Handle XCCDF variable in key_value_pair_in_file template #13051
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- oval:ssg-selinux_policytype:def:1
+++ oval:ssg-selinux_policytype:def:1
@@ -1,2 +1,4 @@
criteria AND
-criterion oval:ssg-test_selinux_policy:tst:1
+criteria OR
+criterion oval:ssg-test_selinux_policytype:tst:1
+criterion oval:ssg-test_selinux_policytype_config_file_exists:tst:1
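Review bot: the flattened rendering drops the nesting, so it is not visible whether `criterion oval:ssg-test_selinux_policytype_config_file_exists:tst:1` sits inside the new `criteria OR` or next to it under the outer `criteria AND`. Inside the OR, an existing `/etc/selinux/config` with a wrong policy type value would satisfy the definition whenever the existence test is true; please confirm the existence test is combined with the value test under the AND (or negated so that a missing file is what fails), and that the renamed test id `ssg-test_selinux_policytype` has replaced every reference to the old `ssg-test_selinux_policy`.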
bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel; then
var_selinux_policy_name=''
-
if [ -e "/etc/selinux/config" ] ; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -12,11 +12,11 @@
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
+ - configure_strategy
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
- - restrict_strategy
+ - no_reboot_needed
- selinux_policytype
- name: XCCDF Value var_selinux_policy_name # promote to variable
set_fact:
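Review bot: the tags flip from `reboot_required` / `restrict_strategy` to `no_reboot_needed` / `configure_strategy`. Changing the SELinux policy type in `/etc/selinux/config` only takes effect after a reboot (and a relabel), so `no_reboot_needed` looks like a template default overriding metadata the rule had right before; keep `reboot_required` (and the original strategy) for this rule by setting the template's remediation metadata (`reboot`, `strategy`) from the rule rather than from a fixed default.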
@@ -64,9 +64,9 @@
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
+ - configure_strategy
- low_complexity
- low_disruption
- medium_severity
- - reboot_required
- - restrict_strategy
+ - no_reboot_needed
- selinux_policytype
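Review bot: same tag inversion as in the previous hunk of this playbook; whichever metadata fix is chosen has to cover both copies of the task list.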
bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -3,7 +3,7 @@
if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
- LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf"
+ LC_ALL=C sed -i "/^[ \\t]*AuditBackend=/Id" "/etc/usbguard/usbguard-daemon.conf"
else
touch "/etc/usbguard/usbguard-daemon.conf"
fi
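Review bot: the new address `/^[ \\t]*AuditBackend=/Id` depends on two GNU sed extensions: `\t` inside a bracket expression (POSIX sed would read `[ \t]` as space, backslash or the letter `t`) and the `I` case-insensitive flag. That is fine for the Linux targets this content ships for, but the `I` flag also widens the delete to `auditbackend=` spellings, so confirm it is intended and matches what the Ansible `(?i)` regexp and the OVAL check accept; note too that the previous `\s` covered whitespace other than space and tab.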
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -7,12 +7,12 @@
- NIST-800-53-AU-2
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
+ - configure_strategy
- configure_usbguard_auditbackend
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- - restrict_strategy
- name: Log USBGuard daemon audit events using Linux Audit
block:
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: (?i)^\s*AuditBackend=
+ regexp: (?i)^[ \\t]*AuditBackend=
state: absent
check_mode: true
changed_when: false
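Review bot: in this YAML plain scalar the two backslashes are literal, so the regexp Ansible hands to Python's `re` is `(?i)^[ \\t]*AuditBackend=`, whose character class matches a space, a backslash or the letter `t`, not a tab. A tab-indented `AuditBackend=` line therefore no longer counts in this duplicate check, while a line such as `tAuditBackend=` would. The doubled backslash is right for the bash `sed` string, where the double quotes strip one level, but here it should be a single `\t`, or simply the previous `\s`.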
@@ -31,7 +31,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: (?i)^\s*AuditBackend=
+ regexp: (?i)^[ \\t]*AuditBackend=
state: absent
when: dupes.found is defined and dupes.found > 1
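Review bot: same `[ \\t]` escaping problem as in the hunk above; this is the task that removes the duplicates, so a tab-indented duplicate `AuditBackend=` line would survive the cleanup.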
@@ -39,7 +39,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: (?i)^\s*AuditBackend=
+ regexp: (?i)^[ \\t]*AuditBackend=
line: AuditBackend=LinuxAudit
state: present
when:
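Review bot: same escaping problem, with a visible consequence here: `lineinfile` with `state: present` appends `AuditBackend=LinuxAudit` when the regexp finds no match, so a tab-indented existing `AuditBackend=` line would be left in place next to the newly appended one instead of being replaced.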
@@ -51,9 +51,9 @@
- NIST-800-53-AU-2
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
+ - configure_strategy
- configure_usbguard_auditbackend
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- - restrict_strategy |
@@ -0,0 +1,6 @@ | |||
deny_templated_scenarios: |
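Review bot: a `deny_templated_scenarios` list in this rule's test config switches off exactly the scenarios the template change is meant to exercise; if some of them have to stay excluded, add a comment in the file naming the reason (the strict SELinux configuration format), so the exclusion is not silently widened later.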
Why do you disable the templated scenarios? I can see that you modified the templated scenarios to make them work also if the XCCDF value is provided, but on this rule where you want to demonstrate it you disabled them.
Hello.
This is a good point and it made me add some additional template options for providing correct and incorrect values, which are later used in test scenarios.
See latest commits.
However, some scenarios have to be skipped because selinux is very picky about the configuration file. And if configured incorrectly, it will not allow me to continue.
amazing!
@@ -84,9 +91,19 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo | |||
</criteria> | |||
{{%- endif %}} | |||
</definition> | |||
|
|||
{{% if xccdf_variable %}} | |||
{{{ oval_line_in_file_define_variable(xccdf_variable, datatype="string") }}} |
I don't like that this macro generates a local variable that references an external variable. Also, I don't like that the generated local variable has a comment: "Regex that matches exact value represented by var_selinux_policy_name XCCDF variable". That is misleading, at least for the OVAL in rule selinux_policytype, the XCCDF value isn't a regular expression and the local variable isn't used in a pattern match operation but in an equals operation.
I hope I resolved the naming problems in 68a527c.
Regarding the usage of local variable... I always thought that you need a local variable to reference external variable and then the local variable can be used in OVAL state. Am I wrong?
You can use the external variable directly in the OVAL state. You don't need the interim local variable. See for example linux_os/guide/system/selinux/selinux_state/oval/shared.xml, where in textfilecontent54_state the var_ref="var_selinux_state" references the external_variable.
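The direct `var_ref` reference described above can be checked mechanically. What follows is an added example for this discussion, not code from the ComplianceAsCode build system: a small Python lint over an OVAL fragment that flags a `var_ref` naming no declared variable and a `local_variable` whose only component forwards an `external_variable`, plus a helper that rewrites such pass-through variables into direct references. The sample OVAL, its state ids and the `oval:ssg-local_policy:var:1` / `oval:ssg-missing:var:1` ids are constructed for the demonstration; only the OVAL element names and namespaces are real.

```python
"""Lint an OVAL fragment for variable-reference smells.

An OVAL state may point its var_ref straight at an external_variable, so a
local_variable whose only component forwards an external_variable is an
unnecessary indirection, and a var_ref that names no declared variable is
an error. Added example; SAMPLE_OVAL and its ids are constructed."""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = OVAL_NS + "#independent"
VARIABLE_TAGS = {"external_variable", "local_variable", "constant_variable"}

# Keep the usual prefixes when the tree is serialised again.
ET.register_namespace("", OVAL_NS)
ET.register_namespace("ind", IND_NS)

# Constructed sample: one state references the external variable directly
# (the pattern from selinux_state/oval/shared.xml), one goes through a
# pass-through local variable, one points at a variable that does not exist.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <states>
    <ind:textfilecontent54_state id="oval:ssg-state_direct:ste:1" version="1">
      <ind:subexpression datatype="string" var_ref="var_selinux_state"/>
    </ind:textfilecontent54_state>
    <ind:textfilecontent54_state id="oval:ssg-state_indirect:ste:1" version="1">
      <ind:subexpression datatype="string" var_ref="oval:ssg-local_policy:var:1"/>
    </ind:textfilecontent54_state>
    <ind:textfilecontent54_state id="oval:ssg-state_dangling:ste:1" version="1">
      <ind:subexpression datatype="string" var_ref="oval:ssg-missing:var:1"/>
    </ind:textfilecontent54_state>
  </states>
  <variables>
    <external_variable id="var_selinux_state" datatype="string" version="1"
        comment="SELinux state"/>
    <external_variable id="var_selinux_policy_name" datatype="string" version="1"
        comment="SELinux policy name"/>
    <local_variable id="oval:ssg-local_policy:var:1" datatype="string" version="1"
        comment="forwards the XCCDF variable unchanged">
      <variable_component var_ref="var_selinux_policy_name"/>
    </local_variable>
  </variables>
</oval_definitions>
"""


def _local(tag):
    """ElementTree gives '{namespace}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def _collect_variables(root):
    """Map every declared variable id to its element."""
    return {el.get("id"): el for el in root.iter() if _local(el.tag) in VARIABLE_TAGS}


def _walk(elem, owner, variables, findings):
    """Depth-first walk remembering the nearest ancestor with an id, so a
    dangling var_ref is reported against the state or object it sits in."""
    if elem.get("id") is not None:
        owner = elem.get("id")
    ref = elem.get("var_ref")
    if ref is not None and ref not in variables:
        findings.append(("dangling", owner, ref))
    for child in elem:
        _walk(child, owner, variables, findings)


def lint_var_refs(oval_xml):
    """Return sorted (kind, where, var_ref) findings for a fragment."""
    root = ET.fromstring(oval_xml)
    variables = _collect_variables(root)
    findings = []
    _walk(root, "<root>", variables, findings)
    for vid, var in variables.items():
        if _local(var.tag) != "local_variable":
            continue
        parts = list(var)
        # Exactly one plain variable_component aimed at an external_variable:
        # the local variable adds nothing the state could not reference itself.
        if (len(parts) == 1 and _local(parts[0].tag) == "variable_component"
                and _local(variables.get(parts[0].get("var_ref"), var).tag)
                == "external_variable"):
            findings.append(("pass-through", vid, parts[0].get("var_ref")))
    return sorted(findings)


def inline_pass_through(oval_xml):
    """Redirect every var_ref that goes through a pass-through local_variable
    to the external_variable itself and drop the now-unused local_variable."""
    root = ET.fromstring(oval_xml)
    variables = _collect_variables(root)
    redirect = {vid: target for kind, vid, target in lint_var_refs(oval_xml)
                if kind == "pass-through"}
    for elem in root.iter():
        if elem.get("var_ref") in redirect:
            elem.set("var_ref", redirect[elem.get("var_ref")])
    parents = {child: parent for parent in root.iter() for child in parent}
    for vid in redirect:
        parents[variables[vid]].remove(variables[vid])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_var_refs(SAMPLE_OVAL):
        print(*finding)
```

Run against the sample, the lint reports the dangling reference in `oval:ssg-state_dangling:ste:1` and the pass-through `oval:ssg-local_policy:var:1`; `inline_pass_through` leaves the direct references untouched and makes the indirect state reference `var_selinux_policy_name` itself. The dangling case is left alone on purpose, since only the author knows which variable was meant.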
/packit build
When testing rule selinux_policytype using Automatus against a RHEL 9 VM, the test scenario missing_file.fail.sh errors for me in both Ansible and oscap remediations. The verbose log shows the following:
Warning: Permanently added '192.168.124.220' (ED25519) to the list of known hosts.
Connection closed by 192.168.124.220 port 22
Failed to connect!
I don't know what problem this is. I suggest adding the missing_file.fail.sh to linux_os/guide/system/selinux/selinux_policytype/tests/test_config.yml
…ble in the place of value
…stead of hardcoded value
This rule uses an XCCDF variable.
… test value See updated template documentation for explanation.
Some tests still need to be excluded because selinux apparently has a very strict configuration format. In case the configuration is invalid, it is not possible to log into the test machine.
it is not needed
68a527c to 4532fa5
Hello @jan-cerny I think I solved all your feedback in latest commits.
Code Climate has analyzed commit b048962 and detected 2 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
TSs have passed locally on a RHEL 9 VM back end.
jcerny@fedora:~/work/git/scap-security-guide (pr/13051)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 selinux_policytype
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-26-0945/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_selinux_policytype
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script selinuxtype_missing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script selinuxtype_targeted.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script selinuxtype_targeted_additional_spaces.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13051)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible selinux_policytype
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-26-0948/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_selinux_policytype
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script selinuxtype_missing.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script selinuxtype_targeted.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script selinuxtype_targeted_additional_spaces.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13051)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 configure_usbguard_auditbackend
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-26-0951/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
INFO - Script conflicting_values.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_file.fail.sh using profile (all) OK
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script commented.fail.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script present.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13051)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible configure_usbguard_auditbackend
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-03-26-0954/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script conflicting_values.fail.sh using profile (all) OK
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_file.fail.sh using profile (all) OK
INFO - Script commented.fail.sh using profile (all) OK
INFO - Script missing.fail.sh using profile (all) OK
INFO - Script present.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK