Fix rule ubtu 20 010033

[dexterle]

Description:

• Fix UBTU-20-010033
• Deprecate ubuntu.xml OVAL definition and to use modified shared.xml
• Refactor ansible remediation to simplify PAM specific packages and config lines

Rationale:

• Part of Ubuntu 20.04 DISA STIG v1r9 profile upgrade
• Ubuntu2004 stig profile v1r9 update #10738

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010033"

To test changes with bash, run the remediation section: xccdf_org.ssgproject.content_rule_smartcard_pam_enabled

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout dexterle:add-manual-stig-ubtu-20-v1r9

This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

[openshift-ci]

Hi @dexterle. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dexterle]

Refer to comment on reverting ubuntu.xml when get chance

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

sle12 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_smartcard_pam_enabled'.
--- xccdf_org.ssgproject.content_rule_smartcard_pam_enabled
+++ xccdf_org.ssgproject.content_rule_smartcard_pam_enabled
@@ -13,7 +13,9 @@
 
 # grep pam_pkcs11.so /etc/pam.d/common-auth
 
+
 auth sufficient pam_pkcs11.so
+
 
 For general information about enabling smart card authentication, consult
 the documentation at:

OCIL for rule 'xccdf_org.ssgproject.content_rule_smartcard_pam_enabled' differs.
--- ocil:ssg-smartcard_pam_enabled_ocil:questionnaire:1
+++ ocil:ssg-smartcard_pam_enabled_ocil:questionnaire:1
@@ -13,7 +13,9 @@
 
 # grep pam_pkcs11.so /etc/pam.d/common-auth
 
+
 auth sufficient pam_pkcs11.so
+
 
 If pam_pkcs11.so is not set in etc/pam.d/common-auth this
 is a finding.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_pam_enabled' differs.
--- xccdf_org.ssgproject.content_rule_smartcard_pam_enabled
+++ xccdf_org.ssgproject.content_rule_smartcard_pam_enabled
@@ -1,9 +1,6 @@
-- name: Gather list of packages
+- name: Gather the package facts
   package_facts:
     manager: auto
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - ''
   tags:
   - CCE-83208-9
   - DISA-STIG-SLES-12-030520
@@ -27,9 +24,39 @@
   - restrict_strategy
   - smartcard_pam_enabled
 
-- name: Check to see if 'pam_pkcs11' module is configured in '/etc/pam.d/common-auth'
-  shell: grep -E '^\s*auth\s+\S+\s+pam_pkcs11\.so' /etc/pam.d/common-auth || true
+- name: Enable Smart Card Logins in PAM - Gather List of Packages
+  ansible.builtin.package_facts:
+    manager: auto
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-83208-9
+  - DISA-STIG-SLES-12-030520
+  - NIST-800-53-IA-2(1)
+  - NIST-800-53-IA-2(1).1
+  - NIST-800-53-IA-2(11)
+  - NIST-800-53-IA-2(12)
+  - NIST-800-53-IA-2(2)
+  - NIST-800-53-IA-2(2).1
+  - NIST-800-53-IA-2(3)
+  - NIST-800-53-IA-2(3).1
+  - NIST-800-53-IA-2(4)
+  - NIST-800-53-IA-2(4).1
+  - NIST-800-53-IA-5(2)
+  - NIST-800-53-IA-5(2)(c)
+  - NIST-800-53-IA-5(2).1
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+  - smartcard_pam_enabled
+
+- name: Enable Smart Card Logins in PAM - Check to See if 'pam_pkcs11' Module Is Configured
+    in '/etc/pam.d/common-auth'
+  ansible.builtin.shell: grep -E '^\s*auth\s+\S+\s+pam_pkcs11\.so' /etc/pam.d/common-auth
+    || true
   register: check_pam_pkcs11_module_result
+  changed_when: false
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"pam_pkcs11" in ansible_facts.packages'
@@ -56,8 +83,8 @@
   - restrict_strategy
   - smartcard_pam_enabled
 
-- name: Configure 'pam_pkcs11' module in '/etc/pam.d/common-auth'
-  lineinfile:
+- name: Enable Smart Card Logins in PAM - Configure 'pam_pkcs11' Module in '/etc/pam.d/common-auth'
+  ansible.builtin.lineinfile:
     path: /etc/pam.d/common-auth
     line: auth sufficient pam_pkcs11.so
     insertafter: ^\s*#
@@ -89,8 +116,9 @@
   - restrict_strategy
   - smartcard_pam_enabled
 
-- name: Ensure 'pam_pkcs11' module has 'sufficient' control flag
-  lineinfile:
+- name: Enable Smart Card Logins in PAM - Ensure 'pam_pkcs11' Module Has sufficient
+    Control Flag
+  ansible.builtin.lineinfile:
     path: /etc/pam.d/common-auth
     regexp: ^(\s*auth\s+)\S+(\s+pam_pkcs11\.so.*)
     line: \g<1>sufficient\g<2>

[codeclimate]

Code Climate has analyzed commit 7a39713 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

[teacup-on-rockingchair]

LGTM 👍

[marcusburghardt]

This is up to you now @dodys . : )

[dodys]

lgtm, thanks