Fix Lexicological ordering of immutable.rules #12763
Conversation
Lexicological order, put immutable at the end of the line.
|
Hi @bordenit. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -15,7 +15,7 @@
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
+for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/90-immutable.rules"
do
echo '' >> $AUDIT_FILE
echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -73,15 +73,14 @@
- reboot_required
- restrict_strategy
-- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/90-immutable.rules
lineinfile:
path: '{{ item }}'
create: true
line: -e 2
mode: g-rwx,o-rwx
loop:
- - /etc/audit/audit.rules
- - /etc/audit/rules.d/immutable.rules
+ - /etc/audit/rules.d/90-immutable.rules
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages' |
|
Well, doesn't seem to matter much, the -e is still always loaded last based on my testing when you reload the rules in entirety, but placing the immutable rules in 90- follows the RHEL guidance as well...... Also, the audit system should be trusted to load the rules in order, depending on how you run the playbook, which order, tags, etc... it could update /etc/audit/audit.rules in a different order with the lineinfile commands. If you want consistency, rename the /etc/audit/rules.d .rules files with something like 30-stig.rules and 90-immutable.rules, and trust the audit system to load /etc/audit/audit.rules in the same order every time. Using the playbook is very inconsistent with iteration for the rules being manually placed in /etc/audit/audit.rules. |
|
Code Climate has analyzed commit 6ab29c5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
Thanks for the PR pull request.
I have let one comment to ensure the files used in both remediation types are the same.
Secondly, I'm not sure 90-immutable.rules will work fully with this project. We have many unnumbered files such as modules.rules and based on my quick research it seems 90-immutable.rules, might get loaded first.
| lineinfile: | ||
| path: "{{ item }}" | ||
| create: True | ||
| line: "-e 2" | ||
| mode: g-rwx,o-rwx | ||
| loop: | ||
| - "/etc/audit/audit.rules" |
There was a problem hiding this comment.
Please keep this file to match the bash remediation.
Description:
The filename for the auditd immutable rules is 90-immutable.rules in some areas, but not in others. This fixes it.
Rationale:
With lexicological ordering naming the file immutable.rules will not let it load last. The DISA STIG, and common practice is to put the immutable rule at the last entry in the audit.rules file. Also, the DISA STIG checks for the last line in the audit.rules file for this check. Instead of loading the -e option into audit.rules in a random fashion, the system should be rebooted, then it will pick up the -e from the 90-immutable.rules and put it at the end.