Add ansible remediation for log perm for UBTU-20-010122

[dexterle]

Description:

• Fix UBTU-20-010122
• Add ansible remediation for ubuntu, and fix styling

Rationale:

• Part of Ubuntu 20.04 DISA STIG v1r9 profile upgrade
• Ubuntu2004 stig profile v1r9 update #10738

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010122"

To test changes with bash, run the remediation sections: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout dexterle:add-manual-stig-ubtu-20-v1r9

This STIG can not be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check given the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

[dexterle]

feedback: 114455d#r1319043421

[openshift-ci]

Hi @dexterle. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -18,8 +18,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Get audit log files
-  command: grep -iw ^log_file /etc/audit/auditd.conf
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Get Audit Log Files
+  ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
   failed_when: false
   register: log_file_exists
   when:
@@ -42,8 +42,9 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Parse log file line
-  command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Parse Log File
+    Line
+  ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
   register: log_file_line
   when:
   - '"audit" in ansible_facts.packages'
@@ -66,8 +67,9 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Set default log_file if not set
-  set_fact:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Set Default log_file
+    if Not Set
+  ansible.builtin.set_fact:
     log_file: /var/log/audit/audit.log
   when:
   - '"audit" in ansible_facts.packages'
@@ -90,8 +92,9 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Set log_file from log_file_line if not set already
-  set_fact:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Set log_file From
+    log_file_line if Not Set Already
+  ansible.builtin.set_fact:
     log_file: '{{ log_file_line.stdout | trim }}'
   when:
   - '"audit" in ansible_facts.packages'
@@ -114,8 +117,9 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Apply mode to log file
-  file:
+- name: System Audit Logs Must Have Mode 0640 or Less Permissive - Apply Mode to Log
+    File
+  ansible.builtin.file:
     path: '{{ log_file }}'
     mode: 384
   failed_when: false

[codeclimate]

Code Climate has analyzed commit af2b256 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).

View more on Code Climate.

[dexterle]

feedback: 114455d#r1319043421

I believe that this PR can be enhanced if it removes the second command task with similar changes here: #11092

[dodys]

this deviates from the bash remediation, please check it

[openshift-ci]

@dexterle: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.14-images	af2b256	link	true	/test 4.14-images
ci/prow/4.13-images	af2b256	link	true	/test 4.13-images
ci/prow/4.15-images	af2b256	link	true	/test 4.15-images
ci/prow/4.16-images	af2b256	link	true	/test 4.16-images
ci/prow/4.12-images	af2b256	link	true	/test 4.12-images
ci/prow/4.17-images	af2b256	link	true	/test 4.17-images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jan-cerny]

ping

[dodys]

dexterle reached out last week about continuing work on this PRs, and I've asked to open new ones for a clean state. Therefore closing this one.