Stabilization: Make Ansible remediation less prone to fatal errors #9911
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chgrp 0 /boot/efi/EFI/redhat/grub.cfg
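Review bot: both the removed and the added condition test `[ -f /sys/firmware/efi ]`, but /sys/firmware/efi is a directory on a UEFI-booted kernel, so `-f` is false there and this remediation is skipped exactly where it should apply, while the Ansible counterpart keys off `"/boot/efi" in ansible_mounts` and does run; `[ -d /sys/firmware/efi ]` would match. The same test is carried through the five bash hunks for the other efi_* rules below. The reordering itself is behaviourally neutral because `&&` short-circuits either way.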
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85915-7
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
group: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chgrp 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86012-2
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/user.cfg
group: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chown 0 /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85913-2
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
owner: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chown 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -20,8 +20,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86021-3
@@ -42,8 +42,8 @@
path: /boot/efi/EFI/redhat/user.cfg
owner: '0'
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -18,8 +18,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85912-4
@@ -38,8 +38,8 @@
path: /boot/efi/EFI/redhat/grub.cfg
mode: u-s,g-xwrs,o-xwrt
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chmod u-xs,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -18,8 +18,8 @@
path: /boot/efi/EFI/redhat/user.cfg
register: file_exists
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86028-8
@@ -38,8 +38,8 @@
path: /boot/efi/EFI/redhat/user.cfg
mode: u-xs,g-xwrs,o-xwrt
when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
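Review bot: the bash remediation still hands /etc/grub2.cfg, /etc/default/grub and the /etc/grub.d/* glob to `sed -i` unconditionally, while the Ansible tasks for the same rule now stat each file first; on a host where one of those paths is missing GNU sed prints "can't read ..." and exits non-zero even though the other files were edited, so the two remediations would disagree about success in the exact situation this PR addresses. Suggest guarding each path with `[ -f ]`, or looping over the candidates and skipping absent ones. Minor: the new platform condition is wrapped in `{ rpm --quiet -q grub2-common; }`; the braces are harmless but unneeded for a single command.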
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1,10 +1,6 @@
-- name: Find /etc/grub.d/ files
- find:
- paths:
- - /etc/grub.d/
- follow: true
- register: grub
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-80827-9
- NIST-800-171-3.1.2
@@ -18,15 +14,15 @@
- no_reboot_needed
- restrict_strategy
-- name: Ensure SELinux Not Disabled in grub files
- replace:
- dest: '{{ item.path }}'
- regexp: (selinux|enforcing)=0
- with_items:
- - '{{ grub.files }}'
- - path: /etc/grub2.cfg
- - path: /etc/default/grub
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files
+ ansible.builtin.find:
+ paths:
+ - /etc/grub.d/
+ follow: true
+ register: result_grub_d
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
tags:
- CCE-80827-9
- NIST-800-171-3.1.2
@@ -39,3 +35,112 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/grub.d/ files
+ ansible.builtin.replace:
+ dest: '{{ item.path }}'
+ regexp: (selinux|enforcing)=0
+ with_items:
+ - '{{ result_grub_d.files }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/grub2.cfg
+ exists
+ ansible.builtin.stat:
+ path: /etc/grub2.cfg
+ register: result_grub2_cfg_present
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/default/grub
+ exists
+ ansible.builtin.stat:
+ path: /etc/default/grub
+ register: result_default_grub_present
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/grub2.cfg
+ ansible.builtin.replace:
+ dest: /etc/grub2.cfg
+ regexp: (selinux|enforcing)=0
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ - result_grub2_cfg_present.stat.exists
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/default/grub
+ ansible.builtin.replace:
+ dest: /etc/default/grub
+ regexp: (selinux|enforcing)=0
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ - result_default_grub_present.stat.exists
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
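Review bot: the last two tasks in this hunk gate on `result_grub2_cfg_present.stat.exists` and `result_default_grub_present.stat.exists`, while the efi_*_cfg rules earlier in this diff guard the same situation with `file_exists.stat is defined and file_exists.stat.exists`. It is safe here only because the `when` list is evaluated in order and the two preceding conditions are identical to those on the stat tasks, so `.stat` is always defined by the time it is read; using the defensive form from the other rules would make that independent of condition ordering. Documentation nit: every task name is prefixed 'Ensure SELinux Not Disabled in /etc/default/grub - ', including the tasks acting on /etc/grub.d/ and /etc/grub2.cfg, so the prefix reads as the target file rather than as the rule title.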
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux'
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1 +1 @@
-
+cpe:/a:grub2
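Review bot: the platform goes from empty to `cpe:/a:grub2`, so on hosts without grub2 (the s390x case raised in review, and the grub-less test containers) the rule now evaluates as not applicable instead of fail; that is a visible change in scan results and the PR description does not mention it, so it deserves a line there. It is what the `rpm --quiet -q grub2-common` and `"grub2-common" in ansible_facts.packages` conditions in the hunks above are generated from, and the manual `when` entries should be checked against that generated condition to avoid duplication.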
bash remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then
+if rpm --quiet -q postfix && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -40,8 +40,8 @@
line: smtpd_client_restrictions = permit_mynetworks,reject
state: present
when:
+ - '"postfix" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"postfix" in ansible_facts.packages'
tags:
- CCE-84054-6
- DISA-STIG-RHEL-08-040290
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_sssd_ldap_tls_ca_dir=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -25,8 +25,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-82456-5
- NIST-800-53-CM-6(a)
@@ -45,8 +45,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-82456-5
- NIST-800-53-CM-6(a)
@@ -73,8 +73,8 @@
option: ldap_tls_cacertdir
value: '{{ var_sssd_ldap_tls_ca_dir }}'
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -97,8 +97,8 @@
option: ldap_tls_cacertdir
value: '{{ var_sssd_ldap_tls_ca_dir }}'
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -20,8 +20,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-84062-9
- NIST-800-53-CM-6(a)
@@ -40,8 +40,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-84062-9
- NIST-800-53-CM-6(a)
@@ -68,8 +68,8 @@
option: ldap_tls_reqcert
value: demand
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -92,8 +92,8 @@
option: ldap_tls_reqcert
value: demand
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -21,8 +21,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-82437-5
- NIST-800-53-CM-6(a)
@@ -42,8 +42,8 @@
changed_when: false
check_mode: false
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
tags:
- CCE-82437-5
- NIST-800-53-CM-6(a)
@@ -71,8 +71,8 @@
option: ldap_id_use_start_tls
value: 'true'
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
- test_id_provider.stdout is defined
@@ -96,8 +96,8 @@
option: ldap_id_use_start_tls
value: 'true'
when:
+ - '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length > 0
- test_id_provider.stdout is defined
...uide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub_missing.fail.sh
811449e to 400efc9
Automatus CS8, CS9 and Fedora are failing because the containers used for tests don't have grub.
grub2_enable_selinux should not be applicable on s390x at all. That should be done with platform, same as for grub2 group.
Can the rule not be implemented via grub2_bootloader_argument template? The template does Ansible remediation properly using /sbin/grubby.
Nice. I will include the
No problem with it for 0.1.65 release if it works as expected. I need to verify this approach is ok for aarch64. s390x should be ok now, because of platform.
Sure. Once this PR is merged in stabilization, I port it to master to keep the branches aligned. Then I create a new PR for the template, ok?
Sure. Once this PR is merged in stabilization, I port it to master to keep the branches aligned. Then I create a new PR for the template, ok?
Ok, sounds fine.
This PR works fine, approving and merging.
Description:
There are cases where systems don't have one or more of the grub files intended to be checked. If this is the case, the former task in the Ansible playbook would result in a fatal error. Now, the existence of the files is first ensured before their contents are checked.
Rationale:
Avoids fatal errors when executing the Ansible Playbook.
Review Hints:
The OVAL changes are only related to style guide alignment. No functional changes were made there.
The relevant changes happened in the Ansible remediation.
The test scenario scripts were improved to test the Ansible remediation robustness and cover OVAL tests.
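As an added example (not code from PR #9911 or from the ComplianceAsCode project), the same "make sure the file exists before editing it" pattern that the description refers to, written as a POSIX shell function that mirrors the stat-then-replace Ansible tasks in the diff. It runs against a constructed temporary directory instead of the real /etc; the names under it (default_grub, grub2.cfg, grub.d/) are stand-ins for /etc/default/grub, /etc/grub2.cfg and /etc/grub.d/, and the sed substitutions are the ones from the rule's bash remediation.

```shell
#!/bin/sh
# Added example, not code from PR #9911 or ComplianceAsCode: a shell version of the
# "check that the file exists before editing it" pattern the PR adds to the
# Ansible tasks. Missing files are skipped instead of aborting the whole run.

# remediate_selinux_grub FILE...
# Strips selinux=0 / enforcing=0 (the same substitutions as the rule's bash
# remediation) from every FILE that exists. Files that do not exist are reported
# on stderr and skipped; the return code is non-zero only if sed itself failed.
remediate_selinux_grub() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f does not exist" >&2
            continue
        fi
        # --follow-symlinks matters on RHEL, where /etc/grub2.cfg is a symlink.
        sed -i --follow-symlinks 's/selinux=0//gI; s/enforcing=0//gI' "$f" || rc=1
    done
    return $rc
}

# make_fixture: builds a constructed stand-in for /etc in a temp directory:
# a default_grub file with SELinux disabled on the kernel command line, and
# deliberately no grub2.cfg and no grub.d/ directory (the failure case the PR
# addresses). Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX="rhgb quiet selinux=0 enforcing=0"\n' > "$dir/default_grub"
    echo "$dir"
}

# demo: runs the remediation over the fixture, including two paths that do not
# exist (an unmatched glob stays literal in sh and is skipped like any other
# missing file), and prints the remediated default_grub so it can be checked.
demo() {
    dir=$(make_fixture)
    remediate_selinux_grub "$dir/default_grub" "$dir/grub2.cfg" "$dir"/grub.d/* || return 1
    cat "$dir/default_grub"
    rm -rf "$dir"
}

demo
```

Running it prints the cleaned `GRUB_CMDLINE_LINUX` line and two `skip:` messages on stderr, with exit status 0; the same candidate list passed straight to `sed -i` would instead exit non-zero on the missing files.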