
Align networkmanager_dns_mode to the RHEL 9 STIG #11745

Conversation

@Mab879 Mab879 (Member) commented Mar 22, 2024

Description:

Removes the ability to add space around the dns=none per the STIG SCAP content.

Rationale:

Fixes #11702

@Mab879 Mab879 added bugfix Fixes to reported bugs. RHEL9 Red Hat Enterprise Linux 9 product related. labels Mar 22, 2024
@Mab879 Mab879 added this to the 0.1.73 milestone Mar 22, 2024
github-actions bot commented Mar 22, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11745
This image was built from commit: 95eadcc

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11745

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11745 make deploy-local

@jan-cerny jan-cerny (Collaborator) commented:

The problem is that the Ansible remediation still adds or doesn't remove the spaces. Ansible has an option that could be used https://docs.ansible.com/ansible/latest/collections/community/general/ini_file_module.html#parameter-no_extra_spaces. OTOH Bash remediation is OK.

@jan-cerny jan-cerny self-assigned this Mar 25, 2024
@Mab879 Mab879 (Member, Author) commented Mar 25, 2024

The problem is that the Ansible remediation still adds or doesn't remove the spaces. Ansible has an option that could be used https://docs.ansible.com/ansible/latest/collections/community/general/ini_file_module.html#parameter-no_extra_spaces. OTOH Bash remediation is OK.

I have updated the Ansible remediation.

@@ -733,6 +733,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
value: "{{{ value }}}"
create: yes
mode: 0644
ignore_spaces: false
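
Review bot: the new `ignore_spaces: false` line in this hunk does not by itself make the task write the spaceless `dns=none` this PR is meant to enforce; the option the thread points at for that is `no_extra_spaces` (the ini_file docs link above), which is what controls whether `ini_file` puts spaces around `=`. Keep `ignore_spaces: false` so an existing spaced line is not treated as already correct, add `no_extra_spaces: true` beside it, and describe the new parameter in the macro's docstring.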
Collaborator


The tests still fail.

If we do this they should stop failing:

Suggested change
ignore_spaces: false
ignore_spaces: false
no_extra_spaces: true
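
As an added example (not the project's Bash or Ansible remediation), a section-aware check and fix in shell for the behaviour this thread is about: the check accepts only the exact line dns=none under [main], as the STIG content does, and the remediation rewrites a spaced "dns = none" to "dns=none", which is the effect of running ini_file with ignore_spaces: false together with no_extra_spaces: true. The config path is a parameter so it can be run against a constructed file.

```shell
#!/bin/bash
# Added example, not the project's own remediation: enforce the exact "dns=none"
# line under [main] that the STIG SCAP content expects (no spaces around "=").
# The config file path is an argument so it can be run against a constructed file.
set -u

# check_dns_mode FILE VALUE: returns 0 only if [main] contains exactly "dns=VALUE".
# "dns = none" deliberately fails, mirroring the space.fail.sh scenario in the PR.
check_dns_mode() {
    awk -v want="dns=$2" '
        /^\[/                 { in_main = ($0 == "[main]"); next }
        in_main && $0 == want { found = 1 }
        END                   { exit (found ? 0 : 1) }
    ' "$1"
}

# remediate_dns_mode FILE VALUE: rewrite any dns key in [main], spaced or not, as
# "dns=VALUE"; add the key if [main] lacks it, and add [main] if the file has none.
# This is the effect of ini_file with ignore_spaces=false and no_extra_spaces=true.
remediate_dns_mode() {
    local file="$1" want="dns=$2" tmp rc
    tmp="$(mktemp)" || return 1
    awk -v want="$want" '
        function flush_main() { if (in_main && !done) { print want; done = 1 } }
        /^\[/ {                       # section header: leaving [main] adds the key
            flush_main()
            in_main = ($0 == "[main]"); seen_main = seen_main || in_main
            print; next
        }
        in_main && $0 ~ /^[ \t]*dns[ \t]*=/ {   # any spelling of the dns key
            if (!done) { print want; done = 1 }  # later duplicates are dropped
            next
        }
        { print }
        END {
            flush_main()
            if (!seen_main) { print "[main]"; print want }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original file mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: ./dns_mode.sh /path/to/NetworkManager.conf none
if [ "$#" -eq 2 ]; then
    remediate_dns_mode "$1" "$2"
    check_dns_mode "$1" "$2" && echo "compliant: $1 has dns=$2 in [main]"
fi
```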

@Mab879 Mab879 force-pushed the adjust_networkmanager_dns_mode_for_stig branch from 81e63be to a53e09c on March 26, 2024 18:08
@@ -6,7 +6,7 @@

{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}
{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}", true) }}}
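
Review bot: the new call passes the flag as a bare positional `true`, which binds to whichever parameter follows the value in the macro's signature; the suggestion later in this thread (`description=None, ignore_spaces=True`) shows that `description` comes first, so the positional `true` would be taken as the description and the spacing behaviour would not change. Pass it by keyword (`ignore_spaces=True`) so the remediation actually rewrites a spaced `dns = none` to the exact `dns=none` the check expects.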
Collaborator


I'm sorry I was wrong, this isn't sufficient, they still fail. We need also to update the macro here.

Suggested change
{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}", true) }}}
{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}", description=None, ignore_spaces=True) }}}

@Mab879 Mab879 force-pushed the adjust_networkmanager_dns_mode_for_stig branch from a53e09c to 95eadcc on March 27, 2024 13:50

codeclimate bot commented Mar 27, 2024

Code Climate has analyzed commit 95eadcc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).


Collaborator

@jan-cerny jan-cerny left a comment


The Automatus CI jobs fail because it isn't possible to start the networkmanager service in the container environment that we use in the CI. I have executed the tests locally using a RHEL 9 virtual machine, and they all passed:

jcerny@fedora:~/work/git/scap-security-guide (pr/11745)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9  networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-27-1640/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script space.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11745)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible  networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-27-1642/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script space.fail.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 68a116b into ComplianceAsCode:master Mar 27, 2024
40 of 44 checks passed
@Mab879 Mab879 deleted the adjust_networkmanager_dns_mode_for_stig branch March 27, 2024 18:15
Development

Successfully merging this pull request may close these issues.

networkmanager_dns_mode is misaligned with DISA