Add automatic detection of platform_package_overrides when using automatus #9897
Conversation
Hi @litios. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check (trimmed diff follows).
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
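Review bot: The only change in this hunk is the order of the three conjuncts on the `if` line, so the set of hosts the remediation applies to is unchanged, but the evaluation order is not: `rpm --quiet -q audit` now runs before the `/.dockerenv` and `/run/.containerenv` tests instead of being short-circuited when one of those files exists. That is harmless here, but if the new ordering is an unintended side effect of how platform_package_overrides are now gathered rather than a deliberate choice, emitting the platform conditions in a stable sorted order would avoid this kind of churn across every audit rule's bash remediation in the datastream.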
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
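Review bot: Same reorder-only change for the `when:` list, with `'"audit" in ansible_facts.packages'` now ahead of the `ansible_virtualization_type` check. Ansible treats the list as a conjunction, so the task is still skipped on the same hosts, and the `ansible_facts.packages` test still relies on a `package_facts` task having run earlier in the play, which this hunk does not touch. It would help to confirm in the PR description that the reordering is intended, since the identical diff repeats in every following hunk and the review would be far shorter if the generator ordered the conditions deterministically.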
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Traverse all of:
#
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -22,8 +22,8 @@
patterns: '*.rules'
register: find_rules_d
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']
}}'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
@@ -74,8 +74,8 @@
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -23,8 +23,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27168-4
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
patterns: '*.rules'
register: find_watch_key
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -71,8 +71,8 @@
all_files:
- /etc/audit/rules.d/MAC-policy.rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -95,8 +95,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -121,8 +121,8 @@
create: true
mode: '0640'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -147,8 +147,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27168-4
- CJIS-5.4.1.1
@@ -172,8 +172,8 @@
create: true
mode: '0640'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -22,8 +22,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27447-2
- CJIS-5.4.1.1
@@ -162,8 +162,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27447-2
- CJIS-5.4.1.1
@@ -302,8 +302,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-27447-2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -21,8 +21,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
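Review bot: This hunk is rendered as a full swap (a removed pair followed by an added pair) rather than the single-line move shown for the earlier rules, but the resulting `when:` list is identical to theirs: package check first, then the virtualization-type exclusion. No behavioural difference and nothing to change here; the differing diff shape only reflects how the two condition lines were matched by the diff tool.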
@@ -162,8 +162,8 @@
state: present
when: syscalls_found | length == 0
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -303,8 +303,8 @@
state: present
when: syscalls_found | length == 0
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-27076-9
@@ -329,8 +329,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -354,8 +354,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -380,8 +380,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -405,8 +405,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -432,8 +432,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -459,8 +459,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -485,8 +485,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -512,8 +512,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -537,8 +537,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -563,8 +563,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -588,8 +588,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -615,8 +615,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -642,8 +642,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -668,8 +668,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -695,8 +695,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -720,8 +720,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -746,8 +746,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -771,8 +771,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -798,8 +798,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -825,8 +825,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -851,8 +851,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -878,8 +878,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -903,8 +903,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -929,8 +929,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -954,8 +954,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -981,8 +981,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -1008,8 +1008,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -1034,8 +1034,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
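Review bot: `-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then` versus `+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` is equivalent for `&&`, but the new order runs the rpm query on every host, including containers where the old order short-circuited on the file tests first. The cost is negligible; the more useful point is that the bash and ansible remediations of every audit rule are regenerated purely because platform conditions changed order, so a deterministic ordering of platform conditions (for example sorting them before rendering) would keep unrelated datastream diffs out of later PRs.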
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -23,8 +23,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -71,8 +71,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -95,8 +95,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -121,8 +121,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -147,8 +147,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -172,8 +172,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -198,8 +198,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -222,8 +222,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -246,8 +246,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -270,8 +270,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -296,8 +296,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -322,8 +322,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -347,8 +347,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -373,8 +373,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -397,8 +397,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -421,8 +421,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -445,8 +445,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -471,8 +471,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -497,8 +497,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -522,8 +522,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -20,8 +20,8 @@
- name: Service facts
service_facts: null
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
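Review bot: in this rule the new `'"audit" in ansible_facts.packages'` line is inserted above the `ansible_virtualization_type` check and the old copy is removed below it, whereas in every other rule in this diff the two lines simply swap places. The rendered result is the same, but the different diff shape suggests the order of the conditions follows how each rule's platform expression happens to be written rather than a fixed sort, so the generated output will keep shifting as platforms are edited; please confirm the ordering is intentional or make it deterministic.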
@@ -42,8 +42,8 @@
command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
register: check_rules_scripts_result
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
@@ -68,8 +68,8 @@
- -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
- -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
@@ -92,8 +92,8 @@
line: '{{ item }}'
create: true
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"augenrules" in check_rules_scripts_result.stdout'
register: augenrules_audit_rules_privilege_function_update_result
@@ -120,8 +120,8 @@
line: '{{ item }}'
create: true
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"auditctl" in check_rules_scripts_result.stdout'
register: auditctl_audit_rules_privilege_function_update_result
@@ -145,8 +145,8 @@
- name: Restart Auditd
command: /usr/sbin/service auditd restart
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
- ansible_facts.services["auditd.service"].state == "running"
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -27,8 +27,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27461-3
- CJIS-5.4.1.1
@@ -55,8 +55,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -83,8 +83,8 @@
all_files:
- /etc/audit/rules.d/actions.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -111,8 +111,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -141,8 +141,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -171,8 +171,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27461-3
- CJIS-5.4.1.1
@@ -200,8 +200,8 @@
create: true
mode: '0640'
w
... The diff is trimmed here ...
I like this solution more than the macros solution I proposed in #9869 (comment). The only thing here is that there would be an implicit behavior for the packages defined in the metadata, meaning that what you see is not what gets used by the system, for example if you specify a package it can be replaced by some other package during the runtime if the platform package overrides contain a matching package. This solution is definitely more clean but we have to keep this in mind. Maybe some form of the documentation can also be included to at least record this information. https://github.com/ComplianceAsCode/content/blame/master/tests/README.md#L168
Hey David, thanks for handling this! Just a small request to improve maintenance: could you please break the first commit into two, one commit just for the test_suite code changes, and a second commit with just the test fixes? Thanks in advance
I also agree with the need for documentation. Also, please fix the issues reported by Code Climate.
6ee8dd0 to f57fbbf
Thanks everyone for the input! I broke the first commit as suggested by @dodys, provided documentation and fixed the codeclimate issues.
Code Climate has analyzed commit 8787b02 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 48.6% (0.0% change). View more on Code Climate.
LGTM, thanks David!
@ggbecker can you just check the tests for fedora, cs8 and cs9, they are failing but not sure if that's really an issue.
I can confirm that the failures in the Automatus checks are expected and can be waived.
Thank you very much for the contribution and addressing the feedback.
I'd say this is a highlight because of the impact on code reduction it can have.
Description:
Add automatic detection of platform_package_overrides in the product section when using automatus for rule testing.

Rationale:
Before performing the install step when testing a rule, ensure that the package is not listed under platform_package_overrides. In case it is, replace the package to install with the one specified in platform_package_overrides.

Fixes platform_package_overrides not working with automatus #9869

Review Hints: