enhance the grub2_argument template to cover more use cases #12375
…er/entries and options in grubenv These options do not make sense separately.
… argument parsing in RHEL 8
Skipping CI for Draft Pull Request.
For the rule grub2_audit_argument the test scenarios arg_not_in_entries.fail.sh and wrong_value_entries.fail.sh fail on RHEL 8. They pass on RHEL 9. However, I'm surprised that these test scenarios pass for other rules that use the same template, e.g. grub2_spectre_v2_argument.
Can you take a look into this problem?
See the Automatus output:
jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --datastream build/ssg-rhel8-ds.xml --libvirt qemu:///system ssgts_rhel8 grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-13-1346/test_suite.log
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script correct_value_noupdate.fail.sh is not applicable on given platform
WARNING - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault.fail.sh is not applicable on given platform
WARNING - Script correct_recovery_disabled.pass.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefaultgrub.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script correct_value_mix_entries_and_grubenv.pass.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
ERROR - Script wrong_value_entries.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
INFO - Script arg_not_in_grubenv_and_not_referenced.pass.sh using profile (all) OK
INFO - Script correct_value_grubenv_only.pass.sh using profile (all) OK
ERROR - Script arg_not_in_entries.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
INFO - Script arg_not_in_grubenv_but_referenced.fail.sh using profile (all) OK
INFO - Script wrong_value_grubenv.fail.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script double_value_rhel8.fail.sh using profile (all) OK
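As an added example (not code from this PR or from ComplianceAsCode), a small POSIX shell checker for the argument states the scenario names above exercise in /etc/default/grub and in grubenv kernelopts: missing, wrong value, duplicated value, and whole-word matching so that `noaudit=1` or `audit=10` do not count as `audit=1` (which I assume is what the substring scenarios cover). The file contents and paths are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the PR or from ComplianceAsCode: a minimal checker
# for one kernel argument in the two files the grub2_argument scenarios exercise.
# It classifies the argument as ok, missing, wrong_value or double_value, and
# compares whole words, so "noaudit=1" or "audit=10" do not match "audit=1".
set -f   # no globbing while the command line is word-split below

# grub_cmdline FILE [VAR]: print the quoted value of VAR (default GRUB_CMDLINE_LINUX)
# from a /etc/default/grub-style file.
grub_cmdline() {
    var=${2:-GRUB_CMDLINE_LINUX}
    sed -n "s/^$var=\"\(.*\)\"\$/\1/p" "$1"
}

# grubenv_kernelopts FILE: print the kernelopts= value from a grubenv-style file.
grubenv_kernelopts() {
    sed -n 's/^kernelopts=\(.*\)$/\1/p' "$1"
}

# check_arg CMDLINE NAME VALUE: whole-word comparison on a space-separated command
# line (quoted values containing spaces are not handled).
check_arg() {
    cmdline=$1 name=$2 value=$3
    count=0 match=0
    for word in $cmdline; do
        case $word in
            "$name="*)
                count=$((count + 1))
                if [ "$word" = "$name=$value" ]; then match=1; fi
                ;;
        esac
    done
    if [ "$count" -eq 0 ]; then echo missing
    elif [ "$count" -gt 1 ]; then echo double_value
    elif [ "$match" -eq 1 ]; then echo ok
    else echo wrong_value
    fi
}

# Constructed sample files standing in for /etc/default/grub and /boot/grub2/grubenv.
tmp=$(mktemp -d)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=1"\n' > "$tmp/grub"
printf 'saved_entry=0\nkernelopts=root=/dev/mapper/rhel-root ro audit=0 audit=1\n' > "$tmp/grubenv"
echo "/etc/default/grub: $(check_arg "$(grub_cmdline "$tmp/grub")" audit 1)"
echo "grubenv kernelopts: $(check_arg "$(grubenv_kernelopts "$tmp/grubenv")" audit 1)"
rm -rf "$tmp"
```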
# platform = Oracle Linux 7 | ||
# Removes audit argument from kernel command line in /etc/default/grub | ||
if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then | ||
sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' | ||
# Removes the argument from kernel command line in /etc/default/grub |
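Review bot: the scenario only edits GRUB_CMDLINE_LINUX_DEFAULT (both the grep on the `if` line and the sed below it), so on a system where the audit argument lives in GRUB_CMDLINE_LINUX the removal silently does nothing and this .fail.sh scenario would then be asserting against an unchanged configuration; either match both variables or add a comment stating why only the _DEFAULT variable is relevant for this platform. The replacement `\1 \2` also leaves extra whitespace behind where the argument was; `\1\2` would keep the line clean.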
This test scenario is only for Oracle Linux 7. Have you tested your change on OL 7? Would it make sense to extend the scenario to other operating systems?
I think I resolved it in the latest force push. I made most of the tests that were moved from grub2_audit_argument applicable to all platforms, because checking /etc/default/grub is relevant for all products.
Some of those scenarios were moved to the folder with template test scenarios in the previous commit. Also make some scenarios applicable to all platforms, especially those which check configuration in /etc/default/grub, because these are common for all products.
# configure the argument in kernel command line in /boot/grub2/grubenv | ||
#file="/boot/grub2/grubenv" | ||
#if grep -q '^.*{{{ARG_NAME}}}=.*' "$file"; then | ||
# modify the GRUB command-line if the arg already exists | ||
# sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME_VALUE}}} \2/' "$file" | ||
#else | ||
# no arg is present, append it | ||
# sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME_VALUE}}}/' "$file" | ||
#fi | ||
|
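Review bot: the entire grubenv block here is commented out, so it ships as dead code in the template's shared test setup and should be deleted rather than left in place; git history keeps it if the grubenv path is needed again. If it is kept, the two branches should at least state in their comments which platforms still carry kernelopts in grubenv, since the rest of the scenario set now distinguishes grubenv from BLS entries.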
it probably should be removed instead of having it commented out
Fixed in the latest commit.
In the past, the script seemed to be here to help prepare the environment in containers. However, as the complexity of this template increases, I decided to rewrite the script to prepare a uniform environment in any case.
Code Climate has analyzed commit c3b668f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.5% (0.0% change). View more on Code Climate.
@jan-cerny I refactored tests. I rewrote the common.sh script so that it prepares a clean environment in any case. Other scenarios can therefore be simpler.
The tests of rule grub2_audit_argument are passing now for RHEL 8 and RHEL 9 with both Ansible and Bash remediations.
jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --datastream build/ssg-rhel9-ds.xml grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-23-0927/test_suite.log
WARNING - Script correct_value_mix_entries_and_grubenv.pass.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script arg_not_in_grubenv_but_referenced.fail.sh is not applicable on given platform
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script correct_value_grubenv_only.pass.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script wrong_value_grubenv.fail.sh is not applicable on given platform
WARNING - Script arg_not_in_grubenv_and_not_referenced.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script double_value_rhel8.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script invalid_rescue.pass.sh using profile (all) OK
INFO - Script wrong_value_entries.fail.sh using profile (all) OK
INFO - Script correct_value_noupdate.fail.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script arg_not_in_entries.fail.sh using profile (all) OK
INFO - Script wrong_value_etcdefault.fail.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --datastream build/ssg-rhel8-ds.xml grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-23-0932/test_suite.log
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script wrong_value_etcdefault.fail.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_in_grubenv_and_not_referenced.pass.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script correct_value_grubenv_only.pass.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script correct_value_noupdate.fail.sh using profile (all) OK
INFO - Script arg_not_in_entries.fail.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script wrong_value_grubenv.fail.sh using profile (all) OK
INFO - Script wrong_value_entries.fail.sh using profile (all) OK
INFO - Script correct_value_mix_entries_and_grubenv.pass.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script arg_not_in_grubenv_but_referenced.fail.sh using profile (all) OK
INFO - Script double_value_rhel8.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using ansible grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-23-0942/test_suite.log
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script arg_not_in_grubenv_but_referenced.fail.sh is not applicable on given platform
WARNING - Script arg_not_in_grubenv_and_not_referenced.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script correct_value_grubenv_only.pass.sh is not applicable on given platform
WARNING - Script correct_value_mix_entries_and_grubenv.pass.sh is not applicable on given platform
WARNING - Script wrong_value_grubenv.fail.sh is not applicable on given platform
WARNING - Script double_value_rhel8.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script invalid_rescue.pass.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script wrong_value_entries.fail.sh using profile (all) OK
INFO - Script arg_not_in_entries.fail.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script correct_value_noupdate.fail.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefault.fail.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --datastream build/ssg-rhel8-ds.xml --remediate-using ansible grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-23-0947/test_suite.log
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script correct_value_mix_entries_and_grubenv.pass.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefault.fail.sh using profile (all) OK
INFO - Script correct_value_noupdate.fail.sh using profile (all) OK
INFO - Script arg_not_in_grubenv_and_not_referenced.pass.sh using profile (all) OK
INFO - Script wrong_value_grubenv.fail.sh using profile (all) OK
INFO - Script correct_value_grubenv_only.pass.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script wrong_value_entries.fail.sh using profile (all) OK
INFO - Script arg_not_in_entries.fail.sh using profile (all) OK
INFO - Script arg_not_in_grubenv_but_referenced.fail.sh using profile (all) OK
INFO - Script double_value_rhel8.fail.sh using profile (all) OK