Add support for XCCDF variables into sshd_lineinfile template #12251
Conversation
vojtapolasek
added
Ansible
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffOVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- oval:ssg-sshd_set_keepalive:def:1
+++ oval:ssg-sshd_set_keepalive:def:1
@@ -5,5 +5,7 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
-criterion oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1
+criteria AND
+criteria AND
+criterion oval:ssg-test_sshd_set_keepalive:tst:1
+criterion oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_sshd_set_keepalive=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
vojtapolasek
force-pushed
the
sshd_lineinfile_variables
branch
from
8cf4050 to
7d232bc
Compare
vojtapolasek
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Please double check your commits, there are commits on this PR that don't seem to belong. |
vojtapolasek
force-pushed
the
sshd_lineinfile_variables
branch
from
cd37810 to
c7cf89c
Compare
|
Sorry for inconvenience, fixed. |
| name: sshd_lineinfile | ||
| vars: | ||
| parameter: ClientAliveCountMax | ||
| rule_id: sshd_set_keepalive |
There was a problem hiding this comment.
I found it weird that the rule_id is passed as a parameter here because the rule ID is known to the templating engine.
There was a problem hiding this comment.
I confirm it is not used. I fixed it in the sshd_set_keepalive. I also made a commit which removes it from other templated rules, just in case it would feel too much out of scope here.
shared/macros/10-oval.jinja
Outdated
| @@ -336,6 +336,21 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo | |||
| </ind:textfilecontent54_state> | |||
| {{%- endmacro %}} | |||
|
|
|||
| {{%- macro oval_line_in_file_state_xccdf_variable(var_name='', id_stem='', datatype='') -%}} | |||
| {{%- set id_stem = id_stem or rule_id -%}} | |||
| <local_variable id="local_var_regex_{{{ id_stem }}}" | |||
There was a problem hiding this comment.
I have discovered that eg. in build/rhel9/checks/oval/sshd_set_keepalive.xml this generates 2 local variables that reference the same external variable. It probably isn't a problem.
There was a problem hiding this comment.
I think I solved it by 444811a
| @@ -2,8 +2,9 @@ | |||
|
|
|||
| # platform = Oracle Linux 8,Oracle Linux 9 | |||
|
|
|||
| SSHD_PARAM={{{ PARAMETER }}} | |||
| SSHD_VAL="bad_val" | |||
| {{% if XCCDF_VARIABLE %}} | |||
There was a problem hiding this comment.
Would it make sense to extend all the Oracle test scenarios also to RHEL? How can we test that these scenarios work well and don't break Oracle?
There was a problem hiding this comment.
I don't think this is in scope of this PR. Oracle has an extra test in the oval which has something to do with the fact that there should be correct include directive present in /etc/ssh/sshd_config. It might be worth adding also to our OVAL, but I think this needs an extra PR.
|
Hello @jan-cerny , I think I addressed your feedback. |
vojtapolasek
force-pushed
the
sshd_lineinfile_variables
branch
from
a1516f4 to
7384483
Compare
There was a problem hiding this comment.
@vojtapolasek Please resolve the Code Climate problems, but overall it looks great.
vojtapolasek
force-pushed
the
sshd_lineinfile_variables
branch
2 times, most recently
from
3488d2f to
16205f2
Compare
|
Hello @jan-cerny I am not sure if fixing the remaining Codeclimate issue would not be actually contraproductive... I am afraid it would decrease readability of the |
implement notion of XCCDF variables also start using a new template parameter datatype. It is used to generate proper templated test scenarios, see the template.py of the sysctl template.
…ger as well the + character kinda forced the value to be a string because it refused to concatenate non-string instances of the value
It is effectivelly not used and will be removed in the future. The build system does not need this passed, it knows it already.
…pendently of the OVAL state. This prevents creating of duplicate local_variables which in the end reference the same XCCDF variable (through external_variable).
extract setting of test scenario variables to a separate function split long strings to multiple lines
vojtapolasek
force-pushed
the
sshd_lineinfile_variables
branch
from
16205f2 to
b7b820d
Compare
|
@vojtapolasek I concur, thanks for your analysis. |
|
Code Climate has analyzed commit b7b820d and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
Description:
Rationale:
The sshd_lineinfile is very robust and it has support for distributed sshd configuration.
There are rules regarding sshd configuration which utilize XCCDF variables.
But these rules are not using the sshd_lineinfile template and therefore they don't respect presence of distributed sshd configuration. This creates problems because if two categories of rules mentioned above are combined, then remediations can end up in different files; some in the main sshd_config and some in a file within the sshd_config.d directory. This is not desired.
Please note that I did not template all relevant rules, I modified only one to keep the PR size down. The rest will follow up in a separate PR.
Review Hints: