Fix failing file_permissions_crontab #12807
Open
+6
−7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed'.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -224,5 +224,14 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+2.2.6
+
+[reference]:
+2.2
+
[rationale]:
The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.
+
+[ident]:
+CCE-86178-1
OVAL for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- oval:ssg-package_cron_installed:def:1
+++ oval:ssg-package_cron_installed:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_package_cron_installed:tst:1
+criterion oval:ssg-test_package_cronie_installed:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- ocil:ssg-package_cron_installed_ocil:questionnaire:1
+++ ocil:ssg-package_cron_installed_ocil:questionnaire:1
@@ -1,4 +1,4 @@
-Run the following command to determine if the cron package is installed:
-$ rpm -q cron
+Run the following command to determine if the cronie package is installed:
+$ rpm -q cronie
Is it the case that the package is installed?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,8 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-if ! rpm -q --quiet "cron" ; then
- yum install -y "cron"
+if ! rpm -q --quiet "cronie" ; then
+ yum install -y "cronie"
fi
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -2,7 +2,10 @@
package_facts:
manager: auto
tags:
+ - CCE-86178-1
- NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
@@ -10,13 +13,16 @@
- no_reboot_needed
- package_cron_installed
-- name: Ensure cron is installed
+- name: Ensure cronie is installed
package:
- name: cron
+ name: cronie
state: present
when: '"kernel" in ansible_facts.packages'
tags:
+ - CCE-86178-1
- NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,4 +1,4 @@
[[packages]]
-name = "cron"
+name = "cronie"
version = "*"
puppet remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,7 +1,7 @@
-include install_cron
+include install_cronie
-class install_cron {
- package { 'cron':
+class install_cronie {
+ package { 'cronie':
ensure => 'installed',
}
}
anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-package --add=cron
+package --add=cronie
kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-package install cron
+package install cronie
bootc remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-dnf install cron
+dnf install cronie |
|
/packit retest-failed |
|
@jan-cerny I tested locally and your fix works, thank you. Could you please rebase? Those failures on Fedora look strange, I wonder what is going on. Maybe the rebase will fix it. |
The rule `file_permissions_crontab` fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of `/etc/crontab` is `0640` but the rule expects the mode of this file should be `0600`. The rule passed during the container image build process because the file `/etc/crontab` didn't exist. The root cause is that the `cronie` RPM package that provides `/etc/crontab` is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rule `package_cron_installed` to the profile which will install the `cronie` package before `oscap` and then it will change the `/etc/crontab` mode during remediation.
|
I have rebased this PR on the latest upstream master branch which already contains the workaround for the pcre2.py installation issue. |
|
Code Climate has analyzed commit 64f43d3 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.8% (0.0% change). View more on Code Climate. |
|
/packit retest-failed |
1 similar comment
|
/packit retest-failed |
|
/packit build |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The rule
file_permissions_crontabfails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of/etc/crontabis0640but the rule expects the mode of this file should be0600. The rule passed during the container image build process because the file/etc/crontabdidn't exist. The root cause is that thecronieRPM package that provides/etc/crontabis neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rulepackage_cron_installedto the profile which will install thecroniepackage beforeoscapand then it will change the/etc/crontabmode during remediation.