App armor oval check #11273
Conversation
Skipping CI for Draft Pull Request.
Use oval count to get count of subexpression matches per type profile
Fix object and variable namings to include rule_id
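The commit above describes the check as counting OVAL subexpression matches per profile mode. As an added example (not code from this PR or from ComplianceAsCode), the shell functions below perform the same classification over the kernel's securityfs listing, which prints one `name (mode)` line per loaded profile. The `PROFILES_FILE` override, the function names and the sample listing are assumptions constructed for the example; it goes slightly beyond the page in accepting a mode alternation such as `enforce|complain`, so the pass condition of both rules in this PR can be evaluated with one function.

```shell
#!/bin/bash
# Added example, not code from the PR: classify loaded AppArmor profiles by
# mode (count of profiles per mode), reading the kernel's securityfs listing,
# which prints one "name (mode)" line per loaded profile. PROFILES_FILE is an
# assumed override so the functions can be pointed at a captured listing; the
# default is the real securityfs path.
PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Constructed sample listing (not captured from a real host) in the securityfs
# format; it mixes enforce, complain and unconfined profiles and includes a
# hat ("//") so the parser is exercised on that form as well.
make_sample_listing() {
  cat <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/evince (complain)
/usr/lib/snapd/snap-confine (enforce)
nvidia_modprobe (unconfined)
EOF
}

# Build the extended regex matching a listing line whose mode is one of the
# alternatives in $1 (e.g. "enforce" or "enforce|complain"). Anchoring on the
# trailing " (mode)" keeps profile names containing spaces or "//" intact.
mode_regex() {
  printf ' \\((%s)\\)$' "$1"
}

# count_mode <mode-alternatives> [file]: number of loaded profiles in that mode.
# grep -c prints 0 but exits 1 when nothing matches, so "|| true" keeps the
# count usable under "set -e".
count_mode() {
  local file="${2:-$PROFILES_FILE}"
  grep -c -E "$(mode_regex "$1")" "$file" || true
}

# list_profiles_not_in_mode <mode-alternatives> [file]: the offending lines,
# i.e. what a remediation such as aa-enforce would have to change.
list_profiles_not_in_mode() {
  local file="${2:-$PROFILES_FILE}"
  grep -v -E "$(mode_regex "$1")" "$file" || true
}

# all_profiles_in_mode <mode-alternatives> [file]: succeed (exit 0) only when
# every loaded profile is in one of the given modes. This mirrors the rule's
# pass condition; "enforce|complain" covers the enforce-or-complain variant.
all_profiles_in_mode() {
  local file="${2:-$PROFILES_FILE}"
  [ "$(list_profiles_not_in_mode "$1" "$file" | wc -l | tr -d ' ')" -eq 0 ]
}

# report_modes [file]: print "count mode" per mode found. Falls back to the
# constructed sample when securityfs is not readable (container, CI sandbox).
report_modes() {
  local file="${1:-$PROFILES_FILE}"
  if [ ! -r "$file" ]; then
    file=$(mktemp)
    make_sample_listing > "$file"
  fi
  sed -n 's/.* (\([a-z_]*\))$/\1/p' "$file" | sort | uniq -c
}

# Stand-alone run: summarize the live listing, or the sample when absent.
report_modes
```

`all_profiles_in_mode enforce` is the condition behind `all_apparmor_profiles_enforced`; `all_profiles_in_mode 'enforce|complain'` is the one behind `all_apparmor_profiles_in_enforce_complain_mode`. Reading the securityfs file needs root on most hosts, which is why the fallback to the constructed sample exists.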
Force-pushed 944c816 to 21f2fbd
Force-pushed e5bd789 to de47285
Please fill in the PR description.
@@ -1,4 +1,5 @@ | |||
#!/bin/bash | |||
# platform: package[apparmor] |
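Review bot: line 2 of this test scenario declares its dependency with `# platform: package[apparmor]`, which is the rule.yml key, not the header Automatus reads from test scenarios; the scenario should use `# packages = apparmor` so the package is installed before the test runs, and the same replacement is needed in every other scenario in this PR that carries the same header.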
This actually doesn't work this way. I admit it's confusing. But Automatus is different than the format of rule.ymls. You should use packages.
# platform: package[apparmor] | |
# packages = apparmor |
Hi @teacup-on-rockingchair, this actually occurs there multiple times; please replace all occurrences.
…e_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh
Co-authored-by: Jan Černý <[email protected]>
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q apparmor-profiles; }; then
# make sure apparmor-utils is installed for aa-complain and aa-enforce
zypper install -y "apparmor-utils"
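Review bot: the new applicability guard `{ rpm --quiet -q apparmor-profiles; }` queries a different package (`apparmor-profiles`) than the platform the rule declares (`package[apparmor]`, see the platform hunk below); confirm this is the intended product-level package-name mapping, because on a host that has `apparmor` but not `apparmor-profiles` installed the whole remediation, including the `zypper install -y "apparmor-utils"` that follows, will be skipped while the check itself still applies.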
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1,6 +1,20 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-92371-4
+ - all_apparmor_profiles_enforced
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are reloaded
ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
tags:
- CCE-92371-4
- all_apparmor_profiles_enforced
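Review bot: every `'"apparmor-profiles" in ansible_facts.packages'` condition added here relies on the new `Gather the package facts` task at the top of the hunk having run; it carries the same tag set, which keeps it selected under `--tags` filtering, but note that it has no `ansible_virtualization_type` condition of its own, so it executes inside containers as well (a harmless fact-gathering call, but worth keeping in mind if the tag set of either task is changed later).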
@@ -12,7 +26,9 @@
- name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are enforcing
ansible.builtin.command: aa-enforce /etc/apparmor.d/*
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
tags:
- CCE-92371-4
- all_apparmor_profiles_enforced
@@ -25,7 +41,9 @@
- name: Enforce all AppArmor Profiles - Collect unconfined processes
ansible.builtin.command: aa-unconfined
register: unconfined_processes
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
tags:
- CCE-92371-4
- all_apparmor_profiles_enforced
@@ -45,6 +63,7 @@
with_items: '{{ unconfined_processes.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
- unconfined_processes is not skipped
tags:
- CCE-92371-4
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced'
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
@@ -1 +1 @@
-
+oval:ssg-package_apparmor:def:1
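Review bot: attaching `oval:ssg-package_apparmor:def:1` as the rule platform makes the check, not only the remediations, report not applicable when the package is absent; make sure a test scenario covers the package-missing case so the rule yields `notapplicable` rather than `fail`, and keep the package name in this definition (`apparmor`) consistent with the `apparmor-profiles` name the generated bash and Ansible guards test.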
New data stream adds OVAL for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode'.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q apparmor-profiles; }; then
var_apparmor_mode=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' differs.
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-92356-5
+ - all_apparmor_profiles_in_enforce_complain_mode
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value var_apparmor_mode # promote to variable
set_fact:
var_apparmor_mode: !!str
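Review bot: unlike the corresponding hunk for `all_apparmor_profiles_enforced`, the inserted `Gather the package facts` task here is not separated from the following `XCCDF Value var_apparmor_mode` task by a blank line; emitting the blank line in both places keeps the generated playbooks consistent and easier to diff.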
@@ -7,7 +18,9 @@
- name: All AppArmor Profiles are in enforce or complain mode - Ensure all AppArmor
Profiles are reloaded
ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
tags:
- CCE-92356-5
- all_apparmor_profiles_in_enforce_complain_mode
@@ -22,6 +35,7 @@
ansible.builtin.command: aa-enforce /etc/apparmor.d/*
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
- var_apparmor_mode == 'enforce'
tags:
- CCE-92356-5
@@ -37,6 +51,7 @@
ansible.builtin.command: aa-complain /etc/apparmor.d/*
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
- var_apparmor_mode == 'complain'
tags:
- CCE-92356-5
@@ -51,7 +66,9 @@
processes
ansible.builtin.command: aa-unconfined
register: unconfined_processes
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
tags:
- CCE-92356-5
- all_apparmor_profiles_in_enforce_complain_mode
@@ -72,6 +89,7 @@
with_items: '{{ unconfined_processes.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"apparmor-profiles" in ansible_facts.packages'
- unconfined_processes is not skipped
tags:
- CCE-92356-5
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode'
--- xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
+++ xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode
@@ -1 +1 @@
-
+oval:ssg-package_apparmor:def:1 |
Correctly define the depending package to install in order to run all_apparmor_profiles_in_enforce_complain_mode tests. Thanks to @jan-cerny for pointing it out 🙇
🤖 A k8s content image for this PR is available. If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
Code Climate has analyzed commit 31aadb6 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.8%.
/packit retest-failed
Description:
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes # Issue number here (e.g. Updating sysctl XCCDF naming #26) or remove this line if no issue exists.
Review Hints:
Review hints here. Replace this text. Don't use the italics format!
Use this optional section to give any relevant information which could help the reviewer to more quickly and assertively understand and test the changes.
Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc.