
Fix regex in file_ownership_audit_configuration #12029

Conversation

marcusburghardt
Member

@marcusburghardt marcusburghardt commented May 28, 2024

Description:

This regex was not matching the files as expected. After some minor changes with escapes, it is working.

Rationale:

Fix CI test Automatus Sanity / Run Tests (pull_request)

Review Hints:

./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --remediate-using bash file_ownership_audit_configuration
./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --remediate-using ansible file_ownership_audit_configuration

Reference:
https://www.gnu.org/software/findutils/manual/html_node/find_html/Regular-Expressions.html#Regular-Expressions

@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Test Suite Update in Test Suite. labels May 28, 2024
@marcusburghardt marcusburghardt added this to the 0.1.74 milestone May 28, 2024

github-actions bot commented May 28, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
@@ -1,2 +1,2 @@
 
-find /boot/ -maxdepth 1 -type f ! -group root -regex '^.*System\.map.*$' -exec chgrp root {} \;
+find /boot/ -maxdepth 1 -type f ! -group root -regextype posix-extended -regex '^.*System\.map.*$' -exec chgrp root {} \;
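Review bot: `-regextype` is a positional option in GNU find, so it only affects `-regex` tests that come after it on the command line; the `+` line places it before `-regex`, which is the right order, and the template should keep that invariant wherever it emits the pair. For this pattern, `^.*System\.map.*$`, the default dialect and posix-extended parse identically (no `(`, `|`, `+` or `?` is involved), so the hunk is behaviour-neutral; the dialect switch only changes results for the audit_configuration rules further down, whose pattern uses `(...|...)`. `-regex` and `-regextype` are GNU extensions rather than POSIX find, so the remediation already assumed GNU findutils before this change.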

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
@@ -1,5 +1,6 @@
 - name: Find /boot/ file(s) matching ^.*System\.map.*$
-  command: find -H /boot/ -maxdepth 1 -type f ! -group root -regex "^.*System\.map.*$"
+  command: find -H /boot/ -maxdepth 1 -type f ! -group root -regextype posix-extended
+    -regex "^.*System\.map.*$"
   register: files_found
   changed_when: false
   failed_when: false
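Review bot: the continuation line `    -regex "^.*System\.map.*$"` is part of a plain (unquoted) multi-line YAML scalar, so YAML folds it onto the `command:` line with a single space and leaves the embedded double quotes and the `\.` untouched; had the generator emitted the whole value as a double-quoted YAML string, `\.` would be an invalid YAML escape, so the plain style is the one to keep. The wrap position differs from hunk to hunk (a line-length wrap by the generator) and is cosmetic. Pre-existing and out of scope for this PR, but visible here: the Ansible task runs `find -H /boot/` while the Bash line in the previous hunk runs `find /boot/` without `-H`; the two remediation flavours should eventually emit the same flag set.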

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,2 +1,2 @@
 
-find /boot/ -maxdepth 1 -type f ! -uid 0 -regex '^.*System\.map.*$' -exec chown 0 {} \;
+find /boot/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown 0 {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,5 +1,6 @@
 - name: Find /boot/ file(s) matching ^.*System\.map.*$
-  command: find -H /boot/ -maxdepth 1 -type f ! -uid 0 -regex "^.*System\.map.*$"
+  command: find -H /boot/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex
+    "^.*System\.map.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -3,4 +3,4 @@
 
 
 
-find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -1,6 +1,6 @@
 - name: Find /etc/audit/rules.d/ file(s)
   command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type
-    f -regex "^.*rules$"
+    f -regextype posix-extended -regex "^.*rules$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -3,4 +3,4 @@
 
 
 
-find -H /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regex '^.*System\.map.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
+find -H /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regextype posix-extended -regex '^.*System\.map.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -1,5 +1,6 @@
 - name: Find /boot/ file(s)
-  command: find -H /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regex "^.*System\.map.*$"
+  command: find -H /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regextype
+    posix-extended -regex "^.*System\.map.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,8 +1,8 @@
 
-find /lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+find /lib/  -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown 0 {} \;
 
-find /lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+find /lib64/  -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown 0 {} \;
 
-find /usr/lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+find /usr/lib/  -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown 0 {} \;
 
-find /usr/lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+find /usr/lib64/  -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown 0 {} \;
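Review bot: with `-regex '^.*$'` every path matches under either dialect, so adding `-regextype posix-extended` cannot change which files these four `find` commands touch; the lines change only because the template now emits `-regextype` unconditionally. None of these invocations has `-maxdepth`, so they walk the entire library trees (the Ansible task names say "recursively"), and a `-regex` that accepts everything is pure overhead on that walk; having the template omit `-regex` altogether when its regex parameter is `^.*$` would be a cheap follow-up.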

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,5 +1,5 @@
 - name: Find /lib/ file(s) matching ^.*$ recursively
-  command: find -H /lib/  -type f ! -uid 0 -regex "^.*$"
+  command: find -H /lib/  -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -40,7 +40,7 @@
   - no_reboot_needed
 
 - name: Find /lib64/ file(s) matching ^.*$ recursively
-  command: find -H /lib64/  -type f ! -uid 0 -regex "^.*$"
+  command: find -H /lib64/  -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -81,7 +81,7 @@
   - no_reboot_needed
 
 - name: Find /usr/lib/ file(s) matching ^.*$ recursively
-  command: find -H /usr/lib/  -type f ! -uid 0 -regex "^.*$"
+  command: find -H /usr/lib/  -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -122,7 +122,8 @@
   - no_reboot_needed
 
 - name: Find /usr/lib64/ file(s) matching ^.*$ recursively
-  command: find -H /usr/lib64/  -type f ! -uid 0 -regex "^.*$"
+  command: find -H /usr/lib64/  -type f ! -uid 0 -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
@@ -3,10 +3,10 @@
 
 
 
-find -H /lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+find -H /lib/  -perm /g+w,o+w  -type f -regextype posix-extended -regex '^.*$' -exec chmod g-w,o-w {} \;
 
-find -H /lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+find -H /lib64/  -perm /g+w,o+w  -type f -regextype posix-extended -regex '^.*$' -exec chmod g-w,o-w {} \;
 
-find -H /usr/lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+find -H /usr/lib/  -perm /g+w,o+w  -type f -regextype posix-extended -regex '^.*$' -exec chmod g-w,o-w {} \;
 
-find -H /usr/lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+find -H /usr/lib64/  -perm /g+w,o+w  -type f -regextype posix-extended -regex '^.*$' -exec chmod g-w,o-w {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
@@ -1,5 +1,6 @@
 - name: Find /lib/ file(s) recursively
-  command: find -H /lib/  -perm /g+w,o+w  -type f -regex "^.*$"
+  command: find -H /lib/  -perm /g+w,o+w  -type f -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -40,7 +41,8 @@
   - no_reboot_needed
 
 - name: Find /lib64/ file(s) recursively
-  command: find -H /lib64/  -perm /g+w,o+w  -type f -regex "^.*$"
+  command: find -H /lib64/  -perm /g+w,o+w  -type f -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -81,7 +83,8 @@
   - no_reboot_needed
 
 - name: Find /usr/lib/ file(s) recursively
-  command: find -H /usr/lib/  -perm /g+w,o+w  -type f -regex "^.*$"
+  command: find -H /usr/lib/  -perm /g+w,o+w  -type f -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -122,7 +125,8 @@
   - no_reboot_needed
 
 - name: Find /usr/lib64/ file(s) recursively
-  command: find -H /usr/lib64/  -perm /g+w,o+w  -type f -regex "^.*$"
+  command: find -H /usr/lib64/  -perm /g+w,o+w  -type f -regextype posix-extended
+    -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs.
--- xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
+++ xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
@@ -1,8 +1,8 @@
 
-find /lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+find /lib/  -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp 0 {} \;
 
-find /lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+find /lib64/  -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp 0 {} \;
 
-find /usr/lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+find /usr/lib/  -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp 0 {} \;
 
-find /usr/lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+find /usr/lib64/  -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp 0 {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs.
--- xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
+++ xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
@@ -1,5 +1,5 @@
 - name: Find /lib/ file(s) matching ^.*$ recursively
-  command: find -H /lib/  -type f ! -group 0 -regex "^.*$"
+  command: find -H /lib/  -type f ! -group 0 -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -36,7 +36,7 @@
   - root_permissions_syslibrary_files
 
 - name: Find /lib64/ file(s) matching ^.*$ recursively
-  command: find -H /lib64/  -type f ! -group 0 -regex "^.*$"
+  command: find -H /lib64/  -type f ! -group 0 -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -73,7 +73,8 @@
   - root_permissions_syslibrary_files
 
 - name: Find /usr/lib/ file(s) matching ^.*$ recursively
-  command: find -H /usr/lib/  -type f ! -group 0 -regex "^.*$"
+  command: find -H /usr/lib/  -type f ! -group 0 -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -110,7 +111,8 @@
   - root_permissions_syslibrary_files
 
 - name: Find /usr/lib64/ file(s) matching ^.*$ recursively
-  command: find -H /usr/lib64/  -type f ! -group 0 -regex "^.*$"
+  command: find -H /usr/lib64/  -type f ! -group 0 -regextype posix-extended -regex
+    "^.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files
+++ xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files
@@ -3,4 +3,4 @@
 
 
 
-find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files
+++ xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files
@@ -1,6 +1,6 @@
 - name: Find /etc/httpd/conf.d/ file(s)
   command: find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type
-    f -regex "^.*$"
+    f -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files
+++ xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files
@@ -3,4 +3,4 @@
 
 
 
-find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files
+++ xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files
@@ -1,6 +1,6 @@
 - name: Find /etc/httpd/conf/ file(s)
   command: find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f
-    -regex "^.*$"
+    -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \;
+find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex '^.*_key$' -exec chgrp ssh_keys {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
@@ -1,5 +1,6 @@
 - name: Find /etc/ssh/ file(s) matching ^.*_key$
-  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex "^.*_key$"
+  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended
+    -regex "^.*_key$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.pub$' -exec chgrp 0 {} \;
+find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*\.pub$' -exec chgrp 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
@@ -1,5 +1,6 @@
 - name: Find /etc/ssh/ file(s) matching ^.*\.pub$
-  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.pub$"
+  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended
+    -regex "^.*\.pub$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \;
+find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*_key$' -exec chown 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -1,5 +1,6 @@
 - name: Find /etc/ssh/ file(s) matching ^.*_key$
-  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*_key$"
+  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+    -regex "^.*_key$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \;
+find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*\.pub$' -exec chown 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -1,5 +1,6 @@
 - name: Find /etc/ssh/ file(s) matching ^.*\.pub$
-  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.pub$"
+  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+    -regex "^.*\.pub$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
+find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regextype posix-extended -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
@@ -1,5 +1,6 @@
 - name: Find /etc/ssh/ file(s)
-  command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regex "^.*\.pub$"
+  command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regextype
+    posix-extended -regex "^.*\.pub$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
@@ -1,9 +1,9 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \;
+find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*audit(\.rules|d\.conf)$' -exec chgrp 0 {} \;
 
-find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.rules$' -exec chgrp 0 {} \;
+find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*\.rules$' -exec chgrp 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
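Review bot: this hunk is the actual fix for the reported failure, and both edits on the first `+` line are needed. In find's default dialect `(` and `|` are literal characters (grouping and alternation are spelled `\(`, `\)`, `\|`), so `^audit(\.rules|d\.conf)$` could only match a path containing literal parentheses; `-regextype posix-extended` turns them into grouping and alternation. Separately, `-regex` is matched against the whole path find would print (`/etc/audit/audit.rules`), not against the basename, so a pattern anchored at `^audit` matches nothing even as ERE; the added leading `.*` is what restores the match. Suggest a test scenario that also plants a decoy such as `audit.rules.bak` to confirm the trailing `$` still excludes it.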

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
@@ -10,8 +10,9 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
-  command: find -H /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex "^audit(\.rules|d\.conf)$"
+- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
+  command: find -H /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended
+    -regex "^.*audit(\.rules|d\.conf)$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -28,7 +29,7 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure group owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+- name: Ensure group owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
   file:
     path: '{{ item }}'
     group: '0'
@@ -48,7 +49,8 @@
   - no_reboot_needed
 
 - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
-  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.rules$"
+  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended
+    -regex "^.*\.rules$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -1,9 +1,9 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \;
+find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*audit(\.rules|d\.conf)$' -exec chown 0 {} \;
 
-find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \;
+find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*\.rules$' -exec chown 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -10,8 +10,9 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
-  command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex "^audit(\.rules|d\.conf)$"
+- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
+  command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+    -regex "^.*audit(\.rules|d\.conf)$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -28,7 +29,7 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+- name: Ensure owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
   file:
     path: '{{ item }}'
     owner: '0'
@@ -48,7 +49,8 @@
   - no_reboot_needed
 
 - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
-  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.rules$"
+  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+    -regex "^.*\.rules$"
   register: files_found
   changed_when: false
   failed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
@@ -1,9 +1,9 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*audit(\.rules|d\.conf)$' -exec chmod u-xs,g-xws,o-xwrt {} \;
 
-find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
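Review bot: unlike the two ownership rules above, the `-` lines here were already correct for find's default dialect (`\(`, `\|` are its grouping and alternation), so this rule matched before the change; what the hunk buys is one regex string shared by all three audit_configuration rules that is valid POSIX ERE and, per the discussion on this PR, the same string handed to the OVAL check. The added `^` is redundant in front of `.*` but harmless. The flip side: now that `-regextype posix-extended` precedes every `-regex`, the old escaped spelling would parse as literal `(` and `|` and silently match nothing, so any template or rule that still carries a backslash-escaped group should be grepped for before merge.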

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
@@ -11,8 +11,8 @@
   - no_reboot_needed
 
 - name: Find /etc/audit/ file(s)
-  command: find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex
-    ".*audit\(\.rules\|d\.conf\)$"
+  command: find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype
+    posix-extended -regex "^.*audit(\.rules|d\.conf)$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -50,7 +50,7 @@
 
 - name: Find /etc/audit/rules.d/ file(s)
   command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type
-    f -regex ".*\.rules$"
+    f -regextype posix-extended -regex "^.*\.rules$"
   register: files_found
   changed_when: false
   failed_when: false


github-actions bot commented May 28, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12029
This image was built from commit: 8797ca8


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12029

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12029 make deploy-local

@marcusburghardt marcusburghardt requested review from dodys and a team May 28, 2024 08:49
@jan-cerny
Collaborator

@marcusburghardt

I think the updated version is also wrong. The updated OVAL check contains \( which matches the ( literally. You can see in the OVAL results that it didn't find the /etc/audit/audit.rules and /etc/audit/auditd.conf which should be flagged by the checks. On the other hand, it seems to fix the failing test scenario because it changed the Bash remediation. I think the problem is that there needs to be a different type of regular expression in OVAL than in the bash find command that is used for the remediation. OVAL should contain PCRE where parenthesis mean optional match but find should contain Emacs regex where parenthesis mean literal parenthesis. But, we put the same string into both OVAL and Bash.

Also, take a look that there are multiple occurrences of this regex: file_groupownership_audit_configuration, file_ownership_audit_configuration, file_permissions_audit_configuration.

@marcusburghardt
Member Author

> @marcusburghardt
>
> I think the updated version is also wrong. The updated OVAL check contains \( which matches the ( literally. You can see in the OVAL results that it didn't find the /etc/audit/audit.rules and /etc/audit/auditd.conf which should be flagged by the checks. On the other hand, it seems to fix the failing test scenario because it changed the Bash remediation. I think the problem is that there needs to be a different type of regular expression in OVAL than in the bash find command that is used for the remediation. OVAL should contain PCRE where parenthesis mean optional match but find should contain Emacs regex where parenthesis mean literal parenthesis. But, we put the same string into both OVAL and Bash.
>
> Also, take a look that there are multiple occurrences of this regex: file_groupownership_audit_configuration, file_ownership_audit_configuration, file_permissions_audit_configuration.

Yes, the original issue was in the find command used in the Bash remediation. If this breaks the OVAL, we need to find another solution. : (

This regex was not matching the files as expected. After some minor
changes with escapes, it is working.
@marcusburghardt marcusburghardt force-pushed the file_ownership_audit_configuration_regex branch from 6dac78e to 40f2361 Compare May 28, 2024 21:19
@marcusburghardt
Member Author

It should be fine now. More details in the last commit message.

@marcusburghardt marcusburghardt added the Update Template Issues or pull requests related to Templates updates. label May 28, 2024
@marcusburghardt
Member Author

/packit test

@marcusburghardt
Member Author

/packit build

Using escaping resolved the issue with find but created an issue with
OVAL. Therefore, the escaping was removed to preserve the OVAL behavior
and the file_owner template was updated to specify a more robust regex
type for the find command.
@marcusburghardt marcusburghardt force-pushed the file_ownership_audit_configuration_regex branch from 40f2361 to b9432e0 Compare May 29, 2024 09:40
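Jan's point above (the same regex string is read as PCRE by OVAL but as an Emacs-style regex by find's default dialect) and the resolution in the commit message (keep the unescaped string, have the template emit `-regextype` for find) can both be reproduced locally. What follows is an added example written for this page, not code from the ComplianceAsCode PR or project: it builds a throwaway directory standing in for /etc/audit and counts what each variant of the regex matches. The function names (`make_fixture`, `count_matches`, `before_fix`, ...) and the decoy file are this example's own; it requires GNU findutils and never touches the real /etc/audit.

```shell
#!/bin/sh
# Added example for this thread (not code from the ComplianceAsCode PR): it
# reproduces, on a constructed directory, why '^audit(\.rules|d\.conf)$' matched
# nothing under GNU find's default regex dialect, and what each candidate fix
# does. All function names here are this example's own. Requires GNU findutils.
set -eu

# Create a throwaway stand-in for /etc/audit: the two files the rule must
# catch, plus a decoy with a trailing suffix that the '$' anchor must reject.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/audit.rules"
    : > "$d/auditd.conf"
    : > "$d/audit.rules.bak"   # decoy: must never be matched
    printf '%s\n' "$d"
}

# count_matches DIR REGEX [REGEXTYPE]
# Number of regular files directly under DIR whose full path matches REGEX.
# When REGEXTYPE is given it is passed via -regextype, which is positional
# in GNU find and therefore has to appear before -regex.
count_matches() {
    if [ $# -ge 3 ]; then
        find "$1" -maxdepth 1 -type f -regextype "$3" -regex "$2"
    else
        find "$1" -maxdepth 1 -type f -regex "$2"
    fi | wc -l | tr -d ' '
}

# 1. The pattern before the PR, default dialect: '(' and '|' are literal, and
#    find matches the whole path (e.g. /tmp/x/audit.rules), so '^audit' cannot
#    match either. Expected: 0.
before_fix() { count_matches "$1" '^audit(\.rules|d\.conf)$'; }

# 2. Leading '.*' restored but still the default dialect: the path anchoring
#    is fixed, the parentheses are still literal. Expected: 0.
path_fixed_only() { count_matches "$1" '^.*audit(\.rules|d\.conf)$'; }

# 3. The PR's final form: the same string parsed as POSIX ERE. Expected: 2.
after_fix() { count_matches "$1" '^.*audit(\.rules|d\.conf)$' posix-extended; }

# 4. The escaped form the permissions template used to emit: correct for the
#    default dialect, but not a string the OVAL (PCRE) check can share.
#    Expected: 2.
escaped_default() { count_matches "$1" '.*audit\(\.rules\|d\.conf\)$'; }

# 5. The escaped form under posix-extended: '\(' is now a literal '(', so the
#    old string silently stops matching if -regextype is added without also
#    rewriting the regex. Expected: 0.
escaped_extended() { count_matches "$1" '.*audit\(\.rules\|d\.conf\)$' posix-extended; }

demo() {
    d=$(make_fixture)
    printf 'before_fix         %s\n' "$(before_fix "$d")"
    printf 'path_fixed_only    %s\n' "$(path_fixed_only "$d")"
    printf 'after_fix          %s\n' "$(after_fix "$d")"
    printf 'escaped_default    %s\n' "$(escaped_default "$d")"
    printf 'escaped_extended   %s\n' "$(escaped_extended "$d")"
    rm -rf "$d"
}

demo
```

Running it prints 0, 0, 2, 2, 0 in that order. Cases 4 and 5 are the reason the regex string and the `-regextype` flag have to change together in the template: each string is only correct for one dialect, and the generated Bash and Ansible output must agree with whatever dialect the OVAL side assumes.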
@marcusburghardt
Member Author

I just force-pushed to re-trigger some stalled testing-farm CI tests.

@jan-cerny
Collaborator

@marcusburghardt There is the same regex also in file_groupownership_audit_configuration and file_permissions_audit_configuration. Can you check if we need to change these rules as well?

@marcusburghardt
Member Author

marcusburghardt commented May 30, 2024

> file_groupownership_audit_configuration

Thanks for noticing this. I updated them in fe7a5ea. But hold a little until I finish the tests, please.

Align the templates file_groupowner and file_permissions with the
changes in file_owner.
@marcusburghardt
Member Author

> file_groupownership_audit_configuration
>
> Thanks for noticing this. I updated them in fe7a5ea. But hold a little until I finish the tests, please.

Should be ok now. My local tests are green for these three rules.


codeclimate bot commented May 30, 2024

Code Climate has analyzed commit 8797ca8 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


Contributor

@dodys dodys left a comment


lgtm, thanks!

@jan-cerny jan-cerny self-assigned this May 31, 2024
@jan-cerny jan-cerny merged commit 50b89f8 into ComplianceAsCode:master May 31, 2024
113 checks passed
@marcusburghardt marcusburghardt deleted the file_ownership_audit_configuration_regex branch May 31, 2024 12:14