Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move RPM verify rules to use --restore #12413

Merged
merged 1 commit into from
Oct 9, 2024
Merged

Move RPM verify rules to use --restore #12413

merged 1 commit into from
Oct 9, 2024

Conversation

Mab879
Copy link
Member

@Mab879 Mab879 commented Sep 24, 2024
edited
Loading

Description:

  • Move RPM verify rules to use --restore

Rationale:

Update for RHEL 10

@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Sep 24, 2024
@Mab879 Mab879 added this to the 0.1.75 milestone Sep 24, 2024
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Mab879 Mab879 marked this pull request as draft September 24, 2024 20:30
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 24, 2024
@Mab879 Mab879 force-pushed the adjust_rpm_rules_rhel10 branch from b79f1ee to 6eb7c1e Compare September 25, 2024 00:20
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 25, 2024
edited
Loading

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -11,7 +11,7 @@
 $ rpm -qf FILENAME
           
 Next, run the following command to reset its permissions to the correct values:
-$ sudo rpm --setugids PACKAGENAME
+$ sudo rpm --restore PACKAGENAME
 
 [warning]:
 Profiles may require that specific files be owned by root while the default owner defined

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -17,5 +17,5 @@
 # correct values
 for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
 do
-        rpm --setugids "${RPM_PACKAGE}"
+        rpm --restore "${RPM_PACKAGE}"
 done

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -55,7 +55,7 @@
   - rpm_verify_ownership
 
 - name: Correct file ownership with RPM
-  command: rpm --setugids '{{ item }}'
+  command: rpm --restore '{{ item }}'
   with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
     | unique }}'
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -16,7 +16,7 @@
           
           
 Next, run the following command to reset its permissions to the correct values:
-$ sudo rpm --setperms PACKAGENAME
+$ sudo rpm --restore PACKAGENAME
 
 [warning]:
 Profiles may require that specific files have stricter file permissions than defined by

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -57,7 +57,7 @@
   - rpm_verify_permissions
 
 - name: Correct file permissions with RPM
-  command: rpm --setperms '{{ item }}'
+  command: rpm --restore '{{ item }}'
   with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
     | unique }}'
   when: (files_with_incorrect_permissions.stdout_lines | length > 0)

@Mab879
Copy link
Member Author

Mab879 commented Sep 25, 2024

/retest-required

@Mab879 Mab879 marked this pull request as ready for review September 26, 2024 12:46
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 26, 2024
@jan-cerny jan-cerny self-assigned this Oct 4, 2024
jan-cerny
jan-cerny requested changes Oct 4, 2024
View reviewed changes
...m/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh
@@ -22,5 +22,9 @@ done
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
{{% if "rhel" in product %}}
rpm --restore "${RPM_PACKAGE}"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the same change needs do be done in Ansible code.

...ystem/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -16,7 +16,11 @@ description: |-
<pre>$ rpm -qf <i>FILENAME</i></pre>
<br />
Next, run the following command to reset its permissions to the correct values:
{{% if 'rhel' in product %}}
<pre>$ sudo rpm --restore <i>PACKAGENAME</i></pre>
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in rpm_verify_permissions you need to update also the Bash and Ansible remediations.

@Mab879
Move rpm verify rules to use --restore
06fbf18 
To match the rpm_verify_permissions bash remedation.
@Mab879 Mab879 force-pushed the adjust_rpm_rules_rhel10 branch from 6eb7c1e to 06fbf18 Compare October 7, 2024 12:19
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 7, 2024

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 7, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12413
This image was built from commit: 06fbf18

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12413

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12413 make deploy-local

@codeclimate CodeClimate
Copy link

codeclimate bot commented Oct 7, 2024

Code Climate has analyzed commit 06fbf18 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

@jan-cerny
Copy link
Collaborator

/packit build

@jan-cerny jan-cerny merged commit 556df81 into ComplianceAsCode:master Oct 9, 2024
95 of 100 checks passed
@Mab879 Mab879 deleted the adjust_rpm_rules_rhel10 branch October 10, 2024 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels
Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.75
Development

Successfully merging this pull request may close these issues.
2 participants
@Mab879 @jan-cerny