Fix rule applicability for container environments#14590
Open
jan-cerny wants to merge 17 commits into ComplianceAsCode:master from
Conversation
The rule will be applicable only if Kerberos libraries are actually installed. This happens in hummingbird minimal images. On a normal system, they are always installed, because it's a dependency of dnf.
Make these rules applicable only if the `openssl` RPM package is present on the system:
- configure_openssl_crypto_policy
- configure_openssl_tls_crypto_policy
Typically, normal containers (not bootable containers) don't specify users from LDAP.
The rule `file_etc_security_opasswd` should be applicable only if the `pam` RPM package that provides the `/etc/security/opasswd` file is present.
Checking Bash history makes sense only if `bash` is installed in the system, which isn't the case in some minimal images.
The rules harden_sshd_ciphers_openssh_conf_crypto_policy and harden_sshd_macs_openssh_conf_crypto_policy will be applicable only if the openssh package is present; this will make these rules notapplicable when scanning some minimal container images.
The package `gnutls-utils` contains command line TLS client and server and certificate manipulation tools. It's unlikely that application containers would run these CLI clients or tools. They typically will only use the crypto library. Therefore, let's make the rule not applicable in containers.
…stalled
If dnf isn't present on the system, typically in minimal container images, we shouldn't require installing dnf plugins.
The `nss-tools` RPM package provides command-line utilities to manipulate the NSS certificate and key database. We think that in application containers users typically don't need to use these utilities; they will use them on the container host. Therefore, we will make the rule not applicable in application containers.
Mark rule package_openscap-scanner_installed with the system_with_kernel platform because application containers will typically be scanned from outside by `oscap-podman` using `podman mount`.
Application containers typically won't run SSH clients; usually the clients aren't needed in the container, but they shall be installed on the host system.
Mark this rule with the system_with_kernel platform because application containers will typically be scanned from outside by `oscap-podman` using `podman mount` and the security content will also be provided externally or on the containerization host.
The `sequoia-sq` package provides the `sq` tool which is a command-line frontend for Sequoia, an implementation of OpenPGP. Application containers typically don't run the `sq` tool directly, instead, they use the `sq` library or verify GPG keys using `rpm`. The package shouldn't be needed in application containers.
This rule shouldn't be applicable on application containers because subscription-manager should be installed on the host and not in the container.
Make rules for SSH client applicable only if the SSH client is installed.
This rule checks DNF configuration, therefore it should be applicable only if DNF is installed. In some minimal container images DNF isn't present.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -1,3 +1,9 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q krb5-libs; then
rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -1,8 +1,6 @@
-- name: Configure Kerberos to use System Crypto Policy
- ansible.builtin.file:
- src: /etc/crypto-policies/back-ends/krb5.config
- path: /etc/krb5.conf.d/crypto-policies
- state: link
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-80936-8
- NIST-800-53-SC-12(2)
@@ -14,3 +12,21 @@
- low_complexity
- low_disruption
- reboot_required
+
+- name: Configure Kerberos to use System Crypto Policy
+ ansible.builtin.file:
+ src: /etc/crypto-policies/back-ends/krb5.config
+ path: /etc/krb5.conf.d/crypto-policies
+ state: link
+ when: '"krb5-libs" in ansible_facts.packages'
+ tags:
+ - CCE-80936-8
+ - NIST-800-53-SC-12(2)
+ - NIST-800-53-SC-12(3)
+ - NIST-800-53-SC-13
+ - configure_kerberos_crypto_policy
+ - configure_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - reboot_required
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -1 +1 @@
-
+oval:ssg-package_krb5-libs:def:1
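Review bot: with this hunk the package name `krb5-libs` is encoded in three generated artifacts for the rule (this platform id, the bash `rpm --quiet -q krb5-libs` test and the Ansible `"krb5-libs" in ansible_facts.packages` condition), all derived from the rule's platform key, so the rule's component file is the one remaining place that could disagree with them; the "Check the components of rules" request below applies to every rule touched in these 17 commits, not only this one.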
bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssl; then
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
@@ -28,3 +30,7 @@
}
remediate_openssl_crypto_policy
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -1,3 +1,23 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80938-4
+ - NIST-800-53-AC-17(2)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-MA-4(6)
+ - NIST-800-53-SC-12(2)
+ - NIST-800-53-SC-12(3)
+ - NIST-800-53-SC-13
+ - PCI-DSS-Req-2.2
+ - configure_openssl_crypto_policy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section
ansible.builtin.find:
@@ -5,6 +25,7 @@
patterns: openssl.cnf
contains: ^\s*\[\s*crypto_policy\s*]
register: test_crypto_policy_group
+ when: '"openssl" in ansible_facts.packages'
tags:
- CCE-80938-4
- NIST-800-53-AC-17(2)
@@ -29,6 +50,7 @@
patterns: openssl.cnf
contains: ^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$
register: test_crypto_policy_include_directive
+ when: '"openssl" in ansible_facts.packages'
tags:
- CCE-80938-4
- NIST-800-53-AC-17(2)
@@ -54,6 +76,7 @@
line: .include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
when:
+ - '"openssl" in ansible_facts.packages'
- test_crypto_policy_group.matched > 0
- test_crypto_policy_include_directive.matched == 0
tags:
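Review bot: the ordering inside the `when` list is load-bearing and deserves a comment in the template that emits it: Ansible evaluates the items of a `when` list in order and stops at the first false one, so listing `'"openssl" in ansible_facts.packages'` ahead of `test_crypto_policy_group.matched > 0` is what prevents `.matched` from being read off the register of a find task that was skipped (a skipped task's registered result carries no `matched` key). The `test_crypto_policy_group.matched == 0` hunk below relies on the same ordering.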
@@ -81,7 +104,9 @@
[crypto_policy]
.include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
- when: test_crypto_policy_group.matched == 0
+ when:
+ - '"openssl" in ansible_facts.packages'
+ - test_crypto_policy_group.matched == 0
tags:
- CCE-80938-4
- NIST-800-53-AC-17(2)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy'
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -1 +1 @@
-
+oval:ssg-package_openssl:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy'
--- xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
@@ -1 +1 @@
-
+oval:ssg-package_openssl:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssh; then
sshd_approved_ciphers=''
if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
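Review bot: gating on `openssh` rather than `openssh-server` means an image that has only the SSH client installed will still have `/etc/crypto-policies/back-ends/openssh.config` rewritten, because `openssh` is the shared package that both the client and the server packages depend on; if that is intended (the back-end file is shared by both), please say so in the commit message for the two harden_sshd rules, otherwise gate on `openssh-server`.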
@@ -14,3 +16,7 @@
printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
# Clean up after ourselves.
rm "/etc/crypto-policies/back-ends/openssh.config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-85902-5
+ - NIST-800-53-AC-17(2)
+ - harden_sshd_ciphers_openssh_conf_crypto_policy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - reboot_required
+ - restrict_strategy
- name: XCCDF Value sshd_approved_ciphers # promote to variable
set_fact:
sshd_approved_ciphers: !!str
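Review bot: the new package_facts task is inserted without a blank `+` line before the existing `- name: XCCDF Value sshd_approved_ciphers` task, whereas the openssl and disable_weak_deps playbooks in this diff do get a separator; YAML does not mind, but the generated playbooks would be easier to diff if the generator were consistent. Leaving the `set_fact` task ungated is fine, since it only promotes the XCCDF value to a variable.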
@@ -32,6 +44,7 @@
regexp: (?i)^.*Ciphers\s+
line: Ciphers {{ sshd_approved_ciphers }}
state: present
+ when: '"openssh" in ansible_facts.packages'
tags:
- CCE-85902-5
- NIST-800-53-AC-17(2)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -1 +1 @@
-
+oval:ssg-package_openssh:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssh; then
sshd_approved_macs=''
if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
@@ -14,3 +16,7 @@
printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
# Clean up after ourselves.
rm "/etc/crypto-policies/back-ends/openssh.config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-85870-4
+ - NIST-800-53-AC-17(2)
+ - harden_sshd_macs_openssh_conf_crypto_policy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
- name: XCCDF Value sshd_approved_macs # promote to variable
set_fact:
sshd_approved_macs: !!str
@@ -32,6 +44,7 @@
regexp: (?i)^.*MACs\s+
line: MACs {{ sshd_approved_macs }}
state: present
+ when: '"openssh" in ansible_facts.packages'
tags:
- CCE-85870-4
- NIST-800-53-AC-17(2)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -1 +1 @@
-
+oval:ssg-package_openssh:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
+++ xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "gnutls-utils" ; then
yum install -y "gnutls-utils"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
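Review bot: the gate here is `rpm --quiet -q kernel-core` while the platform is named `oval:ssg-system_with_kernel:def:1`; the commit message should state that "not applicable in containers" is implemented as "kernel-core is installed", because that proxy has two visible consequences: a bootable container image that carries `kernel-core` will still be asked to install gnutls-utils, and a minimal non-container image without `kernel-core` will be notapplicable. Please also confirm the OVAL definition tests the same package as the bash and Ansible gates so check and remediation agree.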
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
+++ xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
@@ -1,7 +1,6 @@
-- name: Ensure gnutls-utils is installed
- ansible.builtin.package:
- name: gnutls-utils
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82395-5
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_gnutls-utils_installed
+
+- name: Ensure gnutls-utils is installed
+ ansible.builtin.package:
+ name: gnutls-utils
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82395-5
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_gnutls-utils_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed'
--- xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
+++ xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_nss-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_nss-tools_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "nss-tools" ; then
yum install -y "nss-tools"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_nss-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_nss-tools_installed
@@ -1,7 +1,6 @@
-- name: Ensure nss-tools is installed
- ansible.builtin.package:
- name: nss-tools
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82396-3
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_nss-tools_installed
+
+- name: Ensure nss-tools is installed
+ ansible.builtin.package:
+ name: nss-tools
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82396-3
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_nss-tools_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed'
--- xccdf_org.ssgproject.content_rule_package_nss-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_nss-tools_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
+++ xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "openscap-scanner" ; then
yum install -y "openscap-scanner"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
+++ xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
@@ -1,7 +1,6 @@
-- name: Ensure openscap-scanner is installed
- ansible.builtin.package:
- name: openscap-scanner
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82220-5
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_openscap-scanner_installed
+
+- name: Ensure openscap-scanner is installed
+ ansible.builtin.package:
+ name: openscap-scanner
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82220-5
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_openscap-scanner_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed'
--- xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
+++ xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
+++ xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "scap-security-guide" ; then
yum install -y "scap-security-guide"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
+++ xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
@@ -1,7 +1,6 @@
-- name: Ensure scap-security-guide is installed
- ansible.builtin.package:
- name: scap-security-guide
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82949-9
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_scap-security-guide_installed
+
+- name: Ensure scap-security-guide is installed
+ ansible.builtin.package:
+ name: scap-security-guide
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82949-9
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_scap-security-guide_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed'
--- xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
+++ xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "subscription-manager" ; then
yum install -y "subscription-manager"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -1,7 +1,6 @@
-- name: Ensure subscription-manager is installed
- ansible.builtin.package:
- name: subscription-manager
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82316-1
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_subscription-manager_installed
+
+- name: Ensure subscription-manager is installed
+ ansible.builtin.package:
+ name: subscription-manager
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82316-1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_subscription-manager_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -1,3 +1,6 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q dnf; then
+
found=false
# set value in all files if they contain section or key
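Review bot: the stray `+` blank line right after `if rpm --quiet -q dnf; then` is not emitted for the other bash remediations in this diff (in the krb5-libs and openssl scripts the first original line follows `then` directly); it is harmless at runtime and most likely comes from a leading blank line in this rule's own bash remediation file, so it is better trimmed there than tolerated in the generated output.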
@@ -33,3 +36,7 @@
echo -e "[main]\ninstall_weak_deps=0" >> "$file"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-88727-3
+ - disable_weak_deps
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Disable Installation of Weak Dependencies in DNF - Disable weak dependencies
community.general.ini_file:
path: /etc/dnf/dnf.conf
@@ -6,6 +18,7 @@
value: 0
create: true
state: present
+ when: '"dnf" in ansible_facts.packages'
tags:
- CCE-88727-3
- disable_weak_deps
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps'
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -1 +1 @@
-
+oval:ssg-package_dnf:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history' differs.
--- xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
+++ xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q bash; then
readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd)
@@ -12,3 +14,7 @@
chmod u-sx,go= "${interactive_users_home[$i]}/.bash_history"
fi
done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history' differs.
--- xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
+++ xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
@@ -1,6 +1,19 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-89104-4
+ - file_permission_user_bash_history
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Ensure User Bash History File Has Correct Permissions - Gather User Info
ansible.builtin.getent:
database: passwd
+ when: '"bash" in ansible_facts.packages'
tags:
- CCE-89104-4
- file_permission_user_bash_history
@@ -17,6 +30,7 @@
register: bash_history_files
with_dict: '{{ ansible_facts.getent_passwd }}'
when:
+ - '"bash" in ansible_facts.packages'
- item.value[4] != "/sbin/nologin"
- item.key not in ["nobody", "nfsnobody"]
- item.value[1] | int >= 1000
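Review bot: `with_dict: '{{ ansible_facts.getent_passwd }}'` is resolved before the `when` list is evaluated, so on a system where the preceding getent task was skipped by its new `'"bash" in ansible_facts.packages'` condition, `ansible_facts.getent_passwd` is undefined and this task fails instead of skipping; either drop the gate from the getent task (it only reads the passwd database) or loop over `ansible_facts.getent_passwd | default({})`. The `with_items: '{{ bash_history_files.results }}'` task in the next hunk depends in the same way on this one having run.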
@@ -36,6 +50,7 @@
mode: u-sx,go=
with_items: '{{ bash_history_files.results }}'
when:
+ - '"bash" in ansible_facts.packages'
- item.stat is defined
- item.stat.exists
tags:
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history'
--- xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
+++ xccdf_org.ssgproject.content_rule_file_permission_user_bash_history
@@ -1 +1 @@
-
+oval:ssg-package_bash:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_etc_security_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
+++ xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
@@ -1,6 +1,12 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
# Create /etc/security/opasswd if needed
# Owner group mode root.root 0600
[ -f /etc/security/opasswd ] || touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 0600 /etc/security/opasswd
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_etc_security_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
+++ xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86140-1
+ - file_etc_security_opasswd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Verify Permissions and Ownership of Old Passwords File
ansible.builtin.file:
path: /etc/security/opasswd
@@ -7,6 +19,7 @@
state: touch
modification_time: preserve
access_time: preserve
+ when: '"pam" in ansible_facts.packages'
tags:
- CCE-86140-1
- file_etc_security_opasswd
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_etc_security_opasswd'
--- xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
+++ xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
@@ -1 +1 @@
-
+oval:ssg-package_pam:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_ldap_client'
--- xccdf_org.ssgproject.content_rule_enable_ldap_client
+++ xccdf_org.ssgproject.content_rule_enable_ldap_client
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
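Review bot: enable_ldap_client shows only the platform change to `oval:ssg-system_with_kernel:def:1`, with no bash or Ansible remediation diff, unlike every other rule in this datastream diff; if the rule ships any remediation it should have picked up the same `kernel-core` gate, so please confirm it has none.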
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
+++ xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
@@ -1,4 +1,10 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q kernel-core; then
if ! rpm -q --quiet "openssh-clients" ; then
yum install -y "openssh-clients"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
+++ xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
@@ -1,7 +1,6 @@
-- name: Ensure openssh-clients is installed
- ansible.builtin.package:
- name: openssh-clients
- state: present
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82722-0
- enable_strategy
@@ -10,3 +9,17 @@
- medium_severity
- no_reboot_needed
- package_openssh-clients_installed
+
+- name: Ensure openssh-clients is installed
+ ansible.builtin.package:
+ name: openssh-clients
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
+ tags:
+ - CCE-82722-0
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_openssh-clients_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed'
--- xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
+++ xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
@@ -1 +1 @@
-
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
+++ xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssh-clients; then
var_ssh_client_rekey_limit_size=''
var_ssh_client_rekey_limit_time=''
@@ -28,3 +30,7 @@
printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
# Clean up after ourselves.
rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
+++ xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-82880-6
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - ssh_client_rekey_limit
- name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable
set_fact:
var_ssh_client_rekey_limit_size: !!str
@@ -15,6 +26,7 @@
create: false
regexp: ^\s*RekeyLimit.*$
state: absent
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-82880-6
- configure_strategy
@@ -30,6 +42,7 @@
contains: ^[\s]*RekeyLimit.*$
patterns: '*.config'
register: ssh_config_include_files
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-82880-6
- configure_strategy
@@ -46,6 +59,7 @@
regexp: ^[\s]*RekeyLimit.*$
state: absent
loop: '{{ ssh_config_include_files.files }}'
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-82880-6
- configure_strategy
@@ -64,6 +78,7 @@
line: RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time
}}
state: present
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-82880-6
- configure_strategy
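Review bot: no "Platform has been changed" hunk appears for ssh_client_rekey_limit even though its bash and Ansible remediations gained an `openssh-clients` gate, and the same holds for the ssh_client_use_strong_rng_csh and ssh_client_use_strong_rng_sh diffs that follow; please confirm the rule's applicability in the datastream changed as well (or already carried this platform), otherwise the check would still run on images where the remediation now declines to do anything.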
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh
+++ xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh
@@ -1,6 +1,12 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssh-clients; then
# put line into the file
echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
# remove eventual override in /etc/profile
sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh
+++ xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83349-1
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - ssh_client_use_strong_rng_csh
+
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh
ansible.builtin.lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.csh
@@ -5,6 +17,7 @@
line: setenv SSH_USE_STRONG_RNG 32
state: present
create: true
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-83349-1
- configure_strategy
@@ -19,6 +32,7 @@
path: /etc/profile
regexp: ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$
state: absent
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-83349-1
- configure_strategy
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
+++ xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
@@ -1,6 +1,12 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q openssh-clients; then
# put line into the file
echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
# remove eventual override in /etc/profile
sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
+++ xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83346-7
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - ssh_client_use_strong_rng_sh
+
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.sh
@@ -5,6 +17,7 @@
line: export SSH_USE_STRONG_RNG=32
state: present
create: true
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-83346-7
- configure_strategy
@@ -19,6 +32,7 @@
path: /etc/profile
regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
state: absent
+ when: '"openssh-clients" in ansible_facts.packages'
tags:
- CCE-83346-7
- configure_strategy
Mab879 (Member) requested changes on Mar 20, 2026:
Check the components of rules.
jan-cerny (Author, Collaborator):
I have fixed the component files
@jan-cerny: The following test failed, say
Description:
This PR improves the applicability of rules when scanning minimal container images. Rules that check for packages, files, or configurations that may not be present in containers now correctly report as notapplicable rather than failing, reducing false positives.
Review Hints:
Scan with `oscap-podman` and confirm the affected rules report notapplicable rather than fail.