Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files #11474
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -28,6 +28,11 @@
fi
fi
+readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
+for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
+ sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" "$SSSD_CONF_D_FILE"
+done
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -115,3 +115,43 @@
- no_reboot_needed
- sssd_ldap_configure_tls_ca_dir
- unknown_strategy
+
+- name: Find all the conf files inside /etc/sssd/conf.d/
+ find:
+ paths: /etc/sssd/conf.d/
+ patterns: '*.conf'
+ register: sssd_conf_d_files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82456-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-12(3)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ldap_configure_tls_ca_dir
+ - unknown_strategy
+
+- name: Set ldap_tls_cacertdir to {{ var_sssd_ldap_tls_ca_dir }} in /etc/sssd/conf.d/
+ if exists
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: '[^#]*ldap_tls_cacertdir.*'
+ replace: ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}
+ with_items: '{{ sssd_conf_d_files.files }}'
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82456-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-12(3)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ldap_configure_tls_ca_dir
+ - unknown_strategy
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -25,6 +25,11 @@
fi
fi
+readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
+for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
+ sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" "$SSSD_CONF_D_FILE"
+done
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -110,3 +110,42 @@
- no_reboot_needed
- sssd_ldap_configure_tls_reqcert
- unknown_strategy
+
+- name: Find all the conf files inside /etc/sssd/conf.d/
+ find:
+ paths: /etc/sssd/conf.d/
+ patterns: '*.conf'
+ register: sssd_conf_d_files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-84062-9
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-12(3)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ldap_configure_tls_reqcert
+ - unknown_strategy
+
+- name: Set ldap_tls_reqcert to demand in /etc/sssd/conf.d/ if exists
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: '[^#]*ldap_tls_reqcert.*'
+ replace: ldap_tls_reqcert = demand
+ with_items: '{{ sssd_conf_d_files.files }}'
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-84062-9
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-12(3)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ldap_configure_tls_reqcert
+ - unknown_strategy
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls'.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -11,7 +11,7 @@
To check if LDAP is configured to use TLS when id_provider is
set to ldap or ipa, use the following command:
-$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf
+$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
[reference]:
11
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -25,6 +25,11 @@
fi
fi
+readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
+for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
+ sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" "$SSSD_CONF_D_FILE"
+done
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -115,3 +115,44 @@
- no_reboot_needed
- sssd_ldap_start_tls
- unknown_strategy
+
+- name: Find all the conf files inside /etc/sssd/conf.d/
+ find:
+ paths: /etc/sssd/conf.d/
+ patterns: '*.conf'
+ register: sssd_conf_d_files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82437-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - high_severity
+ - low_complexity
+ - medium_disruption
+ - no_reboot_needed
+ - sssd_ldap_start_tls
+ - unknown_strategy
+
+- name: Set ldap_id_use_start_tls to true in /etc/sssd/conf.d/ if exists
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: '[^#]*ldap_id_use_start_tls.*'
+ replace: ldap_id_use_start_tls = true
+ with_items: '{{ sssd_conf_d_files.files }}'
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82437-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - high_severity
+ - low_complexity
+ - medium_disruption
+ - no_reboot_needed
+ - sssd_ldap_start_tls
+ - unknown_strategy |
jan-cerny
added
Update Rule
jan-cerny
reviewed
Jan 25, 2024
| @@ -0,0 +1,16 @@ | |||
| #!/bin/bash | |||
| # packages = /usr/lib/systemd/system/sssd.service | |||
| # profiles = xccdf_org.ssgproject.content_profile_stig | |||
There was a problem hiding this comment.
I don't see a reason for having the profiles key here. Why do you add it?
There was a problem hiding this comment.
Just copied it from the other tests
| @@ -0,0 +1,12 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Suggested change
| #!/bin/bash | |
| #!/bin/bash | |
| # packages = sssd-ldap |
| @@ -0,0 +1,23 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Suggested change
| #!/bin/bash | |
| #!/bin/bash | |
| # packages = sssd-ldap |
| @@ -0,0 +1,12 @@ | |||
| #!/bin/bash | |||
|
|
|||
There was a problem hiding this comment.
this test scenario fails for me, the rule passes:
jcerny@fedora:~/work/git/scap-security-guide (pr/11474)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --scenario ldap_id_provider_and_reqcert_never_conf_d.fail.sh sssd_ldap_configure_tls_reqcert
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-25-1102/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
ERROR - Script ldap_id_provider_and_reqcert_never_conf_d.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert'.
There was a problem hiding this comment.
I set the wrong config in the test hahaha
shared/macros/10-bash.jinja
Outdated
| @@ -1291,6 +1290,12 @@ if grep -qvzosP $AD_REGEX $SSSD_CONF; then | |||
| fi | |||
| fi | |||
| fi | |||
|
|
|||
| readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name *.conf) | |||
There was a problem hiding this comment.
shellcheck flags this, see the CI results:
In /__w/content/content/build/rhel8/fixes/bash/sssd_ldap_configure_tls_ca_dir.sh line 32:
readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name *.conf)
^----^ SC2061 (warning): Quote the parameter to -name so the shell won't interpret it.
Update rules sssd_ldap_configure_tls_ca_dir, sssd_ldap_start_tls & sssd_ldap_configure_tls_reqcert to also consider files in /etc/sssd/conf.d/ directory. This update includes OVAL changes for each rule, and changes in the macros that the remedations use Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Add tests to cover scenarios with configurations in files in /etc/sssd/conf.d/ directory Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Xeicker
force-pushed
the
update_sssd-ldap
branch
from
2c57d4f
to
5537b5c
Compare
|
Code Climate has analyzed commit 5537b5c and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.3% (0.0% change). View more on Code Climate. |
jan-cerny
approved these changes
Jan 31, 2024
There was a problem hiding this comment.
The Automatus test scenarios are passing when run locally.
jcerny@fedora:~/work/git/scap-security-guide (pr/11474)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 sssd_ldap_configure_tls_ca_dir sssd_ldap_configure_tls_reqcert sssd_ldap_start_tls
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-31-0959/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script domain_not_there.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir.pass.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_bad_value.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_not_absolute_path.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_not_there.fail.sh.
INFO - Script ldap_tls_cacertdir_bad_value_conf_d.fail.sh using profile (all) OK
INFO - Script ldap_tls_cacertdir_conf_d.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
WARNING - Script ad_id_provider_and_reqcert_never.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert evaluation resulted in notapplicable
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_dropin.pass.sh using profile (all) OK
WARNING - Script id_provider_is_set_to_ad.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert evaluation resulted in notapplicable
INFO - Script ldap_id_provider_and_reqcert_never.fail.sh using profile (all) OK
INFO - Script ldap_tls_reqcert_not_there.fail.sh using profile (all) OK
INFO - Script correct_value_conf_d.pass.sh using profile (all) OK
INFO - Script ldap_id_provider_and_reqcert_never_conf_d.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
WARNING - Script ad_id_provider_and_tls_false.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls evaluation resulted in notapplicable
INFO - Script correct_value.pass.sh using profile (all) OK
WARNING - Script id_provider_is_set_to_ad.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls evaluation resulted in notapplicable
INFO - Script ldap_id_provider_and_tls_false.fail.sh using profile (all) OK
INFO - Script ldap_use_start_tls_not_there.fail.sh using profile (all) OK
INFO - Script correct_value_dropin.pass.sh using profile (all) OK
INFO - Script correct_value_conf_d.pass.sh using profile (all) OK
INFO - Script ldap_id_provider_and_tls_false_conf_d.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11474)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 sssd_ldap_configure_tls_ca_dir sssd_ldap_configure_tls_reqcert sssd_ldap_start_tls
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-31-1012/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script domain_not_there.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir.pass.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_bad_value.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_not_absolute_path.fail.sh.
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir isn't part of profile xccdf_org.ssgproject.content_profile_stig requested by script ldap_tls_cacertdir_not_there.fail.sh.
INFO - Script ldap_tls_cacertdir_bad_value_conf_d.fail.sh using profile (all) OK
INFO - Script ldap_tls_cacertdir_conf_d.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
WARNING - Script ad_id_provider_and_reqcert_never.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert evaluation resulted in notapplicable
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_dropin.pass.sh using profile (all) OK
WARNING - Script id_provider_is_set_to_ad.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert evaluation resulted in notapplicable
INFO - Script ldap_id_provider_and_reqcert_never.fail.sh using profile (all) OK
INFO - Script ldap_tls_reqcert_not_there.fail.sh using profile (all) OK
INFO - Script correct_value_conf_d.pass.sh using profile (all) OK
INFO - Script ldap_id_provider_and_reqcert_never_conf_d.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
WARNING - Script ad_id_provider_and_tls_false.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls evaluation resulted in notapplicable
INFO - Script correct_value.pass.sh using profile (all) OK
WARNING - Script id_provider_is_set_to_ad.notapplicable.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls evaluation resulted in notapplicable
INFO - Script ldap_id_provider_and_tls_false.fail.sh using profile (all) OK
INFO - Script ldap_use_start_tls_not_there.fail.sh using profile (all) OK
INFO - Script correct_value_dropin.pass.sh using profile (all) OK
INFO - Script correct_value_conf_d.pass.sh using profile (all) OK
INFO - Script ldap_id_provider_and_tls_false_conf_d.fail.sh using profile (all) OK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Rationale:
Review Hints: