Sle15 fix ansible pci-dss remediations in check mode #11263

Merged
Expand Up @@ -18,7 +18,9 @@

- name: {{{ rule_title }}} - Set List of Privileged Commands Found in Eligible Mount Points
ansible.builtin.set_fact:
privileged_commands: "{{( result_privileged_commands_search.results | map(attribute='stdout_lines') | select() | list ) | sum(start=[]) }}"
privileged_commands: "{{ privileged_commands | default([]) + item.stdout_lines }}"
loop: "{{ result_privileged_commands_search.results }}"
when: item is not skipped

- name: {{{ rule_title }}} - Privileged Commands are Present in the System
block:
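Review bot: With the new per-item loop, `privileged_commands` is never defined when every search result is skipped, which is exactly the check-mode case this PR targets, so the following `Privileged Commands are Present in the System` block (its body continues past the hunk) will hit an undefined variable unless it is already guarded or the fact is seeded earlier outside the hunk. The loop is also not needed: a single filter chain that drops skipped items keeps the fact defined as an empty list, `privileged_commands: "{{ result_privileged_commands_search.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | list | sum(start=[]) }}"`, with no `loop:`/`when:`. If the loop is kept, the consumer should at least read `privileged_commands | default([])`.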
Expand Up @@ -12,17 +12,17 @@
- name: Parse log file line
command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
register: log_file_line
when: (log_file_exists.stdout | length > 0)
when: log_file_exists is not skipped and (log_file_exists.stdout | length > 0)

- name: Set default log_file if not set
set_fact:
log_file: "/var/log/audit/audit.log"
when: (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
when: (log_file_exists is skipped) or (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)

- name: Set log_file from log_file_line if not set already
set_fact:
log_file: "{{ log_file_line.stdout | trim }}"
when: (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0)
when: (log_file_exists is not skipped) and (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0)

{{% if 'ol' not in product and "rhel" not in product %}}
- name: Get log files group
Expand All @@ -33,13 +33,14 @@
- name: Parse log group line
command: awk -F '=' '/log_group/ {print $2}' /etc/audit/auditd.conf
register: log_group
when: (log_group_line.stdout | length > 0)
when: (log_group_line is not skipped) and (log_group_line.stdout | length > 0)

- name: Apply mode to log file when group root
file:
path: "{{ log_file }}"
mode: (( log_group is defined ) and ( ( log_group.stdout | trim ) == 'root' )) | ternary( '0600', '0640')
failed_when: false
when: log_group is not skipped

- name: List all log file backups
find:
Expand All @@ -53,6 +54,7 @@
mode: (( log_group is defined ) and ( ( log_group.stdout | trim ) == 'root' )) | ternary( '0400', '0440')
loop: "{{ backup_files.files| map(attribute='path') | list }}"
failed_when: false
when: backup_files is not skipped

{{% else %}}
- name: Apply mode to log file
Expand Up @@ -23,4 +23,5 @@
value: '1'
no_extra_spaces: True
# regex filters grep output for files ending in .repo and matching section names.
loop: "{{ repo_grep_results.stdout | regex_findall( '(.+\\.repo):\\[(.+)\\]\\n?' ) }}"
loop: "{{ repo_grep_results.stdout |regex_findall( '(.+\\.repo):\\[(.+)\\]\\n?' ) if repo_grep_results is not skipped else []}}"
Is this change needed in case we consider the next line with the "when" clause?

Well, to answer both this and the question above: the extra checks added handle the case where the Ansible remediation is run in check mode, in the same way as the other changes in this PR:

ansible-playbook -i /root/ansible_inventory.yml sle15-playbook-pci-dss.yml --check --diff

Hi @vojtapolasek, does this PR cause any issues that I am missing? If not, can you please approve it 🙏

when: repo_grep_results is not skipped
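Review bot: A point of style on the `loop:` line: the inline `if ... else []` conditional and the missing space after the pipe make an already long expression harder to read, and the same outcome can be expressed inside the pipeline, `loop: "{{ repo_grep_results.stdout | default('') | regex_findall('(.+\\.repo):\\[(.+)\\]\\n?') }}"`, since a skipped register has no `stdout` attribute and `default('')` then yields an empty match list. Behaviour is unchanged: an empty loop leaves the task skipped. The task's module arguments start above the hunk.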
8 changes: 4 additions & 4 deletions shared/macros/10-ansible.jinja
Expand Up @@ -1268,21 +1268,21 @@ Part of the grub2_bootloader_argument template.
dest: /etc/default/grub
create: yes
mode: '0644'
when: argcheck.rc != 0 and linecheck.rc != 0
when: argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc != 0

- name: Replace existing {{{ arg_name }}} argument
replace:
path: /etc/default/grub
regexp: '{{{ arg_name }}}=\w+'
replace: '{{{ arg_name_value }}}'
when: argcheck.rc == 0 and linecheck.rc == 0
when: argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and linecheck.rc == 0

- name: Add {{{ arg_name }}} argument
replace:
path: /etc/default/grub
regexp: '(^\s*GRUB_CMDLINE_LINUX=.*)"'
replace: '\1 {{{ arg_name_value }}}"'
when: argcheck.rc != 0 and linecheck.rc == 0
when: argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc == 0

{{% endif -%}}

Expand Down Expand Up @@ -1316,7 +1316,7 @@ Part of the grub2_bootloader_argument_absent template.
path: /etc/default/grub
regexp: '\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)'
replace: '\1 \2'
when: argcheck.rc == 0
when: argcheck is not skipped and argcheck.rc == 0

{{% endif -%}}

Expand Up @@ -27,6 +27,7 @@
- name: '{{{ rule_title }}} - Aggregate rsyslog includes'
ansible.builtin.set_fact:
include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
when: rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped

- name: '{{{ rule_title }}} - List all config files'
ansible.builtin.find:
Expand All @@ -35,6 +36,7 @@
hidden: no
follow: yes
loop: "{{ include_config_output | list + [rsyslog_etc_config] }}"
when: include_config_output is defined
register: rsyslog_config_files
failed_when: False
changed_when: False
Expand All @@ -45,9 +47,10 @@
grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
awk '{print $NF}' | \
sed -e 's/^-//' || true
loop: "{{ rsyslog_config_files.results | subelements('files') }}"
loop: "{{ rsyslog_config_files.results | default([]) | subelements('files') }}"
register: log_files_old
changed_when: False
when: rsyslog_config_files is not skipped

- name: '{{{ rule_title }}} - Extract log files new format'
ansible.builtin.shell: |
Expand All @@ -56,9 +59,10 @@
grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\""|| true
loop: "{{ rsyslog_config_files.results | subelements('files') }}"
loop: "{{ rsyslog_config_files.results | default([]) | subelements('files') }}"
register: log_files_new
changed_when: False
when: rsyslog_config_files is not skipped

- name: '{{{ rule_title }}} - Sum all log files found'
ansible.builtin.set_fact: