Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames #11226
Conversation
Currently, only UID/GIDs were supported in the template, which fails with Ubuntu 22.04 server. This is because the server and desktop installations have different UIDs for syslog user (104/107), but have the same identifier in CaC. The proposed modification checks if the provided `owner` and `groupowner` values are numbers (== UID/GID), and if not, it first extracts UID/GID information from /etc/passwd and /etc/group (or /usr/lib/ in case of CoreOS) based on the provided username/groupname values.
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
@@ -94,7 +94,7 @@
then
continue
fi
- $FILE_CMD "0" "$LOG_FILE_PATH"
+ $FILE_CMD "root" "$LOG_FILE_PATH"
done
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
@@ -183,7 +183,7 @@
- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
- group: '0'
+ group: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
@@ -94,7 +94,7 @@
then
continue
fi
- $FILE_CMD "0" "$LOG_FILE_PATH"
+ $FILE_CMD "root" "$LOG_FILE_PATH"
done
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
@@ -183,7 +183,7 @@
- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
- owner: '0'
+ owner: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false |
|
Code Climate has analyzed commit 184d5f0 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.4%. View more on Code Climate. |
dodys
added
Ubuntu
Description:
The proposed modification checks if the provided
ownerandgroupownervalues are numbers (== UID/GID), and if not, it first extracts UID/GID information from /etc/passwd and /etc/group (or /usr/lib/ in case of CoreOS) based on the provided username/groupname values.Rationale:
Currently, only UID/GIDs were supported in the template, which fails with Ubuntu 22.04 server.
This is because the server and desktop installations have different UIDs for syslog user (104/107), but have the same identifier in CaC.