New Rule: networkmanager_dns_mode #11160

Merged
merged 5 commits into from
Oct 6, 2023

@Mab879 Mab879 commented Sep 29, 2023

Description:

This PR adds the new rule networkmanager_dns_mode

Rationale:

Needed for future work.

@Mab879 Mab879 added the New Rule, RHEL9 and STIG labels Sep 29, 2023
@Mab879 Mab879 added this to the 0.1.70 milestone Sep 29, 2023
@Mab879 Mab879 changed the title New Rule: network_manager_dns_mode New Rule: networkmanager_dns_mode Sep 29, 2023
@Mab879 Mab879 force-pushed the new_rule_dns_mode_nm branch from f21fc8c to 70679ae Compare September 29, 2023 18:53
@Mab879 Mab879 force-pushed the new_rule_dns_mode_nm branch from 7b2d045 to 1ead347 Compare September 29, 2023 19:44
@jan-cerny jan-cerny self-assigned this Oct 2, 2023

@jan-cerny jan-cerny left a comment

I think that the CI fail of Automatus jobs is caused by systemd not running in the container environment. Consider marking the rule as machine only.

However, when executed locally on a RHEL 9.2 virtual machine back end, I get some fails with Ansible remediations:

[jcerny@fedora tests]$ python3 automatus.py rule --libvirt qemu:///system ssgts_rhel9 networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/tests/logs/rule-custom-2023-10-02-0944/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
[jcerny@fedora tests]$ python3 automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/tests/logs/rule-custom-2023-10-02-1036/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.
INFO - Script wrong_value.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.

Do you encounter the same problem? Please take a look.


prodtype: rhel9

title: 'NetworkManager DNS Mode Must Be Must'

Suggested change
title: 'NetworkManager DNS Mode Must Be Must'
title: 'NetworkManager DNS Mode Must Be Configured'


{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}

{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ networkmanager_dns_mode }}") }}}
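
Review bot: on the last line, the value passed to ansible_ini_file_set is "{{ networkmanager_dns_mode }}", but the variable instantiated two lines above is var_networkmanager_dns_mode, so the generated task references a name that is never defined. Pass "{{ var_networkmanager_dns_mode }}" as the value so the task uses the variable that ansible_instantiate_variables sets up.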

fatal: [192.168.124.141]: FAILED! => {
    "msg": "The task includes an option with an undefined variable. The error was: 'networkmanager_dns_mode' is undefined. 'networkmanager_dns_mode' is undefined\n\nThe error appears to be in '/home/jcerny/work/git/scap-security-guide/tests/logs/rule-custom-2023-10-02-1036/xccdf_org.ssgproject.content_rule_networkmanager_dns_mode.yml': line 45, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Set 'dns' to '{{ networkmanager_dns_mode }}' in the [main] section of '/etc/NetworkManager/NetworkManager.conf'\n      ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n    with_items:\n      - {{ foo }}\n\nShould be written as:\n\n    with_items:\n      - \"{{ foo }}\"\n"
}

@Mab879 Mab879 modified the milestones: 0.1.70, 0.1.71 Oct 2, 2023
@Mab879 Mab879 force-pushed the new_rule_dns_mode_nm branch from ce1f84f to cf22422 Compare October 5, 2023 12:21
@codeclimate

codeclimate bot commented Oct 5, 2023

Code Climate has analyzed commit 3dd2bde and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 56.8%.


@jan-cerny

/packit retest-failed

@jan-cerny jan-cerny left a comment

When executed on a VM back end the Automatus tests pass:

jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $ python3 tests/automatus.py rule   --libvirt qemu:///system ssgts_rhel9 networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-10-06-1419/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $ python3 tests/automatus.py rule   --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible networkmanager_dns_mode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-10-06-1421/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script correct_default.pass.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11160) $ 


@jan-cerny jan-cerny merged commit ecdee9b into ComplianceAsCode:master Oct 6, 2023
@Mab879 Mab879 deleted the new_rule_dns_mode_nm branch October 6, 2023 13:07