Improve remediation for enable_authselect #12038
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a supportive rule intended to ensure authselect is used in a system, specially in fresh installations in some specific scenarios where authselect is not enabled by default. In this case, the preferred profile is selected. However, in a scenario where a custom profile is used, even based on the preferred profile, this rule would move again from the custom profile to the preferred profile. This is usually not a desired bahavior because may cause inconsistencies between the profiles since custom profiles are usually there because a requirement cannot be satisfied by a default profile.
Avoid showing task as changed when nothing was actually changed.
marcusburghardt
added
bugfix
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_authselect' differs.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -2,12 +2,16 @@
var_authselect_profile=''
-authselect select "$var_authselect_profile"
+authselect current
if test "$?" -ne 0; then
- if rpm --quiet --verify pam; then
- authselect select --force "$var_authselect_profile"
- else
- echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
+ authselect select "$var_authselect_profile"
+
+ if test "$?" -ne 0; then
+ if rpm --quiet --verify pam; then
+ authselect select --force "$var_authselect_profile"
+ else
+ echo "authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced." >&2
+ fi
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_authselect' differs.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -4,10 +4,11 @@
tags:
- always
-- name: Enable authselect - Select authselect profile
+- name: Enable authselect - Check Current authselect Profile
ansible.builtin.command:
- cmd: authselect select "{{ var_authselect_profile }}"
- register: result_authselect_select
+ cmd: authselect current
+ register: result_authselect_current
+ changed_when: false
failed_when: false
tags:
- CCE-88248-0
@@ -20,12 +21,13 @@
- medium_severity
- no_reboot_needed
-- name: Enable authselect - Verify if PAM has been altered
+- name: Enable authselect - Try to Select an authselect Profile
ansible.builtin.command:
- cmd: rpm -qV pam
- register: result_altered_authselect
+ cmd: authselect select "{{ var_authselect_profile }}"
+ register: result_authselect_select
+ changed_when: result_authselect_select.rc == 0
failed_when: false
- when: result_authselect_select.rc != 0
+ when: result_authselect_current.rc != 0
tags:
- CCE-88248-0
- NIST-800-53-AC-3
@@ -37,14 +39,15 @@
- medium_severity
- no_reboot_needed
-- name: Enable authselect - Informative message based on the authselect integrity
- check
- ansible.builtin.assert:
- that:
- - result_altered_authselect is skipped or result_altered_authselect.rc == 0
- fail_msg:
- - Files in the 'pam' package have been altered, so the authselect configuration
- won't be forced.
+- name: Enable authselect - Verify If pam Has Been Altered
+ ansible.builtin.command:
+ cmd: rpm -qV pam
+ register: result_altered_authselect
+ changed_when: false
+ failed_when: false
+ when:
+ - result_authselect_select is not skipped
+ - result_authselect_select.rc != 0
tags:
- CCE-88248-0
- NIST-800-53-AC-3
@@ -56,12 +59,14 @@
- medium_severity
- no_reboot_needed
-- name: Enable authselect - Force authselect profile select
- ansible.builtin.command:
- cmd: authselect select --force "{{ var_authselect_profile }}"
- when:
- - result_authselect_select.rc != 0
- - result_altered_authselect is skipped or result_altered_authselect.rc == 0
+- name: Enable authselect - Informative Message Based on authselect Integrity Check
+ ansible.builtin.assert:
+ that:
+ - result_authselect_current.rc == 0 or result_altered_authselect is skipped or
+ result_altered_authselect.rc == 0
+ fail_msg:
+ - authselect is not used but files from the 'pam' package have been altered, so
+ the authselect configuration won't be forced.
tags:
- CCE-88248-0
- NIST-800-53-AC-3
@@ -72,3 +77,21 @@
- medium_disruption
- medium_severity
- no_reboot_needed
+
+- name: Enable authselect - Force authselect Profile Selection
+ ansible.builtin.command:
+ cmd: authselect select --force "{{ var_authselect_profile }}"
+ when:
+ - result_authselect_current.rc != 0
+ - result_authselect_select.rc != 0
+ - result_altered_authselect.rc == 0
+ tags:
+ - CCE-88248-0
+ - NIST-800-53-AC-3
+ - PCI-DSSv4-8.3.4
+ - configure_strategy
+ - enable_authselect
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed |
|
Change in Ansible Please consider using more suitable Ansible module than |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 4f3deb2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
/packit build |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This is a supportive rule intended to ensure
authselectis used in a system, specially in fresh installations in some specific scenarios whereauthselectis not enabled by default. In this case, the preferred profile is selected.However, in a scenario where a custom profile is used, even when based on the preferred profile, this rule would move again from the custom profile to the preferred profile. This is usually not a desired behavior because may cause inconsistencies between the profiles.
Custom profiles are usually there because a requirement cannot be satisfied by a default profile.
Rationale:
Review Hints:
CI tests in containers are expected to fail because the containers usually don't use authselect.
The simplest test is to ensure authselect is enabled with some features.
Then execute the
enable_authselectremediation informing a different profile forvar_authselect_profilevariable.A hint is to build the content, copy and edit the
enable_authselect.ymlPlaybook and execute it directly.Edit the Playbook to make it executable directly via
ansible-playbook. Here is an example:Then execute it in a VM.
Check the authselect settings on the VM.