Fix rule ubtu 20 010066

[yunimoo]

Description:

• Fix UBTU-20-010066
• Add Ansible remediation for ubuntu
• Fix OVAL Definition to regex check for a semicolon ; (smartcard_configure_crl)

Original PR: #11078

Rationale:

• Part of Ubuntu 20.04 DISA STIG v1r12 profile upgrade

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010066

To test changes with bash, run the remediation section: xccdf_org.ssgproject.content_rule_install_smartcard_packages and xccdf_org.ssgproject.content_rule_smartcard_configure_crl. The install_smartcard_packages is required so that tasks in smartcard_configure_crl can run.

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout yunimoo:update-manual-stig-ubtu-20-v1r12

This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

[openshift-ci]

Hi @yunimoo. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ubuntu2004 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_configure_crl'.

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12296
This image was built from commit: 200c341

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12296

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12296 make deploy-local

[dodys]

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

[yunimoo]

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

I think this one might be related to the fact that conditional fails if package is not properly installed beforehand, leading to that notapplicable error? So the fix might be adding in the template for ensuring that package is installed.

[dodys]

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

I think this one might be related to the fact that conditional fails if package is not properly installed beforehand, leading to that notapplicable error? So the fix might be adding in the template for ensuring that package is installed.

the package needed is part of the tests dependencies:
# packages = libpam-pkcs11

@Mab879 do you have any insights on why it seems that the needed package is not getting installed? Is it a bug in ubuntu's automatus?

[jan-cerny]

Installing packages
ssh -o Port=33623 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@localhost DEBIAN_FRONTEND=noninteractive apt install -y libpam-pkcs11
STDOUT: Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libpcsclite1
Suggested packages:
  pcscd
The following NEW packages will be installed:
  libpam-pkcs11 libpcsclite1
0 upgraded, 2 newly installed, 0 to remove and 4 not upgraded.
Need to get 175 kB of archives.
After this operation, 1038 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpcsclite1 amd64 1.9.5-3ubuntu1 [19.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/universe amd64 libpam-pkcs11 amd64 0.6.11-4build2 [155 kB]
Fetched 175 kB in 0s (1220 kB/s)
Selecting previously unselected package libpcsclite1:amd64.
(Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 102542 files and directories currently installed.)
Preparing to unpack .../libpcsclite1_1.9.5-3ubuntu1_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.9.5-3ubuntu1) ...
Selecting previously unselected package libpam-pkcs11.
Preparing to unpack .../libpam-pkcs11_0.6.11-4build2_amd64.deb ...
Unpacking libpam-pkcs11 (0.6.11-4build2) ...
Setting up libpcsclite1:amd64 (1.9.5-3ubuntu1) ...
Setting up libpam-pkcs11 (0.6.11-4build2) ...
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
STDERR: Warning: Permanently added '[localhost]:33623' (ED25519) to the list of known hosts.

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

debconf: delaying package configuration, since apt-utils is not installed

the last line looks suspicious to me

[dodys]

debconf: delaying package configuration, since apt-utils is not installed

that's not really an issue:
https://stackoverflow.com/questions/51023312/docker-having-issues-installing-apt-utils

and installing apt-utils will cause other problems

[yunimoo]

Thank you for the helpful conversations on this. Seems like the packages are installing properly but I am curious, would the test fail / not be applicable if a command is invalid? (i.e., https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/commented.fail.sh#L6)

The cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example does not exist in the container so I assume that this would fail.

I have also tried a simpler test:

#!/bin/bash
# platform = multi_platform_ubuntu
# packages = libpam-pkcs11

mkdir -p /etc/pam_pkcs11
echo "cert_policy = ca,signature,ocsp_on,crl_auto;" > /etc/pam_pkcs11/pam_pkcs11.conf

Which also results in a failure / not applicable when it should pass given the OVALs. Any thoughts on this?

[yunimoo]

The packages (Dependencies) do not seem to be the problem. I was able to fix the environment setup and will add in a temporary WIP commit for the tests. I'm noticing that the environment sets up properly but openscap is still showing up as notapplicable when:

• Verified that libpam-pkcs11 package is installed
• Path to /etc/pam_pkcs11/pam_pkcs11.conf exists

Errors also seem to persist on master branch... I have also tried testing out the extended criteria install_smartcard_packages which results in notapplicable. So perhaps these errors may be related together in some way?

[codeclimate]

Code Climate has analyzed commit 200c341 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.