardt · 2022-11-28T08:30:13Z

The Automatus CS8, CS9 and Fedora CI tests are failing because the audit_rules_kernel_module_loading_create rule is restricted to prodtype: rhel7.

marcusburghardt

LGTM. Thanks @mildas .

marcusburghardt · 2022-11-28T09:32:16Z

@mildas , could you also send this patch for the stabilization branch, please?

mildas added 2 commits November 25, 2022 12:12

Recognize all 64bit architectures in audit_rules templates

925c672

Recognize all 64bit architectures in audit rules

15abac6

mildas requested a review from marcusburghardt November 25, 2022 14:12

Recognize all 64bit architectures in sysctl_kernel_exec_shield rule

01fee3c

mildas force-pushed the audit_template_archs branch from 4b3658e to 01fee3c Compare November 25, 2022 16:20

marcusburghardt approved these changes Nov 28, 2022

View reviewed changes

marcusburghardt merged commit 4eb7e4a into ComplianceAsCode:master Nov 28, 2022

marcusburghardt added the Ansible Ansible remediation update. label Nov 28, 2022

marcusburghardt added this to the 0.1.65 milestone Nov 28, 2022

mildas mentioned this pull request Nov 28, 2022

Stabilization: Recognize 64bit architectures in Ansible remediations #9899

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Recognize 64bit architectures in Ansible remediations #9887

Recognize 64bit architectures in Ansible remediations #9887

mildas commented Nov 25, 2022 •

edited

github-actions bot commented Nov 25, 2022

github-actions bot commented Nov 25, 2022 •

edited

openshift-ci bot commented Nov 25, 2022

codeclimate bot commented Nov 25, 2022

marcusburghardt commented Nov 28, 2022

marcusburghardt left a comment

marcusburghardt commented Nov 28, 2022

Recognize 64bit architectures in Ansible remediations #9887

Recognize 64bit architectures in Ansible remediations #9887

Conversation

mildas commented Nov 25, 2022 • edited

Description:

Rationale:

Review Hints:

github-actions bot commented Nov 25, 2022

github-actions bot commented Nov 25, 2022 • edited

openshift-ci bot commented Nov 25, 2022

codeclimate bot commented Nov 25, 2022

marcusburghardt commented Nov 28, 2022

marcusburghardt left a comment

Choose a reason for hiding this comment

marcusburghardt commented Nov 28, 2022

mildas commented Nov 25, 2022 •

edited

github-actions bot commented Nov 25, 2022 •

edited