SLE Coredump configuration support dropin remediation #10604
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- oval:ssg-coredump_disable_backtraces:def:1
+++ oval:ssg-coredump_disable_backtraces:def:1
@@ -1,2 +1,3 @@
criteria OR
criterion oval:ssg-test_coredump_disable_backtraces:tst:1
+criterion oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1
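Review bot: The added criterion oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1 sits under criteria OR beside the main-file test, so the definition is satisfied as soon as either location carries the setting. systemd lets a drop-in override the main file, so a compliant coredump.conf combined with a drop-in that sets a different value can still pass through the first criterion. Consider making the check reflect that override, or state the OR semantics as a known limitation in the rule.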
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -3,8 +3,7 @@
Disable storing core dump
[description]:
-The Storage option in [Coredump] section
-of /etc/systemd/coredump.conf
+The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently.
[warning]:
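Review bot: In the added description line the words run together as "sectionof", and the text still names only /etc/systemd/coredump.conf although the OVAL for this rule now also has a config_dir test. Restore the space (or the line break that was dropped) and mention the drop-in directory, so the description matches what the check and the remediation act on.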
OVAL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- oval:ssg-coredump_disable_storage:def:1
+++ oval:ssg-coredump_disable_storage:def:1
@@ -1,2 +1,3 @@
criteria OR
criterion oval:ssg-test_coredump_disable_storage:tst:1
+criterion oval:ssg-test_coredump_disable_storage_config_dir:tst:1 |
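Review bot: The new criterion oval:ssg-test_coredump_disable_storage_config_dir:tst:1 is covered only by a pass scenario; the test run shown on this page lists coredumps_storage_none_dropin.pass.sh and no drop-in fail script. Add a fail scenario in which a drop-in sets Storage to a value other than none, so the config_dir test is shown to reject a non-compliant drop-in.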
@teacup-on-rockingchair Please remove the "Merge" commit from the PR, you can do that by performing an interactive rebase of the PR on the top of the latest upstream master branch.
The new macro is called oval_check_systemd_config and has similar functionality, but adds the possibility to check also in drop-in files located in a subdirectory, named after the conf-file, as it is done in systemd services case.
a1976c9 to d1aa7d6
🙇 not sure how I achieved that once more but now should be OK
- name: "{{{ rule_title }}}: Make sure Coredump section exist in remediation file"
  ansible.builtin.lineinfile:
    path: '/etc/systemd/coredump.conf.d/oscap-autoremedy.conf'
The path needs to be mentioned also in the rule.yml. Now your checks and remediations aren't aligned with the rule description.
.../restrictions/coredumps/coredump_disable_storage/tests/coredumps_storage_none_dropin.pass.sh
…ump_disable_storage/tests/coredumps_storage_none_dropin.pass.sh Co-authored-by: Jan Černý <[email protected]>
Code Climate has analyzed commit 9747511 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.5% (0.6% change).
I assume the failure of the Automatus CI jobs is related to the fact that a container is used as a backend on the CI worker. When performed locally with a VM, the test passed:
[jcerny@fedora scap-security-guide{pr/10604}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 coredump_disable_storage
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-10-0930/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_coredump_disable_storage
INFO - Script coredumps_storage_default.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none.pass.sh using profile (all) OK
INFO - Script coredumps_storage_persistent.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none_dropin.pass.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10604}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel9 coredump_disable_storage
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-10-0934/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_coredump_disable_storage
INFO - Script coredumps_storage_default.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none.pass.sh using profile (all) OK
INFO - Script coredumps_storage_persistent.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none_dropin.pass.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10604}]$
Description:
/etc/systemd/coredump.conf.d/*.conf files
Rationale:
coredump_disable_storage rule
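The drop-in lookup this PR is about (the main file plus /etc/systemd/coredump.conf.d/*.conf), as an added example that is not code from the PR or the project: it resolves the value systemd ends up with and compares it with an "any file has it" check. The function names and the 99-local.conf file are hypothetical, the sample files are constructed, and only the /etc/systemd copies are considered (systemd also reads drop-in directories under /run and /usr/lib).

```python
import glob
import os
import tempfile

def read_key(path, section, key):
    """Last value assigned to key inside [section] of one file, or None."""
    value = current = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif current == section and "=" in line and line[0] not in "#;":
                name, _, val = line.partition("=")
                if name.strip() == key:
                    value = val.strip()
    return value

def config_files(systemd_dir, conf_name):
    """Main file first, then <conf_name>.d/*.conf in lexical order."""
    dropins = sorted(glob.glob(os.path.join(systemd_dir, conf_name + ".d", "*.conf")))
    paths = [os.path.join(systemd_dir, conf_name)] + dropins
    return [p for p in paths if os.path.isfile(p)]

def effective_value(systemd_dir, conf_name, section, key):
    """Later files override earlier ones; None when no file sets the key."""
    values = [read_key(p, section, key) for p in config_files(systemd_dir, conf_name)]
    values = [v for v in values if v is not None]
    return values[-1] if values else None

def any_file_has(systemd_dir, conf_name, section, key, wanted):
    """OR-style check: the main file or any drop-in sets key to wanted."""
    return any(read_key(p, section, key) == wanted
               for p in config_files(systemd_dir, conf_name))

def build_sample(files):
    """Write constructed sample files into a temp dir standing in for /etc/systemd."""
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    d = build_sample({"coredump.conf": "[Coredump]\nStorage=none\n",
                      "coredump.conf.d/99-local.conf": "[Coredump]\nStorage=external\n"})
    print(effective_value(d, "coredump.conf", "Coredump", "Storage"),
          any_file_has(d, "coredump.conf", "Coredump", "Storage", "none"))
```

In the constructed conflict case the two functions disagree: the effective value is external while the any-file check still reports that Storage=none is present.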