From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Fri, 11 Nov 2022 12:27:11 +0100
Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
 module

---
 .../system/accounts/enable_authselect/ansible/shared.yml    | 2 --
 .../audit_rules_privileged_commands/ansible/shared.yml      | 2 --
 .../audit_rules_suid_privilege_function/ansible/shared.yml  | 2 --
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml   | 6 ------
 .../rpm_verify_ownership/ansible/shared.yml                 | 6 ------
 .../rpm_verify_permissions/ansible/shared.yml               | 6 ------
 .../ensure_redhat_gpgkey_installed/ansible/shared.yml       | 2 --
 8 files changed, 28 deletions(-)

diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
index afd658790f7..6a7324a7a64 100644
--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
@@ -17,8 +17,6 @@
     cmd: rpm -qV pam
   register: result_altered_authselect
   ignore_errors: yes
-  args:
-    warn: False
   when:
     - result_authselect_select is failed
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 68c8497c859..bb1fec9e2b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -8,8 +8,6 @@
   shell: |
     set -o pipefail
     find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
-  args:
-    warn: False
     executable: /bin/bash
   check_mode: no
   register: find_result
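Review bot: Dropping `args:` leaves `    executable: /bin/bash` at the same indentation as the content of the `shell: |` block scalar, so it is now the last line of the script rather than a module argument: the shell tries to run a command named `executable:` (which fails and sets the task's rc), and the `executable` setting itself is lost, so the `set -o pipefail` / `find` pipeline no longer runs under bash and may not be honoured by the login shell's default `/bin/sh`. Dedent it to task level, `  executable: /bin/bash`, so it stays the shell module's `executable` parameter. The other hunks in this patch remove the same two lines safely because nothing else lived under `args:` there.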
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index b25361136af..c46cbbe3950 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -49,8 +49,6 @@
 {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
 - name: Reload Auditd
   command: /usr/sbin/service auditd reload
-  args:
-    warn: false
 {{%- endif %}}
   when:
     - (augenrules_audit_rules_privilege_function_update_result.changed or
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0241e804b30..0d66cb349c0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -22,8 +22,6 @@
 
 - name: "Read files with incorrect hash"
   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
   register: files_with_incorrect_hash
   changed_when: False
   failed_when: files_with_incorrect_hash.rc > 1
@@ -32,8 +30,6 @@
 
 - name: Create list of packages
   command: rpm -qf "{{ item }}"
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
   with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
@@ -44,8 +40,6 @@
 
 - name: "Reinstall packages of files with incorrect hash"
   command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
-  args:
-    warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
   when:
     - files_with_incorrect_hash.stdout_lines is defined
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index ed490498a1d..f43b9bcef1c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -5,8 +5,6 @@
 # disruption = medium
 - name: "Read list of files with incorrect ownership"
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
   register: files_with_incorrect_ownership
   failed_when: files_with_incorrect_ownership.rc > 1
   changed_when: False
@@ -14,8 +12,6 @@
 
 - name: Create list of packages
   command: rpm -qf "{{ item }}"
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
   with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
@@ -24,7 +20,5 @@
 
 - name: "Correct file ownership with RPM"
   command: "rpm --quiet --setugids '{{ item }}'"
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 419ef95a323..0bd8e7e8ad5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -5,8 +5,6 @@
 # disruption = medium
 - name: "Read list of files with incorrect permissions"
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
   register: files_with_incorrect_permissions
   failed_when: files_with_incorrect_permissions.rc > 1
   changed_when: False
@@ -14,8 +12,6 @@
 
 - name: Create list of packages
   command: rpm -qf "{{ item }}"
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
   with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
@@ -24,7 +20,5 @@
 
 - name: "Correct file permissions with RPM"
   command: "rpm --setperms '{{ item }}'"
-  args:
-    warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
   when: (files_with_incorrect_permissions.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index f6f590820e1..6ab9bdee767 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -18,8 +18,6 @@
   {{%- else -%}}
   command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
   {{%- endif %}}
-  args:
-    warn: False
   changed_when: False
   register: gpg_fingerprints
   check_mode: no

From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 10:00:49 +0100
Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations

---
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0d66cb349c0..fd850def318 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -12,7 +12,7 @@
 - name: "Set fact: Package manager reinstall command (yum)"
   set_fact:
     package_manager_reinstall_cmd: yum reinstall -y
-  when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
+  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
 
 - name: "Read files with incorrect hash"
   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
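Review bot: The extended `when` on the yum `set_fact` is a growing chain of string comparisons; the same condition reads more clearly as a membership test, `when: ansible_distribution in ["RedHat", "CentOS", "OracleLinux"]`, and adding the next distribution becomes a one-token change. Since `package_manager_reinstall_cmd` is consumed by the reinstall task later in this file, any platform this file is marked applicable for that matches none of the `set_fact` conditions would leave that variable undefined, so the sibling conditions outside the hunk are worth checking when this list is edited.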
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index f43b9bcef1c..5c39628ff4c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -19,6 +19,6 @@
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
 
 - name: "Correct file ownership with RPM"
-  command: "rpm --quiet --setugids '{{ item }}'"
+  command: "rpm --setugids '{{ item }}'"
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)

From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 17:20:02 +0100
Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
 all RHELs

---
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index fd850def318..178a7711a54 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -1,5 +1,5 @@
 # and the regex_findall does not filter out configuration files the same as bash remediation does
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = high
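Review bot: Widening `platform` to `multi_platform_rhel` makes this remediation apply to every RHEL release the build knows, but nothing in the patch series shows that `package_manager_reinstall_cmd` is set for each of them; the yum `set_fact` visible in patch 2 is keyed on `ansible_distribution`, and on any platform where no `set_fact` condition matches the reinstall task's `{{ package_manager_reinstall_cmd }}` is undefined and the play errors. A line in the header comment recording this coupling, e.g. `# every platform listed above must match one of the package_manager_reinstall_cmd set_fact tasks below`, would make the requirement visible to the next person who edits the list. The header comment block starts before this hunk.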