Align wireless_disable_interfaces with Ubuntu 22.04 STIG

[mpurg]

Description:

• Created Ubuntu-specific OVAL to check /proc/net/wireless for enabled interfaces.
  The existing implementation relies on the interface name starting with
  "wl", which could be overriden.
• Modified remediation to disable the driver modules as suggested by CIS and STIG,
  instead of disabling wifi using nmcli.

[openshift-ci]

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11886
This image was built from commit: a99b885

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11886

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11886 make deploy-local

[dodys]

please keep the nmcli, this aligns with CIS

[mpurg]

As discussed, we can remove this since CIS 2.0.0 no longer uses nmcli in the remediation.

[dodys]

this check is only identifying if there's any wireless interface, it is not checking if they are disabled.
The shared oval is better

[mpurg]

I did this test to check if the interface is still listed:

# cat /proc/net/wireless 
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp2s0: 0000   45.  -65.  -256        0      0      0      0      1        0

# ip link set wlp2s0 down

# cat /proc/net/wireless 
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22

I did find an issue with the regex though.

[dodys]

this if seems unnecessary as you already has the command introduced above and the note is already in the else below.

[mpurg]

If we don't make a special conditional for ubuntu it will show the nmcli in the else statement, which is not ideal since we are not relying on nmcli.

[dodys]

also mention the nmcli fix

[mpurg]

As decided, we are moving away from the nmcli fix.

[mpurg]

Force pushed a fix to the OVAL regex and rebased to master. @dodys can you re-review?

[codeclimate]

Code Climate has analyzed commit a99b885 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

[dodys]

lgtm, thanks!