Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Install NetworkManager as part of wireless_disable_interfaces remediation #10018

Conversation

mildas
Copy link
Contributor

@mildas mildas commented Jan 3, 2023

Description:

NetworkManager is needed for remediation as it uses nmcli. Install it, don't fail - same approach as firewalld_sshd_port_enabled

Rationale:

CentOS 7 doesn't have NetworkManager installed by default and it aborts ansible-playbook:

TASK [Deactivate Wireless Network Interfaces] **********************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["nmcli", "radio", "wifi", "off"], "delta": "0:00:00.013661", "end": "2023-01-02 09:16:34.337236", "msg": "non-zero return code", "rc": 8, "start": "2023-01-02 09:16:34.323575", "stderr": "Error: NetworkManager is not running.", "stderr_lines": ["Error: NetworkManager is not running."], "stdout": "", "stdout_lines": []}

@github-actions
Copy link

github-actions bot commented Jan 3, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

github-actions bot commented Jan 3, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
bash remediation for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' differs.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -1,8 +1,6 @@
 
-if 
- rpm -q NetworkManager
-then
- nmcli radio all off
-else
- echo "NetworkManager package not installed" >&2 
+if ! rpm -q --quiet "NetworkManager" ; then
+ yum install -y "NetworkManager"
 fi
+
+nmcli radio all off

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' differs.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -19,31 +19,12 @@
 - unknown_strategy
 - wireless_disable_interfaces
 
-- name: Check if NetworkManager is installed
- ansible.builtin.package_facts:
- manager: auto
- tags:
- - CCE-83501-7
- - DISA-STIG-RHEL-08-040110
- - NIST-800-171-3.1.16
- - NIST-800-53-AC-18(3)
- - NIST-800-53-AC-18(a)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-CM-7(a)
- - NIST-800-53-CM-7(b)
- - NIST-800-53-MP-7
- - PCI-DSS-Req-1.3.3
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
- - wireless_disable_interfaces
-
-- name: Error message when NetworkManager not installed
- fail:
- msg: NetworkManager package not installed
- when: '''NetworkManager'' not in ansible_facts.packages'
+- name: Ensure NetworkManager is installed
+ ansible.builtin.package:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - NetworkManager
 tags:
 - CCE-83501-7
 - DISA-STIG-RHEL-08-040110

@codeclimate
Copy link

codeclimate bot commented Jan 3, 2023

Code Climate has analyzed commit 94f0113 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.8% (0.0% change).

View more on Code Climate.

@marcusburghardt marcusburghardt self-assigned this Jan 3, 2023
@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Jan 3, 2023
@marcusburghardt marcusburghardt added Ansible Ansible remediation update. Bash Bash remediation update. labels Jan 3, 2023
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@marcusburghardt marcusburghardt merged commit 5c0e874 into ComplianceAsCode:master Jan 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Ansible Ansible remediation update. Bash Bash remediation update.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants