Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ansible remediation for root group owner of audit for UBTU-20-010124 #11092

Merged
merged 1 commit into from
Oct 18, 2023
Merged

Add ansible remediation for root group owner of audit for UBTU-20-010124 #11092

merged 1 commit into from
Oct 18, 2023

Conversation

dexterle
Copy link
Contributor

@dexterle dexterle commented Sep 8, 2023
edited
Loading

Description:

  • Fix UBTU-20-010124
  • Add Ansible remediation for ubuntu

Rationale:

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010124"

To test changes with bash, run the remediation sections: xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout dexterle:add-manual-stig-ubtu-20-v1r9

This STIG can not be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check given the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Used by openshift-ci bot. needs-ok-to-test Used by openshift-ci bot. labels Sep 8, 2023
@openshift-ci
Copy link

openshift-ci bot commented Sep 8, 2023

Hi @dexterle. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Mab879 Mab879 added Ubuntu Ubuntu product related. STIG STIG Benchmark related. labels Sep 8, 2023
@github-actions
Copy link

github-actions bot commented Sep 8, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@dexterle dexterle marked this pull request as ready for review September 11, 2023 16:53
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 11, 2023
@dexterle dexterle mentioned this pull request Sep 11, 2023
Closed
@dodys dodys self-assigned this Sep 12, 2023
@dodys dodys requested a review from a team September 12, 2023 08:54
dodys
dodys requested changes Sep 12, 2023
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please make the ansible script shared with others, just like the bash remediation is

@dodys dodys added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Sep 12, 2023
@dexterle
Add ansible remediation for root group owner of audit for UBTU-20-010124
ccbd143 
This commit will add in the ansible remediation for ensuring that all audit logs are owned by root group.
@dexterle dexterle force-pushed the add-remediation-ubtu-20-010124 branch from a82dcdd to ccbd143 Compare September 28, 2023 16:36
@codeclimate
Copy link

codeclimate bot commented Sep 28, 2023

Code Climate has analyzed commit ccbd143 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 56.9%.

View more on Code Climate.

@dodys
Copy link
Contributor

dodys commented Oct 3, 2023

@ComplianceAsCode/oracle-maintainers this PR when applied will affect you because of the added ansible remediation and the missing ol8 bits. I just want to let you know before we merge it and if that's okay with you?

dodys
dodys approved these changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit 3c81866 into ComplianceAsCode:master Oct 18, 2023
@Mab879 Mab879 added the Ansible Ansible remediation update. label Oct 18, 2023
@Mab879 Mab879 added this to the 0.1.71 milestone Oct 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels
Ansible Ansible remediation update. ok-to-test Used by openshift-ci bot. STIG STIG Benchmark related. Ubuntu Ubuntu product related.
Projects
None yet
Milestone
0.1.71
Development

Successfully merging this pull request may close these issues.
3 participants
@dexterle @dodys @Mab879