rpms / scap-security-guide

Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   f6303c6fb4f0faac5938f1045bc4fd02351b4455
  2.   SOURCES
  3.   scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
Blob History Raw
f6303c 
From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
f6303c 
From: Milan Lysonek <mlysonek@redhat.om>
f6303c 
Date: Fri, 11 Nov 2022 12:27:11 +0100
f6303c 
Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
f6303c 
 module
f6303c
f6303c 
---
f6303c 
 .../system/accounts/enable_authselect/ansible/shared.yml    | 2 --
f6303c 
 .../audit_rules_privileged_commands/ansible/shared.yml      | 2 --
f6303c 
 .../audit_rules_suid_privilege_function/ansible/shared.yml  | 2 --
f6303c 
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml   | 6 ------
f6303c 
 .../rpm_verify_ownership/ansible/shared.yml                 | 6 ------
f6303c 
 .../rpm_verify_permissions/ansible/shared.yml               | 6 ------
f6303c 
 .../ensure_redhat_gpgkey_installed/ansible/shared.yml       | 2 --
f6303c 
 8 files changed, 28 deletions(-)
f6303c
f6303c 
diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
f6303c 
index afd658790f7..6a7324a7a64 100644
f6303c 
--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
f6303c 
@@ -17,8 +17,6 @@
f6303c 
     cmd: rpm -qV pam
f6303c 
   register: result_altered_authselect
f6303c 
   ignore_errors: yes
f6303c 
-  args:
f6303c 
-    warn: False
f6303c 
   when:
f6303c 
     - result_authselect_select is failed
f6303c
f6303c 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
f6303c 
index 68c8497c859..bb1fec9e2b8 100644
f6303c 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
f6303c 
@@ -8,8 +8,6 @@
f6303c 
   shell: |
f6303c 
     set -o pipefail
f6303c 
     find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
f6303c 
-  args:
f6303c 
-    warn: False
f6303c 
     executable: /bin/bash
f6303c 
   check_mode: no
f6303c 
   register: find_result
f6303c 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
f6303c 
index b25361136af..c46cbbe3950 100644
f6303c 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
f6303c 
@@ -49,8 +49,6 @@
f6303c 
 {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
f6303c 
 - name: Reload Auditd
f6303c 
   command: /usr/sbin/service auditd reload
f6303c 
-  args:
f6303c 
-    warn: false
f6303c 
 {{%- endif %}}
f6303c 
   when:
f6303c 
     - (augenrules_audit_rules_privilege_function_update_result.changed or
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
index 0241e804b30..0d66cb349c0 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
@@ -22,8 +22,6 @@
f6303c
f6303c 
 - name: "Read files with incorrect hash"
f6303c 
   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
f6303c 
   register: files_with_incorrect_hash
f6303c 
   changed_when: False
f6303c 
   failed_when: files_with_incorrect_hash.rc > 1
f6303c 
@@ -32,8 +30,6 @@
f6303c
f6303c 
 - name: Create list of packages
f6303c 
   command: rpm -qf "{{ item }}"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
f6303c 
   with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
f6303c 
   register: list_of_packages
f6303c 
   changed_when: False
f6303c 
@@ -44,8 +40,6 @@
f6303c
f6303c 
 - name: "Reinstall packages of files with incorrect hash"
f6303c 
   command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
f6303c 
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
f6303c 
   when:
f6303c 
     - files_with_incorrect_hash.stdout_lines is defined
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
index ed490498a1d..f43b9bcef1c 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
@@ -5,8 +5,6 @@
f6303c 
 # disruption = medium
f6303c 
 - name: "Read list of files with incorrect ownership"
f6303c 
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
f6303c 
   register: files_with_incorrect_ownership
f6303c 
   failed_when: files_with_incorrect_ownership.rc > 1
f6303c 
   changed_when: False
f6303c 
@@ -14,8 +12,6 @@
f6303c
f6303c 
 - name: Create list of packages
f6303c 
   command: rpm -qf "{{ item }}"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
f6303c 
   with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
f6303c 
   register: list_of_packages
f6303c 
   changed_when: False
f6303c 
@@ -24,7 +20,5 @@
f6303c
f6303c 
 - name: "Correct file ownership with RPM"
f6303c 
   command: "rpm --quiet --setugids '{{ item }}'"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
f6303c 
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
f6303c 
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
f6303c 
index 419ef95a323..0bd8e7e8ad5 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
f6303c 
@@ -5,8 +5,6 @@
f6303c 
 # disruption = medium
f6303c 
 - name: "Read list of files with incorrect permissions"
f6303c 
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
f6303c 
   register: files_with_incorrect_permissions
f6303c 
   failed_when: files_with_incorrect_permissions.rc > 1
f6303c 
   changed_when: False
f6303c 
@@ -14,8 +12,6 @@
f6303c
f6303c 
 - name: Create list of packages
f6303c 
   command: rpm -qf "{{ item }}"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
f6303c 
   with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
f6303c 
   register: list_of_packages
f6303c 
   changed_when: False
f6303c 
@@ -24,7 +20,5 @@
f6303c
f6303c 
 - name: "Correct file permissions with RPM"
f6303c 
   command: "rpm --setperms '{{ item }}'"
f6303c 
-  args:
f6303c 
-    warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
f6303c 
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
f6303c 
   when: (files_with_incorrect_permissions.stdout_lines | length > 0)
f6303c 
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
f6303c 
index f6f590820e1..6ab9bdee767 100644
f6303c 
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
f6303c 
@@ -18,8 +18,6 @@
f6303c 
   {{%- else -%}}
f6303c 
   command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
f6303c 
   {{%- endif %}}
f6303c 
-  args:
f6303c 
-    warn: False
f6303c 
   changed_when: False
f6303c 
   register: gpg_fingerprints
f6303c 
   check_mode: no
f6303c
f6303c 
From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
f6303c 
From: Milan Lysonek <mlysonek@redhat.om>
f6303c 
Date: Tue, 15 Nov 2022 10:00:49 +0100
f6303c 
Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations
f6303c
f6303c 
---
f6303c 
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
f6303c 
 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml    | 2 +-
f6303c 
 2 files changed, 2 insertions(+), 2 deletions(-)
f6303c
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
index 0d66cb349c0..fd850def318 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
@@ -12,7 +12,7 @@
f6303c 
 - name: "Set fact: Package manager reinstall command (yum)"
f6303c 
   set_fact:
f6303c 
     package_manager_reinstall_cmd: yum reinstall -y
f6303c 
-  when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
f6303c 
+  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
f6303c
f6303c 
 - name: "Read files with incorrect hash"
f6303c 
   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
index f43b9bcef1c..5c39628ff4c 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
f6303c 
@@ -19,6 +19,6 @@
f6303c 
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
f6303c
f6303c 
 - name: "Correct file ownership with RPM"
f6303c 
-  command: "rpm --quiet --setugids '{{ item }}'"
f6303c 
+  command: "rpm --setugids '{{ item }}'"
f6303c 
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
f6303c 
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
f6303c
f6303c 
From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
f6303c 
From: Milan Lysonek <mlysonek@redhat.om>
f6303c 
Date: Tue, 15 Nov 2022 17:20:02 +0100
f6303c 
Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
f6303c 
 all RHELs
f6303c
f6303c 
---
f6303c 
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
f6303c 
 1 file changed, 1 insertion(+), 1 deletion(-)
f6303c
f6303c 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
index fd850def318..178a7711a54 100644
f6303c 
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
f6303c 
@@ -1,5 +1,5 @@
f6303c 
 # and the regex_findall does not filter out configuration files the same as bash remediation does
f6303c 
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
f6303c 
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
f6303c 
 # reboot = false
f6303c 
 # strategy = restrict
f6303c 
 # complexity = high

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation