Fix UBTU-20-010013 OVAL and simplify ansible remediation #11085
Conversation
This commit will fix the tmout remediation for UBTU-20-010013, which only expects TMOUT=600. Additionally, the remediation variable has been simplified to tmout_line, which can be used for OSes that may have different expected TMOUT lines.
Hi @dexterle. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check. Ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -4,11 +4,30 @@
tags:
- always
-- name: Correct any occurrence of TMOUT in /etc/profile
- replace:
+- name: Set Interactive Session Timeout - Set TMOUT Line Fact
+ ansible.builtin.set_fact:
+ tmout_line: declare -xr TMOUT={{ var_accounts_tmout }}
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80673-7
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSSv4-8.6.1
+ - accounts_tmout
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set Interactive Session Timeout - Correct Any Occurrence of TMOUT in /etc/profile
+ ansible.builtin.replace:
path: /etc/profile
regexp: ^[^#].*TMOUT=.*
- replace: declare -xr TMOUT={{ var_accounts_tmout }}
+ replace: '{{ tmout_line }}'
register: profile_replaced
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
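Review bot: the new `set_fact` task sets `tmout_line: declare -xr TMOUT={{ var_accounts_tmout }}` without any product or OS conditional, so the fact is the same string on every platform and the two tasks that consume it behave exactly as the removed hardcoded `replace:` value did; if the purpose of `tmout_line` is to let other OSes expect a different line, this hunk needs a per-product branch around the `set_fact` (a Jinja `{{% if product ... %}}` block or a product-specific variable), otherwise the indirection only adds a task. Two smaller points: the `set_fact` value is an unquoted scalar containing `{{ }}`, which parses here only because it begins with `declare`, so quoting it the way `'{{ tmout_line }}'` is quoted below is safer; and the `when:` on the `set_fact` must stay identical to the consumers' `when:`, since a skipped `set_fact` leaves `tmout_line` undefined for any later task that is not skipped by the same condition.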
@@ -31,7 +50,7 @@
path: /etc/profile.d/tmout.sh
create: true
regexp: TMOUT=
- line: declare -xr TMOUT={{ var_accounts_tmout }}
+ line: '{{ tmout_line }}'
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags: |
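Review bot: `regexp: TMOUT=` on this `lineinfile` task is unanchored, so a commented-out `# TMOUT=` in /etc/profile.d/tmout.sh matches and is rewritten in place, while the /etc/profile task above deliberately skips comment lines with `^[^#].*TMOUT=`; since `line:` is being changed here anyway, aligning the two (for example `regexp: ^[^#]*TMOUT=`) keeps both tasks treating commented lines the same way. Also, the first hunk registers `profile_replaced`, which suggests this task is meant to be skipped once /etc/profile already carries the corrected line, but the `when:` visible here only checks the virtualization type; please confirm the registered result is used somewhere in the omitted context, because otherwise both /etc/profile and /etc/profile.d/tmout.sh end up with `declare -xr TMOUT=...` and the second read-only declaration errors at login.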
Code Climate has analyzed commit e488724 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.8% (0.0% change). View more on Code Climate.
I don't think we should do the remediation as proposed by DISA but instead follow CIS on this.
@@ -37,8 +37,10 @@ | |||
{{% if filepath %}} | |||
<ind:filepath>{{{ filepath }}}</ind:filepath> | |||
{{% endif %}} | |||
{{% if product in ['sle12', 'sle15'] or "ubuntu" in product %}} | |||
{{% if product in ['sle12', 'sle15'] or product in ['ubuntu1804', 'ubuntu2204'] %}} |
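Review bot: narrowing the template condition from `"ubuntu" in product` to the explicit list `['ubuntu1804', 'ubuntu2204']` drops `ubuntu2004` (the product this PR targets via UBTU-20-010013) from the shared branch and has to be revisited for every future Ubuntu product; unless a separate OVAL is meant to cover `ubuntu2004`, keeping the substring test and expressing the UBTU-20 expectation through the variable value avoids forking the rule, which matches the "we should not split this rule" remark above.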
we should not split this rule
I believe the solution as is now is way better than what is in DISA's STIG document.
Would you recommend to drop the PR if we follow CIS? The original remediation seems to work well so not sure if this PR is even needed.
I believe you will still want to add a ubuntu specific ansible, as the shared ansible does not cover our case, see bash remediation. But for the oval you could drop the changes.
On Ubuntu 22.04, Ansible creates a wrong tmout file: cat /etc/profile.d/tmout.sh
Bash fix is good.
@dexterle: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
ping
dexterle reached out last week about continuing work on this PR, and I've asked to open new ones for a clean state. Therefore closing this one.
Description:
Rationale:
Review Hints:
Build the product:
To test these changes with Ansible:
To test changes with bash, run the remediation sections:
xccdf_org.ssgproject.content_rule_accounts_tmout
Check out the manual STIG OVAL definitions, and use software like DISA STIG Viewer to view them.
This STIG cannot be tested with the latest Ubuntu 2004 Benchmark SCAP. Please perform a manual check using the check text. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/
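Since the STIG has to be verified by hand, here is an added example of the manual check as a small POSIX shell script. It is not code from this PR or from ComplianceAsCode; the function name `check_tmout`, its return codes, and the sample profile files it creates are all constructed for the demo. It treats any line with a `#` before `TMOUT=` as inactive (the same reading the remediation's `^[^#].*TMOUT=` pattern uses), counts the active assignments, and passes only when exactly one of them is the `declare -xr TMOUT=<seconds>` form the remediation writes, with the expected value (600, as the PR description states for UBTU-20-010013).

```shell
#!/bin/sh
# Added example, not code from this PR or from ComplianceAsCode: a POSIX shell
# check for manually verifying the interactive session timeout setting in a
# profile-style file such as /etc/profile or /etc/profile.d/tmout.sh.
# The sample files in demo() are constructed for the demonstration.

# check_tmout FILE SECONDS
#   0: exactly one active line, of the form "declare -xr TMOUT=SECONDS"
#   1: no active TMOUT assignment (only comments, or file missing)
#   2: more than one active assignment (a later one may override the first)
#   3: one active assignment, but not the expected form or value
check_tmout() {
  file=$1
  expected=$2
  # A '#' anywhere before "TMOUT=" makes the assignment a comment; skip those
  active=$(grep -E '^[^#]*TMOUT=' "$file" 2>/dev/null)
  if [ -z "$active" ]; then
    echo "$file: no active TMOUT assignment"
    return 1
  fi
  count=$(printf '%s\n' "$active" | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "$file: $count active TMOUT assignments, expected exactly one"
    return 2
  fi
  # Exported and read-only so a user shell cannot unset or lower the timeout
  if printf '%s\n' "$active" | grep -Eq "^declare -xr TMOUT=${expected}\$"; then
    echo "$file: PASS ($active)"
    return 0
  fi
  echo "$file: FAIL, found '$active', expected 'declare -xr TMOUT=$expected'"
  return 3
}

# Demo on constructed files covering the pass case and each failure mode
demo() {
  dir=$(mktemp -d)
  printf '# TMOUT=900\ndeclare -xr TMOUT=600\n' > "$dir/remediated.sh"
  printf '# TMOUT=600\n' > "$dir/commented_only.sh"
  printf 'TMOUT=900\nexport TMOUT\n' > "$dir/wrong_value.sh"
  printf 'declare -xr TMOUT=600\nTMOUT=3600\n' > "$dir/duplicate.sh"
  for f in remediated commented_only wrong_value duplicate; do
    check_tmout "$dir/$f.sh" 600 || :
  done
  rm -rf "$dir"
}
demo
```

Run it against the real files with `check_tmout /etc/profile 600` and `check_tmout /etc/profile.d/tmout.sh 600`; note that both files passing individually still means the read-only variable is declared twice at login, which is the situation the review comments on the Ansible change warn about.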