Add new rule file_cron_allow_exists #11441
Conversation
Add new rule file_cron_allow_exists and add it to CIS profiles because the CIS RHEL Benchmark requires the file /etc/cron.allow to exist.

The other rules within the control that check the ownership and permissions on /etc/cron.allow are passing if this file doesn't exist. The file doesn't exist by default. To ensure the file exists, we add a new rule that creates it.

Resolves: https://issues.redhat.com/browse/RHEL-1314
@@ -0,0 +1,2 @@
#!/bin/bash
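Review bot: the hunk header declares two added lines but only the shebang of dne.fail.sh is visible here, so the scenario body (the step that makes /etc/cron.allow absent) cannot be reviewed from this excerpt. Since the rule is RHEL-only, as the waived SLES Automatus failure later in the thread shows, the scenario should also carry the project's platform header comment so Automatus skips it on other distributions instead of reporting a failure.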
Is the name dne.fail.sh intentional? Maybe we can rename the file to more easily reflect the test?
dne is an acronym for "does not exist".
Ah ok. Thanks. It was not obvious to me. : ) So, all fine to keep this name if you prefer.
and the output should list the file.

template:
    name: file_existence
It would be great to extend this template to also accept mode and ownership properties as parameters for the remediation when creating the file. This would avoid the rules file_groupowner_cron_allow, file_owner_cron_allow and file_permissions_cron_allow failing after creating the file.
yes, that'd be amazing!
Now there is a problem with the dependency between rules - during the initial scan, the

I recently commented about this: #11441 (comment)
This patch adds 2 new parameters, fileuid and filemode, to the file_existence template. They will be used only in remediations. They will enable us to create the file with the correct permissions from the beginning, which helps avoid a remediation-time collision with other rules that check file permissions and file ownership.

This way we will ensure that the file is created with the correct owner and permissions from the beginning. Uses the new parameters of the file_existence template. These options aren't checked by OVAL; they are only used by remediations.
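An added illustration, not the project's template code, of the remediation pattern these two commits describe: creating the mandated file with its final mode and ownership in a single step, so the owner and permissions rules for the same file do not fail in between remediations. The function names, the root:root / 0600 defaults and the touch-based variant shown for contrast are assumptions, not taken from the file_existence template.

```bash
#!/bin/bash
# Added example, not the project's template output. Contrasts creating a
# mandated file with touch (mode comes from umask, so a later chmod/chown
# is needed) with creating it with its final attributes at once.
# Defaults root:root / 0600 are assumptions for the cron.allow case.

# Pattern that leaves work for the owner/permission rules: the file
# appears with a umask-derived mode (0644 under umask 022) and is owned
# by whoever ran the remediation.
ensure_file_touch_only() {
    local path="$1"
    [ -e "$path" ] || touch "$path"
}

# Pattern with explicit mode/owner/group, the effect the fileuid/filemode
# parameters are meant to produce. Ownership is only applied when running
# as root; unprivileged runs (e.g. a test harness) still get the mode.
ensure_file() {
    local path="$1" mode="${2:-0600}" owner="${3:-root}" group="${4:-root}"
    # Existence is all this rule remediates; an existing file's content,
    # mode and owner are left to the dedicated rules for that file.
    if [ -e "$path" ]; then
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install -m "$mode" -o "$owner" -g "$group" /dev/null "$path"
    else
        install -m "$mode" /dev/null "$path"
    fi
}

# Check side of the rule: pass (0) only for an existing regular file.
check_file_exists() {
    [ -f "$1" ]
}

# Octal mode of a file, e.g. 600 (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}
```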
This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_at_deny_not_exist' differs.
--- xccdf_org.ssgproject.content_rule_file_at_deny_not_exist
+++ xccdf_org.ssgproject.content_rule_file_at_deny_not_exist
@@ -1,11 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-#!/bin/bash
-
-
-
- if [[ -f /etc/at.deny ]]; then
+if [[ -f /etc/at.deny ]]; then
rm /etc/at.deny
fi
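Review bot: the removed lines (`#!/bin/bash` and three blank lines nested inside the platform guard) were inert, since a `#!` line anywhere but line 1 of a script is only a comment, so this hunk is whitespace-only and the template refactor does not change behaviour for file_at_deny_not_exist. What is worth confirming from the full datastream diff rather than this excerpt is that the new fileuid/filemode parameters surface only in the file_cron_allow_exists remediation and that the `rm` is still reached only behind the `-f` test.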
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist' differs.
--- xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist
+++ xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist
@@ -1,11 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-#!/bin/bash
-
-
-
- if [[ -f /etc/cron.deny ]]; then
+if [[ -f /etc/cron.deny ]]; then
rm /etc/cron.deny
fi
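Review bot: same whitespace-only cleanup as the at.deny hunk above (shebang and blanks dropped, `if` de-indented); nothing functional changes for file_cron_deny_not_exist.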
Code Climate has analyzed commit ed654d2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5% (0.0% change).
I have improved the file_existence template so that the remediations will create files with given uid and permissions and I have used this in the rule file_cron_allow_exists to help avoid the aforementioned remediation time conflict.
LGTM.
Thanks for the PR!
Waiving the SLES Automatus failure as this rule is only applicable to RHEL currently.