ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Update select rules for RHEL not to modify systemd units in /usr #12486

Closed Mab879 closed 3 weeks ago

Mab879 commented 1 month ago

Description:

Rationale:

Help with RPM verify pass.

github-actions[bot] commented 1 month ago

Start a new ephemeral environment with changes proposed in this pull request:

- rhel8 (from CTF) Environment (using Fedora as testing environment)
- Fedora Testing Environment
- Oracle Linux 8 Environment

github-actions[bot] commented 1 month ago

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff ```diff OVAL for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs. --- oval:ssg-require_emergency_target_auth:def:1 +++ oval:ssg-require_emergency_target_auth:def:1 @@ -1,5 +1,9 @@ +criteria OR criteria AND criterion oval:ssg-test_require_emergency_service:tst:1 criterion oval:ssg-test_require_emergency_service_emergency_target:tst:1 criterion oval:ssg-test_no_custom_emergency_target:tst:1 criterion oval:ssg-test_no_custom_emergency_service:tst:1 +criterion oval:ssg-test_require_emergency_target_auth_drop_in_config_exist:tst:1 +criteria ONE +criterion oval:ssg-test_require_emergency_service_drop_in:tst:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs. --- xccdf_org.ssgproject.content_rule_require_emergency_target_auth +++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth @@ -1,17 +1,16 @@ # Remediation is applicable only in certain platforms if rpm --quiet -q kernel; then -service_file="/usr/lib/systemd/system/emergency.service" +service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d" +service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf" sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" -fi +mkdir -p "${service_dropin_cfg_dir}" +echo "[Service]" >> "${service_dropin_file}" +echo "ExecStart=-$sulogin" >> "${service_dropin_file}" else >&2 echo 'Remediation is not applicable, nothing was done' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs. --- xccdf_org.ssgproject.content_rule_require_emergency_target_auth +++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth 
@@ -17,11 +17,12 @@ - restrict_strategy - name: Require emergency mode password - lineinfile: + ansible.builtin.blockinfile: create: true - dest: /usr/lib/systemd/system/emergency.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + dest: /etc/systemd/system/emergency.service.d/10-oscap.conf + block: |- + [Service] + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency when: '"kernel" in ansible_facts.packages' tags: - CCE-82186-8 bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs. --- xccdf_org.ssgproject.content_rule_require_singleuser_auth +++ xccdf_org.ssgproject.content_rule_require_singleuser_auth 
@@ -1,14 +1,37 @@ # Remediation is applicable only in certain platforms if rpm --quiet -q kernel; then -service_file="/usr/lib/systemd/system/rescue.service" +found=false -sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" +# set value in all files if they contain section or key +for f in $(echo -n "/etc/systemd/system/rescue.service.d/10-oscap.conf"); do + if [ ! -e "$f" ]; then + continue + fi -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" + # find key in section and change value + if grep -qzosP "[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then + + sed -i "s/ExecStart[^(\n)]*/ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue/" "$f" + + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[Service\]" "$f"; then + + sed -i "/[[:space:]]*\[Service\]/a ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f" + + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/systemd/system/rescue.service.d/10-oscap.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + + echo -e "[Service]\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> "$file" + fi else ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs. --- xccdf_org.ssgproject.content_rule_require_singleuser_auth +++ xccdf_org.ssgproject.content_rule_require_singleuser_auth 
@@ -16,12 +16,13 @@ - require_singleuser_auth - restrict_strategy -- name: Require single user mode password - lineinfile: - create: true - dest: /usr/lib/systemd/system/rescue.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue +- name: Require Authentication for Single User Mode - Require emergency user mode + password + community.general.ini_file: + path: /etc/systemd/system/rescue.service.d/10-oscap.conf + section: Service + option: ExecStart + value: -/usr/lib/systemd/systemd-sulogin-shell rescue when: '"kernel" in ansible_facts.packages' tags: - CCE-80855-0 ```
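Review bot: in the OVAL hunk for require_emergency_target_auth, the new `criteria ONE` wraps a single criterion (`oval:ssg-test_require_emergency_service_drop_in:tst:1`), which evaluates exactly like the bare criterion, so either drop the wrapper or add the second drop-in test it seems to anticipate. The hunk also does not show the definitions of the two new tests (`..._drop_in_config_exist` and `..._drop_in`), so please confirm in the review that the drop-in test matches the same `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency` value the remediations write, including any whitespace the Ansible path may introduce around `=`.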
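Review bot: the bash remediation for require_emergency_target_auth is no longer idempotent: `echo "[Service]" >> "${service_dropin_file}"` and `echo "ExecStart=-$sulogin" >> "${service_dropin_file}"` append unconditionally, so every run adds another `[Service]` section and `ExecStart` line; either guard with a grep as the rescue hunk does, or write the file with `>` since this remediation owns `10-oscap.conf`. Separately, emergency.service is not `Type=oneshot`, and systemd refuses to load a non-oneshot service that ends up with more than one `ExecStart=` command, so a drop-in must clear the existing value with an empty `ExecStart=` line before setting `ExecStart=-$sulogin`; `systemd-analyze verify emergency.service` on a remediated host shows whether the merged unit loads.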
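Review bot: in the Ansible hunk for require_emergency_target_auth, `ansible.builtin.blockinfile` with `create: true` creates the file but not its parent directory, so on a host where `/etc/systemd/system/emergency.service.d/` does not yet exist the task fails; add an `ansible.builtin.file` task with `state: directory` for that path before it (the rescue hunk avoids this because `community.general.ini_file` creates missing parent directories itself). The block should also carry the same empty `ExecStart=` reset line as the bash remediation needs, and it would be worth using one module for both rules rather than `blockinfile` here and `ini_file` for rescue, so the two drop-ins end up in the same shape.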
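Review bot: the bash hunk for require_singleuser_auth has a broken substitution: `sed -i "s/ExecStart[^(\n)]*/ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue/" "$f"` uses `/` as the delimiter while the replacement contains `/usr/lib/...`, so sed reads `usr/lib/...` as flags and exits with "unknown option to `s'" whenever the drop-in already has an `ExecStart` line, leaving the wrong value in place while `found=true` is still set. Use a delimiter that does not occur in the path, as the removed code did (`s%ExecStart.*%ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue%`), and add the `[[:space:]]*` handling consistently to the `grep -qzosP` pattern and the sed patterns so they agree on what an existing key looks like.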
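Review bot: the task name in the Ansible hunk for require_singleuser_auth, "Require Authentication for Single User Mode - Require emergency user mode password", refers to the emergency target, but the task edits `rescue.service.d`; rename the second half to "Require single user mode password" so it matches the removed name and the rule it belongs to. Also note that `community.general.ini_file` writes `ExecStart = -/usr/lib/systemd/systemd-sulogin-shell rescue` with spaces around `=` unless `no_extra_spaces: true` is set; systemd trims that whitespace so the unit still loads, but the OVAL check and the bash path's `grep`/`sed` patterns must accept that spelling, or set `no_extra_spaces: true` so all three paths write the identical line.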
github-actions[bot] commented 1 month ago

A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:12486 This image was built from commit: b560bc10eb7f6a7aa79bb877c5f5922c501cbd12

If you already have Compliance Operator deployed:

```
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12486
```

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:

```
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12486 make deploy-local
```
codeclimate[bot] commented 1 month ago

Code Climate has analyzed commit 903b8519 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).


Mab879 commented 3 weeks ago

@mildas Can we use the FQCN for community.general.ini_file?

mildas commented 3 weeks ago

@Mab879 The test doesn't accept the FQCNs of community.general/ansible.posix modules. I have proposed a fix for the test and will re-run CI when it's merged.

jan-cerny commented 3 weeks ago

This looks fine now:

```
jcerny@fedora:~/work/git/scap-security-guide (pr/12486)$ python3 tests/automatus.py  rule --libvirt qemu:///system ssgts_rhel9 require_singleuser_auth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-10-31-1442/test_suite.log
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_require_singleuser_auth
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_dropin.pass.sh using profile (all) OK
INFO - Script wrong_dropin.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12486)$ python3 tests/automatus.py  rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible require_singleuser_auth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-10-31-1443/test_suite.log
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_require_singleuser_auth
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_dropin.pass.sh using profile (all) OK
INFO - Script wrong_dropin.fail.sh using profile (all) OK
```