Add support for security policies

package/autoyast2.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov  3 16:45:52 UTC 2022 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
+
+- Add support for security policies validation (jsc#SLE-24764).
+- 4.4.42
+
 -------------------------------------------------------------------
 Mon Oct 24 09:25:09 UTC 2022 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
 

package/autoyast2.spec

@@ -22,7 +22,7 @@
 %endif
 
 Name:           autoyast2
-Version:        4.4.41
+Version:        4.4.42
 Release:        0
 Summary:        YaST2 - Automated Installation
 License:        GPL-2.0-only
@@ -53,8 +53,10 @@ BuildRequires:  yast2-update >= 3.3.0
 BuildRequires:  yast2-network >= 3.1.145
 BuildRequires:  yast2-slp
 BuildRequires:  yast2-country
+# Support for SecurityPolicies
+BuildRequires:  yast2-security >= 4.4.14
 # Required for test suite testing one time sync
-BuildRequires:       yast2-ntp-client >= 4.0.1
+BuildRequires:  yast2-ntp-client >= 4.0.1
 # UEFI detection in Y2Storage::Arch
 BuildRequires:  yast2-storage-ng >= 4.4.22
 # %%{_unitdir} macro definition is in a separate package since 13.1
@@ -71,8 +73,8 @@ Requires:       libxslt
 Requires:       yast2 >= 4.4.38
 Requires:       yast2-core
 Requires:       yast2-country >= 3.1.13
-# Moving security module to first installation stage
-Requires:       yast2-security >= 4.1.1
+# Support for SecurityPolicies
+Requires:       yast2-security >= 4.4.14
 # Install selected network backend packages 
 Requires:       yast2-network >= 4.4.53
 Requires:       yast2-schema >= 4.0.6

src/lib/autoinstall/autosetup_helpers.rb

@@ -18,6 +18,8 @@
 # find current contact information at www.suse.com.
 
 require "y2storage"
+require "y2security/security_policies/manager"
+require "y2security/security_policies/target_config"
 require "autoinstall/activate_callbacks"
 require "autoinstall/xml_checks"
 
@@ -27,6 +29,8 @@
 Yast.import "Timezone"
 Yast.import "Keyboard"
 Yast.import "Language"
+Yast.import "HTML"
+Yast.import "Report"
 
 module Y2Autoinstallation
   # This module defines some methods that are used in {Y2Autoinstallation::Clients::InstAutosetup}
@@ -229,6 +233,30 @@ def autosetup_firewall
       Yast::Profile.remove_sections("firewall") if !need_second_stage_run?
     end
 
+    # Check the security policy
+    #
+    # If any of the rules of the enabled policy fails, it displays a warning.
+    def autosetup_security_policy
+      target_config = Y2Security::SecurityPolicies::TargetConfig.new
+      manager = Y2Security::SecurityPolicies::Manager.instance
+      rules = manager.failing_rules(target_config)
+      return if !manager.enabled_policy || rules.empty?
+
+      items = rules.map do |rule|
+        ids = (rule.identifiers + rule.references).join(", ")
+        "#{rule.description} (#{ids})"
+      end
+
+      # TRANSLATORS: policy_name is the name of a SCAP policy
+      message = format(
+        _("The system does not comply with the %{policy_name} policy:"),
+        policy_name: manager.enabled_policy.name
+      )
+      Yast::Report.LongWarning(
+        Yast::HTML.Para(message) + Yast::HTML.List(items)
+      )
+    end
+
   private
 
     # Checks whether we need to run second stage handling

src/lib/autoinstall/clients/inst_autosetup.rb

@@ -79,7 +79,8 @@ def main
           _("Import SSH keys/settings"),
           _("Set up user defined configuration files"),
           _("Confirm License"),
-          _("Configure firewall")
+          _("Configure firewall"),
+          _("Check security policy")
         ]
 
         @progress_descriptions = [
@@ -97,7 +98,8 @@ def main
           _("Importing SSH keys/settings..."),
           _("Setting up user defined configuration files..."),
           _("Confirming License..."),
-          _("Configuring the firewall")
+          _("Configuring the firewall"),
+          _("Checking the security policy")
         ]
 
         Progress.New(
@@ -386,6 +388,11 @@ def main
         #
         autosetup_firewall
 
+        Progress.NextStage
+
+        # Validate the security policy
+        autosetup_security_policy unless AutoinstConfig.Confirm
+
         # Results of imported values semantic check.
         return :abort unless AutoInstall.valid_imported_values
 

test/lib/autosetup_helpers_test.rb

@@ -20,6 +20,7 @@
 
 require_relative "../test_helper"
 require "autoinstall/autosetup_helpers"
+require "y2security/security_policies/rule"
 
 Yast.import "AutoinstConfig"
 Yast.import "Profile"
@@ -506,4 +507,45 @@ class DummyClient < Yast::Client
       end
     end
   end
+
+  describe "#autosetup_security_policy" do
+    let(:target_config) do
+      instance_double(Y2Security::SecurityPolicies::TargetConfig)
+    end
+    let(:policy) do
+      instance_double(Y2Security::SecurityPolicies::Policy, name: "DISA STIG")
+    end
+    let(:failing_rules) { [] }
+
+    before do
+      allow(Y2Security::SecurityPolicies::Manager.instance)
+        .to receive(:enabled_policy).and_return(policy)
+      allow(Y2Security::SecurityPolicies::Manager.instance)
+        .to receive(:failing_rules).and_return(failing_rules)
+      allow(Y2Security::SecurityPolicies::TargetConfig)
+        .to receive(:new).and_return(target_config)
+    end
+
+    context "when there are no issues" do
+      it "does not report any issue" do
+        expect(Yast::Report).to_not receive(:LongWarning)
+          .with(/Dummy rule/)
+        client.autosetup_security_policy
+      end
+    end
+
+    context "when there are issues" do
+      let(:rule) do
+        instance_double(Y2Security::SecurityPolicies::Rule, id: "testing",
+          description: "Dummy rule", identifiers: ["CCE-12345"], references: ["SLES-15-12345"])
+      end
+      let(:failing_rules) { [rule] }
+
+      it "reports railing rules" do
+        expect(Yast::Report).to receive(:LongWarning)
+          .with(/DISA STIG.*Dummy rule \(CCE-12345, SLES-15-12345\)/)
+        client.autosetup_security_policy
+      end
+    end
+  end
 end

test/lib/clients/inst_autosetup_test.rb

@@ -305,5 +305,27 @@
         expect(Yast::Profile.current).to_not have_key("add-on")
       end
     end
+
+    context "when the confirmation mode is not enabled" do
+      before do
+        allow(Yast::AutoinstConfig).to receive(:Confirm).and_return(false)
+      end
+
+      it "validates the security policy" do
+        expect(subject).to receive(:autosetup_security_policy)
+        subject.main
+      end
+    end
+
+    context "when the confirmation mode is enabled" do
+      before do
+        allow(Yast::AutoinstConfig).to receive(:Confirm).and_return(true)
+      end
+
+      it "does not validate the security policy" do
+        expect(subject).to_not receive(:autosetup_security_policy)
+        subject.main
+      end
+    end
   end
 end