-
Notifications
You must be signed in to change notification settings - Fork 687
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ansible remediation for log perm for UBTU-20-010122 #11091
Add ansible remediation for log perm for UBTU-20-010122 #11091
Conversation
This commit will add log perm ansible remediation for ensuring all audit logs are 600 or less permissible.
feedback: 114455d#r1319043421 |
Hi @dexterle. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -18,8 +18,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Get audit log files
- command: grep -iw ^log_file /etc/audit/auditd.conf
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Get Audit Log Files
+ ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
failed_when: false
register: log_file_exists
when:
@@ -42,8 +42,9 @@
- no_reboot_needed
- restrict_strategy
-- name: Parse log file line
- command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Parse Log File
+ Line
+ ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
register: log_file_line
when:
- '"audit" in ansible_facts.packages'
@@ -66,8 +67,9 @@
- no_reboot_needed
- restrict_strategy
-- name: Set default log_file if not set
- set_fact:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Set Default log_file
+ if Not Set
+ ansible.builtin.set_fact:
log_file: /var/log/audit/audit.log
when:
- '"audit" in ansible_facts.packages'
@@ -90,8 +92,9 @@
- no_reboot_needed
- restrict_strategy
-- name: Set log_file from log_file_line if not set already
- set_fact:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Set log_file From
+ log_file_line if Not Set Already
+ ansible.builtin.set_fact:
log_file: '{{ log_file_line.stdout | trim }}'
when:
- '"audit" in ansible_facts.packages'
@@ -114,8 +117,9 @@
- no_reboot_needed
- restrict_strategy
-- name: Apply mode to log file
- file:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Apply Mode to Log
+ File
+ ansible.builtin.file:
path: '{{ log_file }}'
mode: 384
failed_when: false |
Code Climate has analyzed commit af2b256 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.8% (0.0% change). View more on Code Climate. |
I believe that this PR can be enhanced if it removes the second |
{{% if 'ol' not in product and "rhel" not in product %}} | ||
- name: Get log files group | ||
command: grep -m 1 ^log_group /etc/audit/auditd.conf | ||
{{% if 'ol' not in product and "rhel" not in product and "ubuntu" not in product %}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this deviates from the bash remediation, please check it
@dexterle: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
ping |
dexterle reached out last week about continuing work on this PRs, and I've asked to open new ones for a clean state. Therefore closing this one. |
Description:
Rationale:
Review Hints:
Build the product:
To test these changes with Ansible:
To test changes with bash, run the remediation sections:
xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.
This STIG can not be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check given the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/