Add new rule for rootfiles package #13134
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mab879
added
RHEL
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
jan-cerny
requested changes
Mar 4, 2025
Comment on lines
25
to
26
| }}}$ | ||
| </ind:pattern> |
There was a problem hiding this comment.
All automatus tests fail. It's caused by the newline and spaces between the $ and </ind:pattern>.
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Ensure that tmpfiles for rootfiles is configured correctly.") }}}] | ||
| <criteria operator="AND" comment="Ensure that"> |
There was a problem hiding this comment.
the comment is incomplete
| C /root/.bash_profile 644 root root - /usr/share/rootfiles/.bash_profile | ||
| C /root/.bashrc 644 root root - /usr/share/rootfiles/.bashrc | ||
| C /root/.cshrc 644 root root - /usr/share/rootfiles/.cshrc | ||
| C /root/.tcshrc 644 root root - /usr/share/rootfiles/.tcshrc |
There was a problem hiding this comment.
If the Bash remediation is applied, the result is the following:
[root@localhost ~]# cat /etc/tmpfiles.d/rootconf.conf
C /root/.bash_logout 644 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 644 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc 644 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc 644 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc 644 root root - /usr/share/rootfiles/.tcshrc
C /root/.bash_logout 600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc 600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc 600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc 600 root root - /usr/share/rootfiles/.tcshrc
This isn't expected - the items should be replaced instead of added.
(Ansible remediation seems to work correctly).
Comment on lines
6
to
8
| To set the mode of the root user initialization file <tt>/root/.bash_profile</tt>, | ||
| ensure the following line is is included in a file ending in <tt>.conf</tt> under | ||
| <tt>/etc/tmpfiles.d/</tt>. |
There was a problem hiding this comment.
This part of the description is about a single file and about a single line but then it adds multiple files and multiple lines. Please reword.
| @@ -0,0 +1,33 @@ | |||
| documentation_complete: true | |||
|
|
|||
| title: "Ensure rootfiles tmpfile.d is configured correctly" | |||
* Ensure that only one configuration exists * Adjust PR based on feedback
jan-cerny
requested changes
Mar 6, 2025
| references: | ||
| disa: CCI-000366 | ||
| srg: SRG-OS-000480-GPOS-00227 | ||
|
|
There was a problem hiding this comment.
Missing OCIL, OCIL clause and fixtext. This makes the thin data stream for this rule invalid. (It's unfortunate that we don't test this).
| # strategy = configure | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
There was a problem hiding this comment.
The test scenarios fail for me if Bash remediation is used:
jcerny@fedora:~/work/git/scap-security-guide (pr/13134)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 rootfiles_configured
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-06-0845/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rootfiles_configured
INFO - Script configured_wrong.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in error, instead of expected fixed during remediation stage
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_rootfiles_configured'.
INFO - Script conflicting.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in error, instead of expected fixed during remediation stage
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_rootfiles_configured'.
INFO - Script file_not_there.fail.sh using profile (all) OK
INFO - Script missing_some.fail.sh using profile (all) OK
INFO - Script valid.pass.sh using profile (all) OK
I can see this suspicious message in the results:
sed: no input files
sed: no input files
sed: no input files
sed: no input files
sed: no input files
|
Code Climate has analyzed commit 2dcb09a and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 62.1% (0.0% change). View more on Code Climate. |
|
/packit build |
jan-cerny
approved these changes
Mar 10, 2025
There was a problem hiding this comment.
I have run automatus tests on RHEL 9.
jcerny@fedora:~/work/git/scap-security-guide (pr/13134)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 rootfiles_configured
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-10-1306/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rootfiles_configured
INFO - Script configured_wrong.fail.sh using profile (all) OK
INFO - Script conflicting.fail.sh using profile (all) OK
INFO - Script file_not_there.fail.sh using profile (all) OK
INFO - Script missing_some.fail.sh using profile (all) OK
INFO - Script valid.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13134)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible rootfiles_configured
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-10-1309/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rootfiles_configured
INFO - Script configured_wrong.fail.sh using profile (all) OK
INFO - Script conflicting.fail.sh using profile (all) OK
INFO - Script file_not_there.fail.sh using profile (all) OK
INFO - Script missing_some.fail.sh using profile (all) OK
INFO - Script valid.pass.sh using profile (all) OK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Add rules to ensure that root's init files created by the rootfiles package are correctly configured.
Rationale:
Fixes #13100