New Rule: networkmanager_dns_mode #11160
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mab879
added
New Rule
|
Start a new ephemeral environment with changes proposed in this pull request: rhel9 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
Mab879
changed the title
Mab879
force-pushed
the
new_rule_dns_mode_nm
branch
from
f21fc8c
to
70679ae
Compare
Mab879
force-pushed
the
new_rule_dns_mode_nm
branch
from
7b2d045
to
1ead347
Compare
jan-cerny
requested changes
Oct 2, 2023
There was a problem hiding this comment.
I think that the CI fail of Automatus jobs is caused by systemd not running in the container environemnt. Consider marking the rule as machine only.
However, when executed locally on a RHEL 9.2 virtual machine back end, I get some fails with Ansible remediations:
[jcerny@fedora tests]$ python3 automatus.py rule --libvirt qemu:///system ssgts_rhel9 networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/tests/logs/rule-custom-2023-10-02-0944/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
[jcerny@fedora tests]$ python3 automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/tests/logs/rule-custom-2023-10-02-1036/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.
INFO - Script wrong_value.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.
Do you encounter the same problem? Please take a look.
|
|
||
| prodtype: rhel9 | ||
|
|
||
| title: 'NetworkManager DNS Mode Must Be Must' |
There was a problem hiding this comment.
Suggested change
| title: 'NetworkManager DNS Mode Must Be Must' | |
| title: 'NetworkManager DNS Mode Must Be Configured' |
jan-cerny
reviewed
Oct 2, 2023
|
|
||
| {{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}} | ||
|
|
||
| {{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ networkmanager_dns_mode }}") }}} |
There was a problem hiding this comment.
3851 fatal: [192.168.124.141]: FAILED! => {
3852 "msg": "The task includes an option with an undefined variable. The error was: 'networkmanager_dns_mode' is undefined. 'networkmanager_dns_mode' is undefined\n\nThe error appears to be in '/home/jcerny/work/git/scap- security-guide/tests/logs/rule-custom-2023-10-02-1036/xccdf_org.ssgproject.content_rule_networkmanager_dns_mode. yml': line 45, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Set 'dns' to '{{ networkmanager_dns_mode }}' in the [main] section of '/etc/NetworkManager/NetworkManager.conf'\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - \"{{ foo }}\"\n"
3853 }
ce1f84f
to
cf22422
Compare
|
Code Climate has analyzed commit 3dd2bde and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 56.8%. View more on Code Climate. |
|
/packit retest-failed |
1 similar comment
|
/packit retest-failed |
jan-cerny
approved these changes
Oct 6, 2023
There was a problem hiding this comment.
When executed on a VM back end the Automatus tests pass:
jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-10-06-1419/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-10-06-1421/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR adds the new rule networkmanager_dns_mode
Rationale:
Needed for future work.