Include remediation for fapolicy_default_deny rule #11211
The remediation ensures that fapolicyd is not working in permissive mode and also explicitly creates a final rule denying everything, as required by some policies.
The Ansible remediation is aligned to the Bash remediation.
The test scenarios were using a macro which was enough to test the OVAL but was breaking the fapolicyd service due to a syntax error. The same macro was used twice while the first call was unnecessary. This commit removes the unnecessary call and replaces the macro by another that does not break the fapolicyd syntax.
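The two settings the remediation enforces, written out as an added shell example (not the project's own Bash remediation): force `permissive = 0` in fapolicyd.conf and make sure a catch-all deny is the last rule. File paths are parameters so it can be exercised on copies; the assumption that the deny rule lives in its own file under /etc/fapolicyd/rules.d/ is the author's, not the page's.

```shell
#!/bin/sh
# Added example, not the ComplianceAsCode remediation. Real paths are normally
# /etc/fapolicyd/fapolicyd.conf and a rules file under /etc/fapolicyd/rules.d/
# (file name is an assumption); here they are passed in as arguments.
set -eu

DENY_RULE='deny perm=any all : all'

# Ensure "permissive = 0" in fapolicyd.conf: rewrite any existing setting
# (including "permissive = 1"), otherwise append the key.
disable_permissive() {
    conf="$1"
    if grep -Eq '^[[:space:]]*permissive[[:space:]]*=' "$conf"; then
        sed -i -E 's/^[[:space:]]*permissive[[:space:]]*=.*/permissive = 0/' "$conf"
    else
        printf 'permissive = 0\n' >> "$conf"
    fi
}

# Ensure the rules file ends with the catch-all deny rule. Existing rules are
# left untouched; the deny is appended only when it is not already last, so
# the function is idempotent and never shadows earlier allow rules.
append_final_deny() {
    rules="$1"
    last="$(grep -v '^[[:space:]]*$' "$rules" | tail -n 1)"
    if [ "$last" != "$DENY_RULE" ]; then
        printf '%s\n' "$DENY_RULE" >> "$rules"
    fi
}

# Post-remediation check: permissive mode off and deny-all is the final rule.
check_remediated() {
    grep -Eq '^permissive[[:space:]]*=[[:space:]]*0$' "$1" &&
    [ "$(grep -v '^[[:space:]]*$' "$2" | tail -n 1)" = "$DENY_RULE" ]
}
```

fapolicyd reads its configuration at start, so the service has to be restarted after these edits, and an allowlist for authorized software must already be in place or the final deny blocks everything not explicitly permitted.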
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
--- xccdf_org.ssgproject.content_rule_fapolicy_default_deny
+++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny
@@ -4,9 +4,6 @@
[description]:
The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.
-
-[warning]:
-This rule doesn't come with a remediation. Before remediating the system administrator needs to create an allowlist of authorized software.
[reference]:
CCI-001764
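Review bot: Dropping the whole warning also drops the only instruction that an allowlist of authorized software must exist before remediating ("Before remediating the system administrator needs to create an allowlist of authorized software."). Now that the rule ships a remediation that disables permissive mode and appends a catch-all deny, applying it on a host without an allowlist blocks execution of untrusted software outright, so that sentence is more important, not less. Suggest keeping a [warning] block that states this precondition and rewording only the first sentence, which is the part that became false.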
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
Thanks for this PR.
Please remove the warning in the rule.yml stating there is no remediation.
Done
Code Climate has analyzed commit 1034cda and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 57.0%.
The failure on SLE15 can be waived as the rule is not applicable on SLE15.
LGTM.
Thanks!
Description:
Create Bash and Ansible remediation for fapolicy_default_deny rule. The remediation ensures the fapolicyd is not working in permissive mode and also explicitly creates a final rule denying everything. Currently, STIG requires this explicit final rule. Test scenarios were also reviewed and improved.
Rationale:
Review Hints:
./tests/automatus.py rule --libvirt qemu:///session rhel8 --datastream build/ssg-rhel8-ds.xml --dontclean --remediate-using bash fapolicy_default_deny
./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --remediate-using ansible fapolicy_default_deny