Modify adie db exist path for UBTU-20-010450

[dexterle]

Description:

• Fix aide_build_database ansible remediation to ensure proper aide path

Rationale:

• Part of Ubuntu 20.04 DISA STIG v1r9 profile upgrade
• Ubuntu2004 stig profile v1r9 update #10738

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010450"

To test changes with bash, run the remediation section: xccdf_org.ssgproject.content_rule_aide_build_database

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout dexterle:add-manual-stig-ubtu-20-v1r9

This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

[openshift-ci]

Hi @dexterle. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[dexterle]

This should be consolidated with #11058

[dodys]

you should create a separate ubuntu ansible remediation, following the bash implementation.
Our OVAL check is different from other and so our remediation.

[dexterle]

you should create a separate ubuntu ansible remediation, following the bash implementation. Our OVAL check is different from other and so our remediation.

Taking a look at this now...

[dexterle]

Should linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml be reverted removing ubuntu specific tasks?

I've added in ansible remediation for Ubuntu that follows bash remediation.

[dodys]

Should linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml be reverted removing ubuntu specific tasks?

I've added in ansible remediation for Ubuntu that follows bash remediation.

yes, please

[dexterle]

Reverted ubuntu specific on shared ansible remediation. I also shortened some of the logic and use proper styling.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_build_database' differs.
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -1,5 +1,5 @@
-- name: Ensure AIDE is installed
-  package:
+- name: Build and Test AIDE Database - Ensure AIDE Is Installed
+  ansible.builtin.package:
     name: '{{ item }}'
     state: present
   with_items:
@@ -19,8 +19,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Build and Test AIDE Database
-  command: /usr/sbin/aide --init
+- name: Build and Test AIDE Database - Build and Test AIDE Database
+  ansible.builtin.command: /usr/sbin/aide --init
   changed_when: true
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
@@ -37,8 +37,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check whether the stock AIDE Database exists
-  stat:
+- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists
+  ansible.builtin.stat:
     path: /var/lib/aide/aide.db.new.gz
   register: aide_database_stat
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -56,8 +56,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Stage AIDE Database
-  copy:
+- name: Build and Test AIDE Database - Stage AIDE Database
+  ansible.builtin.copy:
     src: /var/lib/aide/aide.db.new.gz
     dest: /var/lib/aide/aide.db.gz
     backup: true

[openshift-ci]

@dexterle: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	33f7850	link	true	/test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[codeclimate]

Code Climate has analyzed commit 33f7850 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

[dodys]

lgtm, thanks

[marcusburghardt]

I believe it can already be merged, correct?