Remove nullok from common-auth on Ubuntu#14414
Open
mpurg wants to merge 1 commit into ComplianceAsCode:master from
Conversation
Contributor
@mpurg could you check the failed tests for 22.04 and 24.04? |
fda48d2 to
05e221d
Compare
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -11,5 +11,4 @@
extend_definition oval:ssg-installed_OS_is_sle16:def:1
extend_definition oval:ssg-installed_OS_is_slmicro5:def:1
extend_definition oval:ssg-installed_OS_is_slmicro6:def:1
-extend_definition oval:ssg-installed_OS_is_ubuntu2204:def:1
extend_definition oval:ssg-installed_OS_is_ubuntu2404:def:1
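Review bot: the removal of `extend_definition oval:ssg-installed_OS_is_ubuntu2204:def:1` from the installed_OS_is_vendor_supported definition has nothing to do with removing nullok from common-auth, and the rest of this datastream diff (accounts_no_uid_except_zero, selinux_not_disabled, audit_rules_suid_privilege_function) looks the same: it reads like the branch is behind master rather than like changes this PR intends. Suggest rebasing onto current master and regenerating the diff so that only the nullok change shows up.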
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -4,8 +4,8 @@
[description]:
If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed, locked
-or have their UID changed.
+be investigated and the accounts other than root should be removed or have
+their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
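Review bot: the new description drops "locked" as an acceptable outcome ("removed or have their UID changed"), yet the Ansible remediation for the same rule in this diff still carries the task "Lock the password of the user accounts other than root with uid 0". Either keep "removed, locked or have their UID changed" in the description or align the remediation with the narrower text; as written, the documented requirement and the automated fix disagree.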
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
+++ ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
@@ -2,7 +2,5 @@
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
-Also make sure that if non-root account with UID "0" exist, it is locked:
-$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow
Is it the case that any accounts other than "root" have a UID of "0"?
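Review bot: dropping the `$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow` step removes the only check that a non-root UID 0 account is locked, while the closing question still only asks whether such accounts exist. If locking remains an accepted remediation (the Ansible task "Lock the password of the user accounts other than root with uid 0" suggests it does), this step should stay; if not, the question should state that any non-root UID 0 account is a finding regardless of its lock state.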
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -44,7 +44,7 @@
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
- loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''equalto'', ''root'')
+ loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'')
| list }}'
when:
- '"kernel-core" in ansible_facts.packages'
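Review bot: changing `rejectattr('key', 'equalto', 'root')` to `rejectattr('key', 'search', 'root')` turns an exact match into a regex substring match, so any UID 0 account whose name merely contains "root" (for example `nonroot` or `root2`) would no longer be passed to `passwd -l` and would stay unlocked. Unless there is a reason to skip such accounts, `equalto` is the correct filter. Note also that the unchanged guard `when: '"kernel-core" in ansible_facts.packages'` can never be true on Ubuntu, which has no `kernel-core` package, so this datastream is not the Ubuntu content the PR title targets; that again points to the diff being a master-vs-branch artifact.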
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' differs.
--- ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
+++ ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
@@ -1,4 +1,5 @@
Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:
+
$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
Is it the case that any system commands are returned and is not group-owned by a required system account?
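Review bot: the added blank line before the `find` command is fine. While touching this OCIL text, the unchanged closing question "any system commands are returned and is not group-owned" should read "are not group-owned" to agree with its plural subject.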
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -9,18 +9,15 @@
SELINUX=enforcing
OR
SELINUX=permissive
-If SELinux is currently disabled or not configured, ensure that all files have correct SELinux
-labels by running:
+Ensure that all files have correct SELinux labels by running:
fixfiles onboot
Then reboot the system.
[warning]:
-The automated remediation checks the SELinux configuration in /etc/selinux/config.
-If SELinux is already set to "enforcing" or "permissive", the current state is preserved
-and no changes are made. If SELinux is "disabled" or not configured, the remediation will
-adopt a conservative approach and set it to "permissive" in order to avoid any system
-disruption and give the administrator the opportunity to assess the impact and necessary
-efforts before setting it to "enforcing", which is strongly recommended.
+In case the SELinux is "disabled", the automated remediation will adopt a more
+conservative approach and set it to "permissive" in order to avoid any system disruption
+and give the administrator the opportunity to assess the impact and necessary efforts
+before setting it to "enforcing", which is strongly recommended.
[reference]:
1.3.1.4
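Review bot: the new description and warning no longer say what happens when SELinux is already set to "enforcing" or "permissive", which the removed warning text covered explicitly ("the current state is preserved and no changes are made"), and the bash remediation in this same diff drops the corresponding state check. A reader can therefore no longer tell from the rule text whether an enforcing system stays enforcing. Keep the conditional wording of the removed lines, and fix "In case the SELinux is "disabled"" to "If SELinux is "disabled"".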
bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -1,17 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-# Check current SELinux state in config file
-selinux_current_state=""
-if [ -f "/etc/selinux/config" ]; then
- selinux_current_state=$(grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config || true)
-fi
-
-# Only remediate if SELinux is disabled or not configured
-# If already set to enforcing or permissive, it's compliant - preserve the current state
-if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then
- # SELinux is disabled or not configured, set to permissive as a conservative approach
- if [ -e "/etc/selinux/config" ] ; then
+if [ -e "/etc/selinux/config" ] ; then
LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
else
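Review bot: removing the `selinux_current_state` check makes the `LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"` and the subsequent `SELINUX=permissive` write unconditional, so a host already configured with `SELINUX=enforcing` is rewritten to permissive on every remediation run. That downgrades compliant systems instead of preserving them. The removed guard `if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]` should be kept so that only disabled or unconfigured hosts are touched.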
@@ -25,8 +15,8 @@
printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"
- fixfiles onboot
-fi
+
+fixfiles onboot
else
>&2 echo 'Remediation is not applicable, nothing was done'
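Review bot: with `fixfiles onboot` moved out of the conditional it now runs on every remediation pass, scheduling a full filesystem relabel (and the reboot the rule already flags as `reboot_required`) even when nothing in /etc/selinux/config was changed. Keep it inside the branch that actually modifies the config file.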
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -10,13 +10,12 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Check current SELinux configuration
+- name: Ensure SELinux is Not Disabled - Check current SELinux state
ansible.builtin.command:
- cmd: grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config
- register: selinux_config_state
+ cmd: getenforce
+ register: current_selinux_state
check_mode: false
changed_when: false
- failed_when: false
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
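Review bot: replacing the `grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config` command with `getenforce` changes what is measured: `getenforce` reports the running state, which can differ from the persisted configuration (for example after a temporary `setenforce 0`), while this rule is about what /etc/selinux/config says. Dropping `failed_when: false` also means the play aborts if `getenforce` is not present on the host (no libselinux-utils), instead of treating that as "not configured". Suggest keeping the config-file check, or at minimum restoring `failed_when: false` and handling an empty `stdout`.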
@@ -27,49 +26,35 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Set SELinux state to permissive if disabled
- or not configured
+- name: Ensure SELinux is Not Disabled
block:
- - name: Ensure SELinux is Not Disabled
- block:
+ - name: Check for duplicate values
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
- - name: Check for duplicate values
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- check_mode: true
- changed_when: false
- register: dupes
+ - name: Deduplicate values from /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
- - name: Deduplicate values from /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- when: dupes.found is defined and dupes.found > 1
-
- - name: Insert correct line to /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- line: SELINUX=permissive
- state: present
-
- - name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next
- boot
- ansible.builtin.file:
- path: /.autorelabel
- state: touch
- access_time: preserve
- modification_time: preserve
- when:
- - '"kernel-core" in ansible_facts.packages'
- - selinux_config_state.stdout not in ['enforcing', 'permissive']
+ - name: Insert correct line to /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ line: SELINUX=permissive
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
- high_severity
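Review bot: the restructured block drops the `selinux_config_state.stdout not in ['enforcing', 'permissive']` condition, so the "Insert correct line to /etc/selinux/config" task now writes `SELINUX=permissive` whenever `kernel-core` is installed, including on hosts that are already at `SELINUX=enforcing`. That is a regression from the removed version, which only touched disabled or unconfigured hosts; the guard belongs back in the task's `when` (or on the enclosing block) before this can be merged.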
@@ -78,3 +63,21 @@
- reboot_required
- restrict_strategy
- selinux_not_disabled
+
+- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot
+ ansible.builtin.file:
+ path: /.autorelabel
+ state: touch
+ access_time: preserve
+ modification_time: preserve
+ when:
+ - '"kernel-core" in ansible_facts.packages'
+ - current_selinux_state.stdout | lower != "permissive"
+ tags:
+ - CCE-86151-8
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - reboot_required
+ - restrict_strategy
+ - selinux_not_disabled
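Review bot: the relabel task's condition `current_selinux_state.stdout | lower != "permissive"` touches `/.autorelabel` whenever the runtime state is Enforcing or Disabled, so an already-enforcing host gets a full relabel on next boot for no reason. The intent is presumably to relabel only when the remediation actually moved the system out of the disabled state; condition it on the insert task having reported `changed`, or on the state being "disabled", rather than on "not permissive".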
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C uid!=euid -F euid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
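Review bot: this hunk and the following `@@ -326,7 +328,9 @@` hunk only add blank lines around the `OTHER_FILTERS` assignments and appear to be whitespace drift between master and this branch rather than part of the nullok change; a rebase should make them disappear from the datastream diff.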
@@ -326,7 +328,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C gid!=egid -F egid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
Aligns with Ubuntu 22.04 STIG rule V2R7 (UBTU-22-611060 Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords)
05e221d to
c5f576e
Compare
Contributor
Author
/retest-required
@mpurg: The following tests failed, say
Full PR test history. Your PR dashboard. Details. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Description:
Rationale:
Aligns with: