Pipe characters in XCCDF Values need to be escaped in Ansible Playbooks #1879

Open
jan-cerny opened this issue Aug 5, 2022 · 0 comments
Description of Problem:

During @vojtapolasek's work on ComplianceAsCode/content#9285 we have discovered that if an XCCDF value contains a pipe character (|) the generated Ansible Playbook is invalid because the generated Playbook contains a pipe character (|) which has a special meaning in YAML, specifically, the pipe introduces a multiline string.

This is explained on https://yaml-multiline.info/.

This can also be a problem when people have a tailoring where they customize their XCCDF Values to an arbitrary string if that arbitrary string contains a pipe character (|). We can't prevent users from doing that and that means that any workaround in the content isn't sufficient.

OpenSCAP Version:

1.3.6

Operating System & Version:

F 35

Steps to Reproduce:

  1. Download and unpack SCAP source data stream ds.tar.gz

  2. `oscap xccdf generate fix --fix-type ansible --profile stig ssg-rhel9-ds.xml > playbook.yml`

  3. `grep "sysctl_kernel_core_pattern_value:" playbook.yml`

  4. `ansible-lint playbook.yml`

Actual Results:

```
ansible-lint playbook.yml
WARNING  Listing 1 violation(s) that are fatal
syntax-check: Ansible syntax check failed
playbook.yml:1 [WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)

Syntax Error while loading YAML.
  did not find expected comment or line break

The error appears to be in '/home/jcerny/work/git/scap-security-guide/playbook.yml': line 87, column 46, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

    var_removable_partition: !!str /dev/cdrom
    sysctl_kernel_core_pattern_value: !!str |/bin/false
                                             ^ here

Finished with 1 failure(s), 0 warning(s) on 1 files.
```

Expected Results:

  • pipe is escaped or quoted
  • ansible-lint passes

Additional Information / Debugging Steps:

For more details, see the discussion in ComplianceAsCode/content#9285.
