SLE Coredump configuration support dropin remediation #10604

teacup-on-rockingchair
Contributor

Description:

  • For SLE platforms, add the remediation configuration in a drop-in file. Also modify the OVAL check to look up /etc/systemd/coredump.conf.d/*.conf files as well.

Rationale:

  • In OVAL, add a new macro called oval_check_systemd_config, which has similar functionality but adds the possibility to also check drop-in files located in a subdirectory named after the conf file, as is done in the systemd services case.
  • For SLE platforms, put the Ansible and Bash remediation in a drop-in configuration file.
  • Add a small test for the coredump_disable_storage rule.
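
Once drop-in files count, what matters on a host is the value left after the main file and every drop-in are merged. The following is an added example, not part of this pull request or of ComplianceAsCode, that resolves that effective value; it reads only the two /etc locations named above (systemd also consults other drop-in directories), and the function names and `50-local.conf` are hypothetical.

```shell
# Added example (not ComplianceAsCode code): print the effective value of a
# [Coredump] key under ROOT. The main file is read first, then drop-ins in
# byte-wise name order; the last assignment wins.
# Simplification: only the two /etc locations named in this PR are read.
effective_coredump_setting() (
    root=$1 key=$2
    LC_ALL=C; export LC_ALL            # stable glob order, local to the subshell
    set --
    if [ -f "$root/etc/systemd/coredump.conf" ]; then
        set -- "$root/etc/systemd/coredump.conf"
    fi
    for f in "$root"/etc/systemd/coredump.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || exit 1
    awk -v key="$key" '
        FNR == 1       { in_sec = 0 }              # section state is per file
        /^[ \t]*[#;]/  { next }                    # comment line
        /^[ \t]*\[/    { in_sec = ($0 ~ /^[ \t]*\[Coredump\][ \t]*$/); next }
        in_sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }   # later assignment overrides
        }
        END { if (found) print val; else exit 1 }
    ' "$@"
)

# Constructed sample tree: main file compliant, one drop-in overriding it.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd/coredump.conf.d"
    printf '[Coredump]\n#Storage=external\nStorage=none\n' \
        > "$root/etc/systemd/coredump.conf"
    printf '[Coredump]\nStorage = persistent\n' \
        > "$root/etc/systemd/coredump.conf.d/50-local.conf"   # hypothetical name
    echo "$root"
}

# Write a remediation drop-in; the file name is the caller's choice because
# its sort position decides whether it wins over other drop-ins.
write_dropin() {
    printf '[Coredump]\nStorage=none\n' > "$1/etc/systemd/coredump.conf.d/$2"
}
```

On the sample tree the result is `persistent` until a drop-in that sorts after `50-local.conf`, such as the `oscap-autoremedy.conf` name used in this PR, sets `Storage=none`.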

@teacup-on-rockingchair teacup-on-rockingchair added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. labels May 21, 2023
@github-actions

github-actions bot commented May 21, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- oval:ssg-coredump_disable_backtraces:def:1
+++ oval:ssg-coredump_disable_backtraces:def:1
@@ -1,2 +1,3 @@
 criteria OR
 criterion oval:ssg-test_coredump_disable_backtraces:tst:1
+criterion oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1
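
Review bot: The new config_dir criterion is placed under `criteria OR` beside the existing one, so the definition passes as soon as either test is satisfied. systemd gives drop-in files precedence over the main configuration file, so unless the tests themselves account for it, a compliant main file would still satisfy the first criterion while a drop-in sets a different value. Consider making the definition fail when any drop-in carries a conflicting value, or stating in the rule that the check is per file and not on the effective setting.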

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -3,8 +3,7 @@
 Disable storing core dump
 
 [description]:
-The Storage option in [Coredump] section
-of /etc/systemd/coredump.conf
+The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
 can be set to none to disable storing core dumps permanently.
 
 [warning]:
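
Review bot: The added description line reads "sectionof", so the space between "section" and "of" was lost when the two lines were joined and should be restored. The description also still names only /etc/systemd/coredump.conf, while the OVAL for this rule gains a config_dir criterion, so the drop-in directory should be mentioned here as well.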

OVAL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- oval:ssg-coredump_disable_storage:def:1
+++ oval:ssg-coredump_disable_storage:def:1
@@ -1,2 +1,3 @@
 criteria OR
 criterion oval:ssg-test_coredump_disable_storage:tst:1
+criterion oval:ssg-test_coredump_disable_storage_config_dir:tst:1
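
Review bot: A fail scenario is missing for the added config_dir criterion: the drop-in test scenario for this rule is a passing one (coredumps_storage_none_dropin.pass.sh). A scenario with Storage=none in the main file and a conflicting value in a drop-in would pin down what this `criteria OR` definition is expected to report in that case.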

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label May 27, 2023
@evgenyz evgenyz changed the title SLE Coredump configuration support dropin remdediation SLE Coredump configuration support dropin remediation May 29, 2023
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label May 31, 2023
@jan-cerny
Collaborator

@teacup-on-rockingchair Please remove the "Merge" commit from the PR, you can do that by performing an interactive rebase of the PR on the top of the latest upstream master branch.

The new macro is called oval_check_systemd_config and has similar functionality,
but adds the possibility to check also in drop-in files located in a subdirectory,
named after the conf-file, as it is done in systemd services case.
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the coredump_config_dropin_remdediation branch from a1976c9 to d1aa7d6 Compare June 21, 2023 04:32
@teacup-on-rockingchair
Contributor Author

@teacup-on-rockingchair Please remove the "Merge" commit from the PR, you can do that by performing an interactive rebase of the PR on the top of the latest upstream master branch.

🙇 not sure how I achieved that once more but now should be OK

@jan-cerny jan-cerny self-assigned this Jun 26, 2023
@jan-cerny jan-cerny added this to the 0.1.69 milestone Jun 26, 2023

- name: "{{{ rule_title }}}: Make sure Coredump section exist in remediation file"
  ansible.builtin.lineinfile:
    path: '/etc/systemd/coredump.conf.d/oscap-autoremedy.conf'
Collaborator

The path needs to be mentioned also in the rule.yml. Now your checks and remediations aren't aligned with the rule description.

@codeclimate

codeclimate bot commented Jul 5, 2023

Code Climate has analyzed commit 9747511 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.5% (0.6% change).

Collaborator

@jan-cerny jan-cerny left a comment

I assume the Automatus CI job failure is related to the fact that a container is used as a backend on the CI worker. When performed locally with a VM, the test passed:

[jcerny@fedora scap-security-guide{pr/10604}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 coredump_disable_storage
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-10-0930/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_coredump_disable_storage
INFO - Script coredumps_storage_default.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none.pass.sh using profile (all) OK
INFO - Script coredumps_storage_persistent.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none_dropin.pass.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10604}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel9 coredump_disable_storage
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-07-10-0934/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_coredump_disable_storage
INFO - Script coredumps_storage_default.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none.pass.sh using profile (all) OK
INFO - Script coredumps_storage_persistent.fail.sh using profile (all) OK
INFO - Script coredumps_storage_none_dropin.pass.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10604}]$ 

@jan-cerny jan-cerny merged commit 68e8aef into ComplianceAsCode:master Jul 10, 2023