Add new rule socket_systemd-journal-remote_disabled

[dodys]

Description:

• Rule to disable systemd-journal-remote.socket

Rationale:

• This rule is needed on CIS for both Ubuntu and RHEL

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel7 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[vojtapolasek]

Hello, thank you for the new rule. See my comments. But here is the main question:
Are you aiming at disabling ONLY the socket as stated in CIS benchmark?
If yes, the you should know that themplate you are using disables the service unit as well as the socket unit.

[dodys]

/retest

[dodys]

/retest

[vojtapolasek]

@dodys are you planing to add test scenarios as well? How about Ansible remediation?

[dodys]

@dodys are you planing to add test scenarios as well? How about Ansible remediation?

Just pushed tests for it.
Regarding ansible I won't be pushing anything for it, as we don't support it and have no way to test it properly

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_auth' differs.
--- xccdf_org.ssgproject.content_rule_smartcard_auth
+++ xccdf_org.ssgproject.content_rule_smartcard_auth
@@ -15,7 +15,9 @@
 # The service may not be running because it has been started and failed,
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
-/usr/bin/systemctl reset-failed "pcscd.socket"
+if /usr/bin/systemctl --failed | grep -q "pcscd.socket"; then
+ /usr/bin/systemctl reset-failed "pcscd.socket"
+fi
 
 # Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
 #

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
+++ xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
@@ -8,7 +8,9 @@
 # The service may not be running because it has been started and failed,
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
- /usr/bin/systemctl reset-failed "chronyd"
+ if /usr/bin/systemctl --failed | grep -q "chronyd"; then
+ /usr/bin/systemctl reset-failed "chronyd"
+ fi
 fi
 elif rpm --quiet -q "ntp" ; then
 /usr/bin/systemctl enable "ntpd"
@@ -16,7 +18,9 @@
 # The service may not be running because it has been started and failed,
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
- /usr/bin/systemctl reset-failed "ntpd"
+ if /usr/bin/systemctl --failed | grep -q "ntpd"; then
+ /usr/bin/systemctl reset-failed "ntpd"
+ fi
 else
 if ! rpm -q --quiet "chrony" ; then
 yum install -y "chrony"
@@ -26,7 +30,9 @@
 # The service may not be running because it has been started and failed,
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
- /usr/bin/systemctl reset-failed "chronyd"
+ if /usr/bin/systemctl --failed | grep -q "chronyd"; then
+ /usr/bin/systemctl reset-failed "chronyd"
+ fi
 fi
 
 else

[vojtapolasek]

Hello,
thank you for updates. It wil need few more changes, see comments.

[vojtapolasek]

Hello, thank you for improvements. Just two more things and I think we are ready to merge it.

[codeclimate]

Code Climate has analyzed commit 1ca3238 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

View more on Code Climate.

[openshift-ci]

@dodys: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ocp4-moderate-node	1ca3238	link	true	/test e2e-aws-ocp4-moderate-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[vojtapolasek]

Looks good now.
automatus tests are failing because during the PR development, there were added test scenarios (which passed), but later it was decided to restrict the rule to Ubuntu2204 prodtype. I think it does not make sense to remove those tests - it is possible that the rule will be eventually reused in RHEL since it is from CIS profile.

[vojtapolasek]

@dodys are you able to approve this PR? I can't merge it because @ComplianceAsCode/ubuntu-maintainers is required to approve the PR and you are the only member.@dodys are you planing to add test scenarios as well? How about Ansible remediation?

[dodys]

@dodys are you able to approve this PR? I can't merge it because @ComplianceAsCode/ubuntu-maintainers is required to approve the PR and you are the only member.@dodys are you planing to add test scenarios as well? How about Ansible remediation?

@vojtapolasek no I cannot approve PRs that I'm the author. @marcusburghardt can you help us here?
also @vojtapolasek regarding the test and ansible I've mentioned before:
"Just pushed tests for it.
Regarding ansible I won't be pushing anything for it, as we don't support it and have no way to test it properly"

[marcusburghardt]

Thanks for this rule. It will also be useful for other distros. I will be happy to include the Ansible remediation for it.

[marcusburghardt]

Automatus CS8, CS9 and Fedora are failing because the rule is restricted to ubuntu2204 in its prodtype. Waived.
ci/prow/e2e-aws-ocp4-moderate-node failed due to test environment issue but can safely be waived too since the rule is specific for ubuntu2204.

[marcusburghardt]

Overriding CODEOWNERS since @dodys can't approve his own PR.