Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule

[mrkanon]

Description:

Updated
Ansible remediation

Add 'variables' clause and OL9 platform in header of the following tests
stig_correct.pass.sh
stig_correct_commented.fail.sh
stig_correct_followed_by_incorrect_commented.pass.sh
stig_empty_file.fail.sh
stig_empty_policy.fail.sh
stig_incorrect_followed_by_correct_commented.fail.sh
stig_incorrect_policy.fail.sh
stig_missing_file.fail.sh

Rationale:

In the task filling gaps in OL9 automation, the rule harden_sshd_ciphers_openssh_conf_crypto_policy has a remediation deficit with ansible. The Ansible remediation already existed; it just needed OL9 added to the "platform" clause. The test update is to align the test with best practices, since the profile can generate inconsistencies in the test because the variable may have a different value in the profile than the one used in the test, this can cause the test to fail.

[openshift-ci]

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12324
This image was built from commit: b5f8367

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12324

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12324 make deploy-local

[codeclimate]

Code Climate has analyzed commit b5f8367 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

[Mab879]

Thanks for the PR.

What was the reasoning behind moving to variable vs profile in the tests?

[mrkanon]

Thanks for the PR.

What was the reasoning behind moving to variable vs profile in the tests?

This is because the "*.pass.sh" tests fails when it should pass, because the variable evaluated in the test may be different than the value in the profile. The change in the remaining tests is to maintain consistency.

[Mab879]

Thanks for comment.

LGTM.

[Mab879]

Waving the two failing automatus CI checks since SLE15 and Ubuntu don't have crypto policy rules.