Align RHEL 7 CIS control file with CIS v4.0.0 - Section 5

[jan-cerny]

Description:

In this PR, we change the control file, change references, add existing rules. But, we don't add new rules.

Rationale:

Align RHEL 7 CIS control file with CIS v4.0.0

Review Hints:

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[jan-cerny]

The CI fail on Rawhide is caused by aio-libs/multidict#926 and isn't related to the pull request.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
@@ -4,6 +4,7 @@
 var_auditd_space_left_action=''
 
 
+var_auditd_space_left_action="$(echo $var_auditd_space_left_action | cut -d \| -f 1)"
 #
 # If space_left_action present in /etc/audit/auditd.conf, change value
 # to var_auditd_space_left_action, else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
@@ -28,7 +28,7 @@
 - name: Configure auditd space_left Action on Low Disk Space
   lineinfile:
     dest: /etc/audit/auditd.conf
-    line: space_left_action = {{ var_auditd_space_left_action }}
+    line: space_left_action = {{ var_auditd_space_left_action.split('|')[0] }}
     regexp: ^\s*space_left_action\s*=\s*.*$
     state: present
     create: true

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed'.
--- xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
+++ xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
@@ -14,3 +14,6 @@
 Storing log data on a remote host protects log integrity from local
 attacks. If an attacker gains root access on the local system, they
 could tamper with or remove log data that is stored on the local system.
+
+[ident]:
+CCE-86467-8

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
+++ xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
@@ -4,6 +4,7 @@
     state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
+  - CCE-86467-8
   - enable_strategy
   - low_complexity
   - low_disruption

[jan-cerny]

I have rebased this PR on the top of the latest upstream master branch.

[marcusburghardt]

Nice work. I only have some few comments to take a look.

[jan-cerny]

I have done changes according to @marcusburghardt's comments.

[marcusburghardt]

The status now can be updated to automated and the comment can be removed.

[jan-cerny]

I have updated the status and removed the comment.

[marcusburghardt]

Great. Thanks for the nice work @jan-cerny . I will wait the CI tests to confirm everything is good and merge it.

[codeclimate]

Code Climate has analyzed commit a7860dc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

[marcusburghardt]

I checked the failed Automatus tests and they are failing during the clean-up, after the rule tests.
There are no issues testing the rules, so the tests can be safely waived in this particular case.

We are investigating the issue with automatus task "Delete datastream artifact".