Add ansible remediation for aide_use_fips_hashes rule #12327
Conversation
For aide_use_fips_hashes rule Signed-off-by: Armando Acosta <[email protected]>
|
Hi @mrkanon. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_aide_use_fips_hashes'. |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit c11f84d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
jcerny@fedora:~/work/git/scap-security-guide (pr/12327)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible aide_use_fips_hashes
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-08-26-1329/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
Description:
Added
Ansible remediation
Rationale:
In the task filling gaps in OL9 automation, the rule
aide_use_fips_hasheshas a remediation deficit with ansible. The remediation logic was adapted from bash remediation, the residual+verification steps was reduced in the regex to remove forbidden hashes and also the approach prioritize the use of the regex before the loops handled in bash remediation.In addition to the test of automatus tool, the following scenario was tested to ensure the correct remediation behavior.
With the following result: