Include remediation for fapolicy_default_deny rule #11211

Merged
merged 4 commits into from
Oct 18, 2023

marcusburghardt
Member

Description:

Create Bash and Ansible remediation for fapolicy_default_deny rule.
The remediation ensures the fapolicyd is not working in permissive mode and also explicitly creates a final rule denying everything. Currently, STIG requires this explicit final rule.

Test scenarios were also reviewed and improved.

Rationale:

Review Hints:

  • There are more details in each commit description.
  • automatus should be enough for technical tests. e.g.:

./tests/automatus.py rule --libvirt qemu:///session rhel8 --datastream build/ssg-rhel8-ds.xml --dontclean --remediate-using bash fapolicy_default_deny

./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --remediate-using ansible fapolicy_default_deny

The remediation ensures the fapolicyd is not working in permissive mode
and also explicitly creates a final rule denying everything as required
by some policies.
The Ansible remediation is aligned to the Bash remediation.
The test scenarios were using a macro which was enough to test the OVAL
but was breaking the fapolicyd service due to syntax error. The same
macro was used twice while the first call was unnecessary. This commit
removes the unnecessary call and replaces the macro by another that does
not break the fapolicyd syntax.
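
A read-only check for the two conditions the description above names (permissive mode off, a final rule denying everything), as an added example that is not part of this pull request or the project's own remediation. The `permissive = 0` key and the `deny perm=any all : all` rule form are assumed from fapolicyd's configuration syntax, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: read-only audit, not the project's remediation or OVAL check.
# Assumed syntax: "permissive = 0" in fapolicyd.conf and a final rule of the
# form "deny perm=any all : all" (deny_audit/deny_syslog/deny_log also count).

# permissive_disabled CONF: true only if the last "permissive" line is 0.
# A missing key fails, so the setting has to be explicit.
permissive_disabled() {
    val=$(sed -n 's/^[[:space:]]*permissive[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    [ "$val" = "0" ]
}

# last_rule FILE: print the last line that is neither blank nor a comment,
# with runs of whitespace squeezed to single spaces.
last_rule() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | tail -n 1 |
        tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# ends_with_deny_all FILE: true only if the final rule denies everything.
ends_with_deny_all() {
    rule=$(last_rule "$1")
    case "$rule" in
        deny\ *|deny_audit\ *|deny_syslog\ *|deny_log\ *) ;;
        *) return 1 ;;
    esac
    [ "${rule#* }" = "perm=any all : all" ]
}

check_default_deny() {   # usage: check_default_deny CONF RULES
    permissive_disabled "$1" && ends_with_deny_all "$2"
}

# Constructed sample files (not taken from a real system).
SAMPLES=$(mktemp -d)
printf 'permissive = 0\nnice_val = 14\n' > "$SAMPLES/good.conf"
printf '# testing only\npermissive = 1\n' > "$SAMPLES/permissive.conf"
printf 'allow perm=any uid=0 : dir=/usr/bin/\ndeny  perm=any all : all\n\n' > "$SAMPLES/good.rules"
printf 'deny perm=any all : all\nallow perm=any all : all\n' > "$SAMPLES/shadowed.rules"

for rules in good shadowed; do
    if check_default_deny "$SAMPLES/good.conf" "$SAMPLES/$rules.rules"; then
        echo "$rules.rules: final rule denies everything, permissive mode off"
    else
        echo "$rules.rules: default deny NOT in effect"
    fi
done
```

The `shadowed.rules` sample fails because a deny-all rule that is not the last rule is followed by an allow-all, which is the case a plain `grep` for the deny line would miss.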
@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Ansible Ansible remediation update. Test Suite Update in Test Suite. Bash Bash remediation update. labels Oct 18, 2023
@marcusburghardt marcusburghardt added this to the 0.1.71 milestone Oct 18, 2023
@github-actions

github-actions bot commented Oct 18, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
--- xccdf_org.ssgproject.content_rule_fapolicy_default_deny
+++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny
@@ -4,9 +4,6 @@
 
 [description]:
 The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.
-
-[warning]:
-This rule doesn't come with a remediation. Before remediating the system administrator needs to create an allowlist of authorized software.
 
 [reference]:
 CCI-001764
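
Review bot: the removed [warning] block carried two statements, and only the first ("This rule doesn't come with a remediation") is made obsolete here. The second, that the administrator needs to create an allowlist of authorized software before remediating, still applies to a rule whose description is deny-all, permit-by-exception, and arguably matters more once a remediation ships. Suggest keeping a reworded [warning] that retains only the allowlist prerequisite instead of dropping the block entirely.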

New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.

Member

@Mab879 Mab879 left a comment

Thanks for this PR.

Please remove the warning in the rule.yml stating there is no remediation.

@marcusburghardt
Member Author

> Thanks for this PR.
>
> Please remove the warning in the rule.yml stating there is no remediation.

Done

@codeclimate

codeclimate bot commented Oct 18, 2023

Code Climate has analyzed commit 1034cda and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 57.0%.

@Mab879 Mab879 self-assigned this Oct 18, 2023
@Mab879
Member

Mab879 commented Oct 18, 2023

The failure on SLE15 can be waived as the rule is not applicable on SLE15.

Member

@Mab879 Mab879 left a comment

LGTM.

Thanks!

@Mab879 Mab879 merged commit b7c53a2 into ComplianceAsCode:master Oct 18, 2023
33 of 34 checks passed
@marcusburghardt marcusburghardt deleted the fapolicy_default_deny branch October 19, 2023 06:49