Some small patches for SLE15 CIS related remediations #12921

Merged

teacup-on-rockingchair
Contributor

Description:

  • Some minor patches for remediations in the context of CIS

Rationale:

  • Add multi_platform_sle support in ansible remediation for chronyd_run_as_chrony_user
  • Make sure accounts_passwords_pam_tally2_deny_root rule doesn't conflict with accounts_passwords_pam_tally2
  • Add ansible remediation for ensure_shadow_group_empty

@teacup-on-rockingchair added the Ansible (Ansible remediation update), Bash (Bash remediation update) and SLES (SUSE Linux Enterprise Server product related) labels on Jan 28, 2025
@teacup-on-rockingchair added this to the 0.1.76 milestone on Jan 28, 2025
Member

@Mab879 Mab879 left a comment

Thanks for the PR.

I have a few comments.

{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "{{ var_password_pam_tally2 }}", '') }}}
{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
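
Review bot: the last two lines are the same ansible_ensure_pam_module_option call for /etc/pam.d/common-account with identical arguments. If both are present in the template, drop one; the second call cannot change anything the first has not already set.
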
Member

File needs new line at end of file

Contributor Author

thx should be fixed in 9e95276 🙇


- name: Ensure interactive local users are the owners of their respective initialization files
ansible.builtin.shell:
cmd: sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
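
Review bot: the task name on the first line, "Ensure interactive local users are the owners of their respective initialization files", does not describe the command, which strips the member list from the shadow entry in /etc/group. Rename the task to say that, so playbook output and remediation logs are not misleading.
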
Member

File needs new line at end of file

Contributor Author

thx should be fixed in 9e95276 🙇


- name: Ensure interactive local users are the owners of their respective initialization files
ansible.builtin.shell:
cmd: sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
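
Review bot: on the cmd line, running sed -ri through ansible.builtin.shell means the task reports changed on every run and is skipped in check mode, so a host that was already compliant cannot be told apart from one that was just fixed. Use a module that edits the file natively, or at least add changed_when based on whether the shadow entry had members.
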
Member

You might be able to do this with lineinfile vs shell and that would be preferred.

Contributor Author

thx should be fixed in 9e95276 🙇

- fix EOF warnings
- replace executing of bash command from ansible with more standard approach using lineinfile

Thanks to @Mab879 for the notes 🙇
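
The substitution from the shell task discussed above, run against a constructed group file rather than /etc/group, as an added example that is not code from this pull request; the function names and the sample entries are assumptions. It shows that the expression rewrites only the `shadow` entry, is a no-op on a second run, and can report changed or unchanged, which is what a lineinfile task reports and a bare shell task does not.

```shell
#!/bin/sh
# Added example: exercises the page's sed expression on a constructed
# group file, never on the real /etc/group.

# Print the member list of the shadow group in the given group(5) file
# (empty output means the group has no members).
shadow_members() {
    awk -F: '$1 == "shadow" { print $4 }' "$1"
}

# Apply the page's expression to the given file (-E is the portable
# spelling of GNU sed's -r) and print "changed" or "unchanged".
strip_shadow_members() {
    file=$1
    tmp=$(mktemp) || return 2
    sed -E 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
    else
        cat "$tmp" > "$file"   # rewrite in place, keeping inode and mode
        rm -f "$tmp"
        echo changed
    fi
}

# Constructed sample input: one shadow entry with members, one group
# whose name merely starts with "shadow", one with a member named shadow.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:
shadow:x:15:alice,bob
shadowusers:x:1001:carol
audio:x:492:shadow
EOF
}
```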

codeclimate bot commented Jan 29, 2025

Code Climate has analyzed commit bfcec76 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

@Mab879 self-assigned this on Jan 29, 2025
Member

@Mab879 Mab879 left a comment

Waiving Automatus tests as tests are not found, this is expected.

@Mab879 merged commit 1bd83d3 into ComplianceAsCode:master on Jan 29, 2025
105 of 109 checks passed