Include dracut filter to audit_rules_privileged_commands #11246
The logic implemented in OVAL already prevents failures when there are more audit rules than privileged commands in the system. One valid case is when a package including privileged commands is removed from the system. The audit rule will remain there, but the commands are no longer present in the system. This is a valid case and the check should not fail. A test scenario was included for this case.
During tests it was noticed that dracut creates random temporary files which impacts the OVAL assessment during the system installation or after rebooting the system. This test scenario simulates a situation where the audit rules are properly created and then some dracut files are included in the system.
Code Climate has analyzed commit 17edecc and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%.
/packit build
The Automatus CI jobs run all the scenarios as notapplicable, therefore I executed them locally against a virtual machine back end and they pass.
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-0949/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1034/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1055/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1116/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1136/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11246) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --remediate-using ansible audit_rules_privileged_commands
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-06-1151/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
INFO - Script auditctl_default.fail.sh using profile (all) OK
INFO - Script auditctl_missing_rule.fail.sh using profile (all) OK
INFO - Script auditctl_one_rule.fail.sh using profile (all) OK
INFO - Script auditctl_rules_configured.pass.sh using profile (all) OK
INFO - Script auditctl_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_default.fail.sh using profile (all) OK
INFO - Script augenrules_duplicated.fail.sh using profile (all) OK
INFO - Script augenrules_missing_rule.fail.sh using profile (all) OK
INFO - Script augenrules_one_rule.fail.sh using profile (all) OK
INFO - Script augenrules_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_configured_mixed_keys.pass.sh using profile (all) OK
INFO - Script augenrules_rules_without_perm_x.pass.sh using profile (all) OK
INFO - Script augenrules_two_rules_mixed_keys.fail.sh using profile (all) OK
INFO - Script augenrules_two_rules_sep_files.fail.sh using profile (all) OK
INFO - Script rules_with_own_key.pass.sh using profile (all) OK
INFO - Script augenrules_extra_rules_configured.pass.sh using profile (all) OK
INFO - Script augenrules_rules_ignore_dracut_tmp.pass.sh using profile (all) OK
This strange fail has been caused by Dracut temporary files but in ComplianceAsCode/content#11246 we blocked these files in the OVAL, so now the rule won't fail randomly and therefore we don't need the waiver. Related to: https://issues.redhat.com/browse/RHEL-11938
Description:
During tests it was noticed that dracut creates random temporary files which impacts the OVAL assessment during the system installation or after rebooting the system. The OVAL was extended to filter out dracut temporary files. New test scenarios were included.
Rationale:
Review Hints:
Automatus tests should be enough.
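The check behaviour discussed in this pull request, sketched as an added Python example (it is not the project's OVAL or any code from the PR): privileged files without an audit rule fail the check, rules left behind for removed commands are tolerated, and dracut temporary files are filtered out before the comparison. The `/var/tmp/dracut.*` pattern, the rule syntax parsed here and all sample paths are assumptions constructed for illustration.

```python
import re

# Assumption: dracut stages initramfs content in mktemp-style directories
# such as /var/tmp/dracut.XXXXXX. The pattern the PR's OVAL filter really
# uses is not shown on this page.
DRACUT_TMP = re.compile(r"^/var/tmp/dracut\.[^/]+/")

# Extracts the watched path from an "-a always,exit ... -F path=..." rule.
RULE_PATH = re.compile(r"^-a\s+always,exit\s.*?-F\s+path=(\S+)")

# Constructed sample: setuid/setgid files as a filesystem scan might report
# them, including one copy inside a dracut staging directory.
SAMPLE_PRIVILEGED = [
    "/usr/bin/sudo",
    "/usr/bin/passwd",
    "/var/tmp/dracut.Ab12Cd/initramfs/usr/bin/mount",
]

# Constructed sample: /usr/bin/at belongs to a package that was removed,
# so its rule no longer matches any file on the system.
SAMPLE_RULES = """
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
"""


def audited_paths(rules_text):
    """Return the set of file paths covered by audit rules in rules_text."""
    paths = set()
    for line in rules_text.splitlines():
        match = RULE_PATH.match(line.strip())
        if match:
            paths.add(match.group(1))
    return paths


def assess(privileged_files, rules_text, ignore_dracut=True):
    """Return (result, missing, stale) for the privileged-commands check."""
    in_scope = set(privileged_files)
    if ignore_dracut:
        in_scope = {p for p in in_scope if not DRACUT_TMP.match(p)}
    audited = audited_paths(rules_text)
    missing = sorted(in_scope - audited)  # privileged file with no rule: fail
    stale = sorted(audited - in_scope)    # rule for a removed command: tolerated
    return ("pass" if not missing else "fail", missing, stale)


if __name__ == "__main__":
    print(assess(SAMPLE_PRIVILEGED, SAMPLE_RULES))
    print(assess(SAMPLE_PRIVILEGED, SAMPLE_RULES, ignore_dracut=False))
```

With `ignore_dracut=False` the same system fails only because of the transient dracut copy, which is the intermittent failure the PR addresses.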