Add more rules for SLE16 ANSSI profiles#14514
Open
teacup-on-rockingchair wants to merge 19 commits into ComplianceAsCode:master from
Conversation
…trace_scope sysctl_net_core_bpf_jit_harden rules
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -99,7 +99,9 @@
- restrict_strategy
- name: 'Ensure Red Hat GPG Key Installed: Import RedHat GPG key'
- ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+ ansible.builtin.rpm_key:
+ state: present
+ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
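Review bot: the switch from `ansible.builtin.command: rpm --import ...` to `ansible.builtin.rpm_key` with `state: present` is the right fix for idempotency, since the command task reported changed on every run while rpm_key only imports a key that is not yet in the RPM database. This is a Red Hat rule showing up in the datastream diff of an SLE16 PR, so the change must come from a shared template or macro; please confirm in the PR description that altering the RHEL remediation is intended rather than a side effect of the SLE work.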
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$login_banner_contents" > /etc/issue
+read -r -d '' login_banner_text <<'EOF' || true
+
+EOF
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$login_banner_text" | fold -sw 80)
+cat <<EOF >/etc/issue
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
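Review bot: the `read -r -d '' login_banner_text <<'EOF' || true` heredoc is empty in this build, so every sed step operates on an empty string and the final `cat <<EOF >/etc/issue` truncates /etc/issue to a single blank line; either the datastream must populate `login_banner_text` for the profile, or the script should skip the write when `$formatted` is empty (e.g. `[ -n "$formatted" ] || exit 0` before the `cat`). The `|| true` is needed because `read -d ''` returns non-zero when it hits EOF without a NUL terminator, and the quoted `<<'EOF'` correctly keeps backslashes in the banner literal until step 4 removes them.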
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -13,18 +13,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner - Ensure Correct Banner
ansible.builtin.copy:
dest: /etc/issue
- content: |
- {{ login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-80763-6
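Review bot: the bash remediation for this rule wraps with `fold -sw 80`, while this Jinja chain ends in `wordwrap()` with no width argument, which Jinja2 defaults to 79 columns, so a host remediated by Ansible and one remediated by bash can end up with different line breaks in /etc/issue; pass `wordwrap(80)` so both paths agree. Also worth a changelog line: the task now reads the XCCDF variable `login_banner_text` instead of `login_banner_contents`, so tailoring files that set the old variable will silently stop affecting this rule.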
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-remote_login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$remote_login_banner_contents" > /etc/issue.net
+remote_login_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$remote_login_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/issue.net
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
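Review bot: unlike the /etc/issue remediation above, which reads the banner through a quoted heredoc, this one initialises the value with a single-quoted assignment `remote_login_banner_text=''`; for a non-empty banner that form breaks on any `'` in the text, so the generator should emit the heredoc form for every banner variable. As generated here the value is empty and the script writes an empty /etc/issue.net, the same outcome as the old `echo ""` but now after five no-op sed passes.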
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value remote_login_banner_contents # promote to variable
+- name: XCCDF Value remote_login_banner_text # promote to variable
set_fact:
- remote_login_banner_contents: !!str
+ remote_login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner for Remote Connections - ensure correct banner
ansible.builtin.copy:
dest: /etc/issue.net
- content: |
- {{ remote_login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86147-6
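Review bot: `regex_replace("\\", "")` at the end of the filter chain deletes every backslash left in the banner, so an operator-supplied `remote_login_banner_text` that legitimately contains one (a Windows-style path in a legal notice, for example) is silently altered. If the intent is only to strip the escaping that the earlier regex-to-text steps leave behind, restrict it to a backslash followed by a regex metacharacter, or state in the rule description that backslashes are not supported in banner text.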
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-motd_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$motd_banner_contents" > /etc/motd
+motd_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\\//g')
+formatted=$(echo "$motd_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/motd
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
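Review bot: the five-step sed pipeline here is the same text as in the /etc/issue and /etc/issue.net remediations above (and, with a different step 3, in the GNOME one below); copying it into each rule body means a fix to one regex has to be applied four times, so it belongs in a shared bash macro that takes the variable name and the newline replacement as parameters.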
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value motd_banner_contents # promote to variable
+- name: XCCDF Value motd_banner_text # promote to variable
set_fact:
- motd_banner_contents: !!str
+ motd_banner_text: !!str
tags:
- always
- name: Modify the System Message of the Day Banner - ensure correct banner
ansible.builtin.copy:
dest: /etc/motd
- content: |
- {{ motd_banner_contents | replace('\n', '
- ') }}
+ content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83496-0
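Review bot: the old `content: |` block scalar guaranteed a trailing newline, but the new single-quoted flow scalar ends at `}}'`, so the /etc/motd written by Ansible has no final newline while the bash path's `cat <<EOF` always writes one; append a newline after the filter chain (e.g. `... | wordwrap(80) ~ "\n"`) to keep the two remediations byte-identical. Note also that Jinja2's `wordwrap()` defaults to `break_long_words=True`, so a long URL in the MOTD will be split mid-token.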
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1,7 +1,24 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
-dconf_login_banner_contents=$(echo "" )
+login_banner_text=''
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
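Review bot: step 3 here rewrites the newline regex into the placeholder token `(n)*` rather than a real newline, and step 5 turns the token into the two-character escape `\n` that dconf expects; the ordering comment is right (step 4 strips backslashes, so emitting `\n` earlier would leave a bare `n`), but `(n)*` is an ordinary string that a banner could legitimately contain, so a token that cannot occur in banner text would be safer. Also fix the typo 'escapce' in the step 5 comment and close its opening parenthesis.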
@@ -28,7 +45,7 @@
printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${dconf_login_banner_contents}'")"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
then
sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
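Review bot: `escaped_value` only doubles backslashes before the value is spliced into the `sed -i "s/.../banner-message-text=${escaped_value}/g"` replacement, so a banner containing `/` (the sed delimiter), `&` (the whole-match reference) or a newline will break or corrupt the substitution, and a `'` will terminate the single-quoted GVariant string that the surrounding quotes build. Escape `/`, `&` and `'` alongside `\` (or use a delimiter that cannot appear in the text) now that the rule is expected to carry real banner text.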
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -13,9 +13,9 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value dconf_login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- dconf_login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
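Review bot: this rule now consumes the XCCDF variable `login_banner_text`, the same variable the /etc/issue rule reads, instead of its own `dconf_login_banner_contents`; if the GDM banner is meant to always mirror /etc/issue, say so in the rule description, and if not, keep the per-rule variable, since the rename also silently orphans any tailoring that set `dconf_login_banner_contents`.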
@@ -72,7 +72,9 @@
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
- value: '''{{ dconf_login_banner_contents }}'''
+ value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
create: true
no_extra_spaces: true
register: result_ini
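Review bot: the value is wrapped in `'''...'''`, which becomes a single-quoted GVariant string in the ini file, but none of the filters escape a `'` inside the banner, so a text such as "Don't ..." ends the string early and yields an invalid dconf key; add `| replace("'", "\\'")` before the closing quotes. Unlike the bash path's `escaped_value`, no backslash doubling is needed here because `ini_file` writes the value verbatim, so the `\n` produced by the last `regex_replace` lands in the file as the two characters dconf expects.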
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_logrotate_activated' differs.
--- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
+++ xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
@@ -1,7 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q logrotate; }; then
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+LOGROTATE_CONF_FILE='/etc/logrotate.conf'
+
if ! rpm -q --quiet "crontabs" ; then
yum install -y "crontabs"
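Review bot: the only change in this hunk is `"/etc/logrotate.conf"` becoming `'/etc/logrotate.conf'` plus a blank line, which is cosmetic; it is listed as a differing remediation only because the datastream check compares text, so there is nothing functional to review here, but if the quoting change comes from a shared helper, expect the same cosmetic diff in every other rule that uses it.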
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed'.
--- xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
+++ xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
@@ -10,6 +10,9 @@
$ sudo yum erase dnsmasq
+[reference]:
+2.1.6
+
[rationale]:
Unless a system is specifically designated to act as a DNS
caching, DNS forwarding and/or DHCP server, it is recommended that the
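Review bot: the added `[reference]: 2.1.6` gives a section number without saying which benchmark it belongs to, so a reader of the rendered guide cannot tell whether 2.1.6 is an ANSSI, CIS or other control; the reference should carry the standard's name. Note also that the CI output below reports `service_dnsmasq_disabled` missing from the new datastream while `package_dnsmasq_removed` remains, which matches the review comment that dnsmasq is not shipped on SLES 16 but leaves the package rule inconsistent with the service rule.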
xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled is missing in new data stream.
Contributor
hi @teacup-on-rockingchair, IMHO these rules are not applicable, because the packages are not available on SLES 16:
Description:
Rationale:
Enable for sle16 rules:
Minor patch in bash_ensure_pam_module_configuration macro for SLE platform