
Simplify output of ip link show command #11657

Conversation

marcusburghardt
Member

Description:

In the network_sniffer_disabled rule this command is used to collect the interface names.
This can be simplified using the -o (oneline) option of the ip command instead of filtering the output with other commands.

This was noticed when investigating failures in CI tests for #11248

Rationale:

Simplify command output so Bash and Ansible remediation are more robust.
Less is more. : )
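As an added example, not part of this PR or of the ComplianceAsCode remediation itself: a POSIX shell script that parses a constructed `ip -o link show` sample the same way the new remediation does (`cut -d ":" -f 2`), next to a stricter parser that also strips the `@parent` suffix VLAN and veth links carry. The sample output and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's remediation: parse interface names out of
# `ip -o link show` output. The sample below is constructed so this runs
# without root and without touching netlink.

# Constructed `ip -o link show` output: one link per line, the per-link
# detail joined onto the same line with a literal backslash, as ip(8) -o does.
SAMPLE_IP_O_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff'

# Same extraction as the merged bash remediation: field 2 of each line.
# Each name keeps a leading space (dropped later by unquoted word splitting)
# and a VLAN/veth link keeps its "@parent" suffix.
names_cut() {
    printf '%s\n' "$SAMPLE_IP_O_LINK" | cut -d ":" -f 2
}

# Stricter variant: split on ": " (MAC addresses contain ":" but never ": "),
# drop the "@parent" suffix, and emit the bare kernel device name that
# `ip link set dev` expects.
names_clean() {
    printf '%s\n' "$SAMPLE_IP_O_LINK" | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Dry run of the remediation loop: prints the ip(8) command that the real
# remediation would execute as root for each interface, without running it.
remediation_dry_run() {
    for interface in $(names_clean); do
        printf 'ip link set dev %s multicast off promisc off\n' "$interface"
    done
}

remediation_dry_run
```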

@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Ansible Ansible remediation update. Bash Bash remediation update. labels Mar 6, 2024
@marcusburghardt marcusburghardt added this to the 0.1.73 milestone Mar 6, 2024
github-actions bot commented Mar 6, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' differs.
--- xccdf_org.ssgproject.content_rule_network_sniffer_disabled
+++ xccdf_org.ssgproject.content_rule_network_sniffer_disabled
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do
+for interface in $(ip -o link show | cut -d ":" -f 2); do
     ip link set dev $interface multicast off promisc off
 done
 
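Review bot: `cut -d ":" -f 2` on the `-o` output still yields names with a leading space and keeps the `@parent` suffix of VLAN and veth links (for example `eth0.100@eth0`); the space is absorbed because `$(...)` is unquoted, but `ip link set dev eth0.100@eth0` is not a valid device name and will fail for those links. Consider `awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'` in place of the `cut`, and quote `"$interface"` on the `ip link set` line.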

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' differs.
--- xccdf_org.ssgproject.content_rule_network_sniffer_disabled
+++ xccdf_org.ssgproject.content_rule_network_sniffer_disabled
@@ -1,6 +1,6 @@
 - name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces
   ansible.builtin.command:
-    cmd: ip link show
+    cmd: ip -o link show
   register: network_interfaces
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
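Review bot: with `-o` every link lands on exactly one line of `network_interfaces.stdout_lines`, which is what the later loop needs; since `ip -o link show` is a pure read, make sure this `command` task carries `changed_when: false` so the gather step never reports a change in check or apply mode.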
@@ -25,7 +25,7 @@
   loop: '{{ network_interfaces.stdout_lines }}'
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - item.split(':') | length == 3
+  - item.split(':')
   tags:
   - CCE-82283-3
   - DISA-STIG-RHEL-08-040330
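Review bot: `- item.split(':')` as a `when` condition is always true, because `split` returns a non-empty list even for an empty string, so the condition no longer filters anything. The old `| length == 3` cannot work with `-o` output either, since the per-link detail (MAC addresses) adds more `:` to every line. If the intent is to skip blank lines use `item | trim | length > 0`; if the loop body relies on `item.split(':')[1]`, `item.split(':') | length >= 2` keeps that access safe.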

github-actions bot commented Mar 6, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11657
This image was built from commit: d0724ed


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11657

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11657 make deploy-local

@marcusburghardt
Member Author

Automatus tests are expected to fail because the containers used in these tests do not allow setting an interface to promisc mode:

ip link set dev lo promisc on
RTNETLINK answers: Operation not permitted

This could probably be solved by managing the container capabilities. However, for the scope of this PR, testing-farm and automatus tests in local VMs should be enough.

In the network_sniffer_disabled rule this command is used to collect the
interface names. This can be simplified using the -o (oneline) option
of the ip command instead of filtering the output with other commands.
@marcusburghardt marcusburghardt force-pushed the network_sniffer_disabled_short_output branch from 833800c to d0724ed Compare March 6, 2024 11:17
codeclimate bot commented Mar 6, 2024

Code Climate has analyzed commit d0724ed and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).


@Mab879 Mab879 self-assigned this Mar 7, 2024
@Mab879
Member

Mab879 commented Mar 7, 2024

> Automatus tests are expected to fail because the containers used in these tests do not allow setting an interface to promisc mode:
>
> ip link set dev lo promisc on
> RTNETLINK answers: Operation not permitted
>
> This could probably be solved by managing the container capabilities. However, for the scope of this PR, testing-farm and automatus tests in local VMs should be enough.

Agreed. Tests pass locally in a VM.

@Mab879 Mab879 merged commit 923a2bd into ComplianceAsCode:master Mar 7, 2024
40 of 44 checks passed
@marcusburghardt marcusburghardt deleted the network_sniffer_disabled_short_output branch March 7, 2024 07:54