Add automatic detection of platform_package_overrides when using automatus #9897
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @litios. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel7 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the trimmed diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -18,8 +18,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- NIST-800-53-AC-2(4)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Traverse all of:
#
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -22,8 +22,8 @@
patterns: '*.rules'
register: find_rules_d
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']
}}'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
@@ -74,8 +74,8 @@
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27097-5
- CJIS-5.4.1.1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -23,8 +23,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27168-4
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
patterns: '*.rules'
register: find_watch_key
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -71,8 +71,8 @@
all_files:
- /etc/audit/rules.d/MAC-policy.rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -95,8 +95,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -121,8 +121,8 @@
create: true
mode: '0640'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -147,8 +147,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27168-4
- CJIS-5.4.1.1
@@ -172,8 +172,8 @@
create: true
mode: '0640'
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -22,8 +22,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27447-2
- CJIS-5.4.1.1
@@ -162,8 +162,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-27447-2
- CJIS-5.4.1.1
@@ -302,8 +302,8 @@
state: present
when: syscalls_found | length == 0
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-27447-2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -21,8 +21,8 @@
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -162,8 +162,8 @@
state: present
when: syscalls_found | length == 0
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -303,8 +303,8 @@
state: present
when: syscalls_found | length == 0
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-27076-9
@@ -329,8 +329,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -354,8 +354,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -380,8 +380,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -405,8 +405,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -432,8 +432,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -459,8 +459,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -485,8 +485,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -512,8 +512,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -537,8 +537,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -563,8 +563,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -588,8 +588,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -615,8 +615,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -642,8 +642,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -668,8 +668,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -695,8 +695,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -720,8 +720,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -746,8 +746,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -771,8 +771,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -798,8 +798,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -825,8 +825,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -851,8 +851,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -878,8 +878,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -903,8 +903,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -929,8 +929,8 @@
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -954,8 +954,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -981,8 +981,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -1008,8 +1008,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27076-9
- CJIS-5.4.1.1
@@ -1034,8 +1034,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -23,8 +23,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -47,8 +47,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -71,8 +71,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -95,8 +95,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -121,8 +121,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -147,8 +147,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -172,8 +172,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -198,8 +198,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -222,8 +222,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -246,8 +246,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -270,8 +270,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -296,8 +296,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -322,8 +322,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -347,8 +347,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
@@ -373,8 +373,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -397,8 +397,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -421,8 +421,8 @@
all_files:
- /etc/audit/rules.d/session.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -445,8 +445,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -471,8 +471,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -497,8 +497,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27301-1
- CJIS-5.4.1.1
@@ -522,8 +522,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -20,8 +20,8 @@
- name: Service facts
service_facts: null
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
@@ -42,8 +42,8 @@
command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
register: check_rules_scripts_result
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
@@ -68,8 +68,8 @@
- -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
- -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
tags:
- CCE-83555-3
- DISA-STIG-RHEL-07-030360
@@ -92,8 +92,8 @@
line: '{{ item }}'
create: true
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"augenrules" in check_rules_scripts_result.stdout'
register: augenrules_audit_rules_privilege_function_update_result
@@ -120,8 +120,8 @@
line: '{{ item }}'
create: true
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"auditctl" in check_rules_scripts_result.stdout'
register: auditctl_audit_rules_privilege_function_update_result
@@ -145,8 +145,8 @@
- name: Restart Auditd
command: /usr/sbin/service auditd restart
when:
+ - '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
- (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
- ansible_facts.services["auditd.service"].state == "running"
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -27,8 +27,8 @@
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27461-3
- CJIS-5.4.1.1
@@ -55,8 +55,8 @@
patterns: '*.rules'
register: find_watch_key
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -83,8 +83,8 @@
all_files:
- /etc/audit/rules.d/actions.rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -111,8 +111,8 @@
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
@@ -141,8 +141,8 @@
create: true
mode: '0640'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
@@ -171,8 +171,8 @@
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-27461-3
- CJIS-5.4.1.1
@@ -200,8 +200,8 @@
create: true
mode: '0640'
w
... The diff is trimmed here ... |
|
I like this solution more than the macros solution I proposed in #9869 (comment). The only thing here is that there would be an implicit behavior for the packages defined in the metadata, meaning that what you see is not what gets used by the system, for example if you specify a package it can be replaced by some other package during the runtime if the platform package overrides contain a matching package. This solution is definitely more clean but we have to keep this in mind. Maybe some form of the documentation can also be included to at least record this information. https://github.com/ComplianceAsCode/content/blame/master/tests/README.md#L168 |
|
Hey David, thanks for handling this! Just a small request to improve maintenance, could you please break the first commit into two, one commit just for the test_suite code changes, and a second commit with just the test fixes? Thanks in advance |
|
I also agree with the need for documentation. Also, please fix the issues reported by Code Climate. |
litios
force-pushed
the
master
branch
2 times, most recently
from
6ee8dd0
to
f57fbbf
Compare
|
Thanks everyone for the input! I broke the first commit as suggested by @dodys, provided documentation and fixed the codeclimate issues. |
|
Code Climate has analyzed commit 8787b02 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 48.6% (0.0% change). View more on Code Climate. |
freddieRv
approved these changes
Nov 29, 2022
ggbecker
approved these changes
Nov 29, 2022
ggbecker
added
Highlight
vojtapolasek
removed
the
Highlight
alanmcanonical
pushed a commit
to alanmcanonical/CaC_content
that referenced
this pull request
Aug 14, 2024
Too many disruptive changes to cherry pick. Only in master: - 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt] - 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub] - 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing] - 2804dfb|2023-10-17|2023-10-18 Add rule for RHEL-09-654080 [Matthew Burket] - 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le] - c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek] - bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek] - 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing] - ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala] - 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar] - 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket] - acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub] - 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair] - d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair] - 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek] - 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket] - e3886d4|2023-01-19|2023-01-19 Include CIS RHEL9 reference in Logging related rules [Marcus Burghardt] - 9f273f2|2022-12-08|2022-12-14 ubuntu2204: cis_level2_server: Add cis references [Eduardo Barretto] - 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub] - 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez] - 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek] - 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li] - 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket] - e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket] - fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar] - 95f767a|2022-08-19|2022-08-22 Tag Ubuntu CIS reference for 22.04 [Juan Antonio Osorio] - 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio] - 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez] - a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato] - b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li] - 95cfa85|2022-07-15|2022-07-15 Update RHEL8 CIS refereces for logging and auditing rules [Marcus Burghardt] - 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket] - 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar] - 7a25ff4|2022-04-15|2022-06-08 products/alinux2 && controls: Add CIS Alibaba Cloud Linux (Aliyun Linux) 2 profiles [YiLin.Li] - 32c8074|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_init [Matthew Burket] - fa81eb1|2022-04-06|2022-04-06 Merge pull request ComplianceAsCode#8327 from Xeicker/ol08-00-030390 [GitHub] - c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar] - de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar] - 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar] - fa8680a|2022-03-22|2022-03-22 Group init_module and finit_module audit rules. [Yavor Georgiev] - c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar] - a62d887|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030360 [Edgar Aguilar] - fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez] - f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez] - a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket] - f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno] - 5ad8290|2021-08-20|2021-09-08 Completed CIS Chapters 4-6 Build currently failing. [Nico Truzzolino] - 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal] Only in focal: - 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical] - f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical] - 60345d7|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa] - 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
alanmcanonical
pushed a commit
to alanmcanonical/CaC_content
that referenced
this pull request
Aug 14, 2024
Too many disruptive changes to cherry pick. Only in master: - 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt] - 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub] - 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing] - 0bc66b3|2023-09-21|2023-10-18 Add RHEL 9 STIG IDs [Matthew Burket] - 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le] - c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek] - bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek] - 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing] - ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala] - 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar] - 6f8a2ee|2023-04-25|2023-04-27 Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 [Marcus Burghardt] - 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket] - acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub] - 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair] - d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair] - 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek] - 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket] - b77974c|2023-02-09|2023-02-14 Fix `>` to `>` for audit rules in RHEL 9 STIG [Matthew Burket] - 45f48ce|2023-02-06|2023-02-14 Escape < and > in product specific content [Matthew Burket] - 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub] - 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez] - 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek] - 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li] - 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket] - e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket] - fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar] - 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio] - 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez] - a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato] - b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li] - f035005|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux2 full name error [YiLin.Li] - 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket] - 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar] - 763df44|2022-05-09|2022-06-16 Clean and update OL8 STIG profile [Edgar Aguilar] - 870a7f0|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_finit [Matthew Burket] - c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar] - de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar] - 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar] - c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar] - c04d0fa|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030380 [Edgar Aguilar] - d3756a7|2022-02-15|2022-02-15 Group RHEL7 STIG audit rules. [Gabriel Becker] - dd8af26|2022-02-07|2022-02-08 Assign single STIGID to multiples syscalls rules of *init group. [Gabriel Becker] - d29079c|2022-02-03|2022-02-04 Update STIG IDs to meet ol7 v2r6 [Edgar Aguilar] - fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez] - f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez] - a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket] - f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno] - 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal] Only in focal: - 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical] - f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical] - 9fbf7c4|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa] - 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
platform_package_overridesproduct section when using automatus for rule testing.Rationale:
Before performing the install step when testing a rule, ensure that the package is not listed under
platform_package_overrides. In case it is, replace the package to install with the one specified inplatform_package_overrides.Fixes platform_package_overrides not working with automatus #9869
Review Hints: