Use bash_package_* #10557
… to install required packages
If remediation uses crontabs, require relevant package too.
Is about crontabs / cron too. So add those.
Hi @maage. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
When testing without relevant packages installed you get wrong results.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking' differs.
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -3,6 +3,9 @@
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
+fi
+if ! rpm -q --quiet "crontabs" ; then
+ yum install -y "crontabs"
fi
if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
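Review bot: the new `crontabs` block at the top of this hunk is unconditional and RPM/yum-specific (`rpm -q --quiet "crontabs"` / `yum install -y "crontabs"`), so the package name has to exist on every product this rule is built for, and the later comments in this thread report that it does not (no `crontabs` package on Ubuntu, SLE unverified). Gate the cron dependency on the product, or resolve the package name per product inside `bash_package_install` rather than in the rule, so that only platforms that actually ship `crontabs` receive this block.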
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking' differs.
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -1,9 +1,9 @@
- name: Ensure AIDE is installed
package:
- name: '{{ item }}'
+ name:
+ - aide
+ - crontabs
state: present
- with_items:
- - aide
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80676-0
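Review bot: moving `crontabs` into the same `package:` task as `aide` couples the two: `package` installs the whole list in one call and the only `when:` is the container exclusion, so on a product without a package named `crontabs` the task errors and `aide` is not installed either (the Ubuntu report further down in this thread is exactly that failure). Keep the cron dependency in a separate task with its own product condition, or limit the list to `aide` on products where cron comes from a differently named package.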
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -3,6 +3,9 @@
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
+fi
+if ! rpm -q --quiet "crontabs" ; then
+ yum install -y "crontabs"
fi
var_aide_scan_notification_email=''
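Review bot: neither `yum install -y` branch checks its exit status, so unless the generated script runs under `set -e` (not visible in this hunk) a failed install of `aide` or `crontabs` (missing repo, no network) lets the remediation continue to set `var_aide_scan_notification_email` and write the crontab entry, leaving the rule looking remediated while the scan never runs. Consider failing fast after the install block and, as with the periodic-cron rule, making the `crontabs` block product-conditional.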
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -6,10 +6,10 @@
- name: Ensure AIDE is installed
package:
- name: '{{ item }}'
+ name:
+ - aide
+ - crontabs
state: present
- with_items:
- - aide
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82891-3 |
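Review bot: the task name `Ensure AIDE is installed` is now stale, since the list also installs `crontabs`; rename it (for example `Ensure AIDE and crontabs are installed`) so that play output and the CCE-82891-3 tagged remediation describe what actually runs. The same unconditional-list concern raised on the periodic-cron task applies here.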
Change state_aide_check_attributes to ensure no prefix/suffix for pattern. Fix correct_with_selinux.pass.sh Also use packages to ensure aide package is installed in tests.
When testing without relevant packages installed you get wrong results.
Code Climate has analyzed commit 7f58b56 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change). View more on Code Climate.
Again, these are misleading and are not caused by this PR.
There are some errors with the
@maage, could you take a look at this, please?
There are also some other cases where newlines are added to values, see #10534. So generally this issue should be handled somehow or failed fast, and not like Slightly off topic rant follows, But somewhat better fix would be to improve But key should not be too much regexp so that it can be remediated. Now that I'm thinking about how to bypass the rule and there are definitely possibilities. https://aide.github.io/doc/#config "Understanding AIDE rule matching".
Something like:
182 is the size of the database of the whole system in bytes. So the only way I can see to make this remediation definitely work is to generate a config in a simple manner, ask But if configuration is right from the OVAL check part, then no remediation is triggered. Rule tests should have another way to check the status of the system. Currently most remediations do not check that after configuration the system actually does what it was configured to do. This is like adding a lock to a door and then checking the lock, but not checking if the door opens when the lock is locked. Many rules focus only on right-looking configuration, but forget to check that the system works to achieve what the rule / control behind it tries to achieve. If this kind of solution is not possible, then there should be backends for any complex configuration language system. If configuration needs EBNF syntax (sudo) or an external manual where there is need for pseudocode (aide), it is generally way beyond any way to definitely handle with one-liner regexps. I guess the only way to definitely handle this is to just limit what kind of configurations are accepted. But usually that just weeds out so-called real-world cases. For example for aide, accept only suffix regexps and only limited variants. Define only one defined order.
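The prefix/suffix and attribute-order problem described in the comment above, as an added example that is neither ComplianceAsCode nor AIDE code: a substring grep for `<path> <rule>` misjudges commented lines, reordered attributes and rule groups, whereas parsing the selection line and comparing attribute sets does not. The required attribute set and the sample config are constructed for this example; `-` removal tokens are not handled.

```python
"""Order-insensitive, anchored check of AIDE selection lines for audit tools."""
import re

# Assumed requirement for this example: the attribute set the rule wants on each tool.
REQUIRED_ATTRS = {"p", "i", "n", "u", "g", "s", "b", "acl", "xattrs", "sha512"}
REQUIRED_RULE = "p+i+n+u+g+s+b+acl+xattrs+sha512"

# Constructed sample /etc/aide.conf: a commented line, reordered attributes,
# a rule group reference, and a line missing one attribute.
CONF = """\
# constructed sample /etc/aide.conf
database_in=file:/var/lib/aide/aide.db.gz
AUDIT = p+i+n+u+g+s+b+acl+xattrs+sha512
#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd sha512+xattrs+acl+b+s+g+u+n+i+p
/usr/sbin/ausearch AUDIT
/usr/sbin/aureport p+i+n+u+g+s+acl+xattrs+sha512
"""

def expand(rule, groups):
    """Expand '+'-joined tokens, substituting known group names."""
    attrs = set()
    for tok in rule.split("+"):
        attrs |= groups.get(tok, {tok})
    return attrs

def parse_aide_conf(conf_text):
    """Return {path: attribute set} for active selection lines, groups expanded."""
    groups, entries = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@@")):   # comments, blanks, macros
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)     # 'NAME = rule' group
        if m:                                           # (options like database_in
            groups[m.group(1)] = expand(m.group(2), groups)  # become unused groups)
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0][0] in "/=":     # plain or '=' selection line
            entries[parts[0].lstrip("=")] = expand(parts[1], groups)
    return entries

def naive_grep_check(conf_text, path, rule=REQUIRED_RULE):
    """The substring test a one-line grep performs: no anchoring, no parsing."""
    return f"{path} {rule}" in conf_text

def audit_tool_ok(conf_text, path, required=REQUIRED_ATTRS):
    """True only if an active line for exactly `path` covers every required attribute."""
    attrs = parse_aide_conf(conf_text).get(path)
    return attrs is not None and required <= attrs
```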
Thanks for the #10578, it fixes the mentioned issue.
I agree. I see you are already working on something related to this in #10574. Thanks for that.
Indeed, the rules are intended to check the configuration but not its functionality. It would be tricky and likely not feasible for many rules. So, in general, benchmarks and vendors do these tests to determine the proper configuration to be checked in order to achieve a Benchmark requirement. Usually when something changes in the system, the flow is to interact with the Benchmarks and propose the changes.
Thanks for this analysis regarding AIDE. It would be great if you file an issue with this information so we can collaborate investigating better solutions.
Thanks for these improvements.
Hey @maage, I've noticed that when you install the crontabs package you do not check the product, so at the moment it's not working for SLE; I'm not sure about RedHat, so maybe this merge should be reverted. @marcusburghardt please advise.
@svet-se Could it be possible to implement I think issue here is that
Thanks @maage I believe it's possible to fix that, but maybe it will be much better when making changes and targeting the specific platform to use some checks like this:
IMHO it's better to be more explicit than implicit. Best regards and have a nice day
@maage you also broke it for Ubuntu in both bash (not really broke it, but throwing an error message) and ansible (see #10725); there's no crontabs package in Ubuntu. This PR should have triggered reviews from other distros, this was definitely a mistake.
Thanks for the PR proposing to revert the commit @dodys. We can review the related rules separately.
Description:
- Fix `aide_check_audit_tools` bug where it did not handle suffixes of prefixes and had bad test, found when testing this.
- Use `bash_package_install` or `bash_package_remove` or `# packages =` to manage packages, not plain shell commands.
- Add some missing packages seen when test system was bare bones.
Rationale:
Simplifies code. Makes it more product independent.
Review Hints:
Has potentially functionality changes. Unfortunately somewhat all over. Mainly should check aide.