Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

App armor oval check #11273

Merged

Conversation

teacup-on-rockingchair
Copy link
Contributor

Description:

  • Description here. Replace this text. Don't use the italics format!

Rationale:

  • Rationale here. Replace this text. Don't use the italics format!

  • Fixes # Issue number here (e.g. Updating sysctl XCCDF naming #26) or remove this line if no issue exists.

Review Hints:

  • Review hints here. Replace this text. Don't use the italics format!

  • Use this optional section to give any relevant information which could help the reviewer to more quickly and assertively understand and test the changes.

  • Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 14, 2023
Copy link

openshift-ci bot commented Nov 14, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Copy link

github-actions bot commented Nov 14, 2023

Start a new ephemeral environment with changes proposed in this pull request:

sle12 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@vojtapolasek vojtapolasek added this to the 0.1.72 milestone Nov 29, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Dec 14, 2023
@marcusburghardt marcusburghardt modified the milestones: 0.1.72, 0.1.73 Jan 29, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Feb 4, 2024
@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review February 4, 2024 20:04
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 4, 2024
@jan-cerny jan-cerny self-assigned this Feb 5, 2024
Copy link
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fill in the PR description.

@@ -1,4 +1,5 @@
#!/bin/bash
# platform: package[apparmor]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This actually doesn't work this way. I admit its confusing. But automatus is different than format of rule.ymls. You should use packages.

Suggested change
# platform: package[apparmor]
# packages = apparmor

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @teacup-on-rockingchair this actually occurs there multiple times, please replaces all occurrences.

@jan-cerny jan-cerny added the OVAL OVAL update. Related to the systems assessments. label Feb 12, 2024
…e_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh

Co-authored-by: Jan Černý <[email protected]>
Copy link

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
bash remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q apparmor-profiles; }; then
 
 # make sure apparmor-utils is installed for aa-complain and aa-enforce
 zypper install -y "apparmor-utils"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1,6 +1,20 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-92371-4
+  - all_apparmor_profiles_enforced
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
 - name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are reloaded
   ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   tags:
   - CCE-92371-4
   - all_apparmor_profiles_enforced
@@ -12,7 +26,9 @@
 
 - name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are enforcing
   ansible.builtin.command: aa-enforce /etc/apparmor.d/*
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   tags:
   - CCE-92371-4
   - all_apparmor_profiles_enforced
@@ -25,7 +41,9 @@
 - name: Enforce all AppArmor Profiles - Collect unconfined processes
   ansible.builtin.command: aa-unconfined
   register: unconfined_processes
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   tags:
   - CCE-92371-4
   - all_apparmor_profiles_enforced
@@ -45,6 +63,7 @@
   with_items: '{{ unconfined_processes.stdout_lines }}'
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   - unconfined_processes is not skipped
   tags:
   - CCE-92371-4

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced'
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1 +1 @@
-
+oval:ssg-package_apparmor:def:1

New data stream adds OVAL for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode'.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q apparmor-profiles; }; then
 
 var_apparmor_mode=''
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-92356-5
+  - all_apparmor_profiles_in_enforce_complain_mode
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 - name: XCCDF Value var_apparmor_mode # promote to variable
   set_fact:
     var_apparmor_mode: !!str 
@@ -7,7 +18,9 @@
 - name: All AppArmor Profiles are in enforce or complain mode - Ensure all AppArmor
     Profiles are reloaded
   ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   tags:
   - CCE-92356-5
   - all_apparmor_profiles_in_enforce_complain_mode
@@ -22,6 +35,7 @@
   ansible.builtin.command: aa-enforce /etc/apparmor.d/*
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   - var_apparmor_mode == 'enforce'
   tags:
   - CCE-92356-5
@@ -37,6 +51,7 @@
   ansible.builtin.command: aa-complain /etc/apparmor.d/*
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   - var_apparmor_mode == 'complain'
   tags:
   - CCE-92356-5
@@ -51,7 +66,9 @@
     processes
   ansible.builtin.command: aa-unconfined
   register: unconfined_processes
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   tags:
   - CCE-92356-5
   - all_apparmor_profiles_in_enforce_complain_mode
@@ -72,6 +89,7 @@
   with_items: '{{ unconfined_processes.stdout_lines }}'
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"apparmor-profiles" in ansible_facts.packages'
   - unconfined_processes is not skipped
   tags:
   - CCE-92356-5

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode'
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1 +1 @@
-
+oval:ssg-package_apparmor:def:1

Correctly define the depending package to install in order to run all_apparmor_profiles_in_enforce_complain_mode tests
Thanks to @jan-cerny for pointing it out 🙇
Copy link

github-actions bot commented Mar 6, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11273
This image was built from commit: 31aadb6

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11273

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11273 make deploy-local

Copy link

codeclimate bot commented Mar 6, 2024

Code Climate has analyzed commit 31aadb6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8%.

View more on Code Climate.

@jan-cerny
Copy link
Collaborator

/packit retest-failed

@jan-cerny jan-cerny merged commit 8d48440 into ComplianceAsCode:master Mar 7, 2024
40 of 44 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
OVAL OVAL update. Related to the systems assessments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants