Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix rule ubtu 20 010066 #12296

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

yunimoo
Copy link
Contributor

@yunimoo yunimoo commented Aug 13, 2024

Description:

  • Fix UBTU-20-010066
  • Add Ansible remediation for ubuntu
  • Fix OVAL Definition to regex check for a semicolon ; (smartcard_configure_crl)

Original PR: #11078

Rationale:

  • Part of Ubuntu 20.04 DISA STIG v1r12 profile upgrade

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010066

To test changes with bash, run the remediation section: xccdf_org.ssgproject.content_rule_install_smartcard_packages and xccdf_org.ssgproject.content_rule_smartcard_configure_crl. The install_smartcard_packages is required so that tasks in smartcard_configure_crl can run.

Checkout Manual STIG OVAL definitions, and use software like DISA STIG Viewer to view definitions.

git checkout yunimoo:update-manual-stig-ubtu-20-v1r12

This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Aug 13, 2024
Copy link

openshift-ci bot commented Aug 13, 2024

Hi @yunimoo. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Copy link

Start a new ephemeral environment with changes proposed in this pull request:

ubuntu2004 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_smartcard_configure_crl'.

@dodys dodys requested a review from a team August 13, 2024 08:41
@dodys dodys self-assigned this Aug 13, 2024
@dodys dodys added Ansible Ansible remediation update. Ubuntu Ubuntu product related. STIG STIG Benchmark related. labels Aug 13, 2024
Copy link

github-actions bot commented Aug 13, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12296
This image was built from commit: 200c341

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12296

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12296 make deploy-local

@dodys
Copy link
Contributor

dodys commented Aug 13, 2024

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

@dodys dodys added this to the 0.1.75 milestone Aug 13, 2024
@yunimoo
Copy link
Contributor Author

yunimoo commented Aug 13, 2024

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

I think this one might be related to the fact that conditional fails if package is not properly installed beforehand, leading to that notapplicable error? So the fix might be adding in the template for ensuring that package is installed.

This commit will add in ansible remediation for ubuntu for ensuring the proper definition is defined for smartcards.
Add semicolon (;) to string comparison
@dodys
Copy link
Contributor

dodys commented Aug 14, 2024

Could you take a look at the failed tests, specially the Automatus Ubuntu 22.04

I think this one might be related to the fact that conditional fails if package is not properly installed beforehand, leading to that notapplicable error? So the fix might be adding in the template for ensuring that package is installed.

the package needed is part of the tests dependencies:
# packages = libpam-pkcs11

@Mab879 do you have any insights on why it seems that the needed package is not getting installed? Is it a bug in ubuntu's automatus?

@jan-cerny
Copy link
Collaborator

Installing packages
ssh -o Port=33623 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@localhost DEBIAN_FRONTEND=noninteractive apt install -y libpam-pkcs11
STDOUT: Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libpcsclite1
Suggested packages:
  pcscd
The following NEW packages will be installed:
  libpam-pkcs11 libpcsclite1
0 upgraded, 2 newly installed, 0 to remove and 4 not upgraded.
Need to get 175 kB of archives.
After this operation, 1038 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpcsclite1 amd64 1.9.5-3ubuntu1 [19.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/universe amd64 libpam-pkcs11 amd64 0.6.11-4build2 [155 kB]
Fetched 175 kB in 0s (1220 kB/s)
Selecting previously unselected package libpcsclite1:amd64.
(Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 102542 files and directories currently installed.)
Preparing to unpack .../libpcsclite1_1.9.5-3ubuntu1_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.9.5-3ubuntu1) ...
Selecting previously unselected package libpam-pkcs11.
Preparing to unpack .../libpam-pkcs11_0.6.11-4build2_amd64.deb ...
Unpacking libpam-pkcs11 (0.6.11-4build2) ...
Setting up libpcsclite1:amd64 (1.9.5-3ubuntu1) ...
Setting up libpam-pkcs11 (0.6.11-4build2) ...
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
STDERR: Warning: Permanently added '[localhost]:33623' (ED25519) to the list of known hosts.

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

debconf: delaying package configuration, since apt-utils is not installed

the last line looks suspicious to me

@dodys
Copy link
Contributor

dodys commented Aug 15, 2024

debconf: delaying package configuration, since apt-utils is not installed

that's not really an issue:
https://stackoverflow.com/questions/51023312/docker-having-issues-installing-apt-utils

and installing apt-utils will cause other problems

@yunimoo
Copy link
Contributor Author

yunimoo commented Aug 15, 2024

Thank you for the helpful conversations on this. Seems like the packages are installing properly but I am curious, would the test fail / not be applicable if a command is invalid? (i.e., https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/tests/commented.fail.sh#L6)

The cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example does not exist in the container so I assume that this would fail.

I have also tried a simpler test:

#!/bin/bash
# platform = multi_platform_ubuntu
# packages = libpam-pkcs11

mkdir -p /etc/pam_pkcs11
echo "cert_policy = ca,signature,ocsp_on,crl_auto;" > /etc/pam_pkcs11/pam_pkcs11.conf

Which also results in a failure / not applicable when it should pass given the OVALs. Any thoughts on this?

@yunimoo
Copy link
Contributor Author

yunimoo commented Aug 17, 2024

The packages (Dependencies) do not seem to be the problem. I was able to fix the environment setup and will add in a temporary WIP commit for the tests. I'm noticing that the environment sets up properly but openscap is still showing up as notapplicable when:

  • Verified that libpam-pkcs11 package is installed
  • Path to /etc/pam_pkcs11/pam_pkcs11.conf exists

Errors also seem to persist on master branch... I have also tried testing out the extended criteria install_smartcard_packages which results in notapplicable. So perhaps these errors may be related together in some way?

Copy link

codeclimate bot commented Aug 20, 2024

Code Climate has analyzed commit 200c341 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Ansible Ansible remediation update. needs-ok-to-test Used by openshift-ci bot. STIG STIG Benchmark related. Ubuntu Ubuntu product related.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants