ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL 7 - `chronyd_or_ntpd_set_maxpoll` failing test scenarios after Ansible remediation #8360

Closed mildas closed 2 years ago

mildas commented 2 years ago

Description of problem:

Two chronyd_or_ntpd_set_maxpoll test scenarios are failing during the final stage:

INFO - xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
INFO - Script chrony.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script chrony_no_pool_nor_servers.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script chrony_nothing_done.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.
INFO - Script chrony_one_pool_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script chrony_one_pool_misconfigured.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script chrony_one_pool_missing_parameter.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script chrony_one_server_misconfigured.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script ntp.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script ntp_wrong_maxpoll.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.

SCAP Security Guide Version:

ece8437

Operating System Version:

RHEL 7

Steps to Reproduce:

  1. python3 tests/test_suite.py rule --libvirt qemu:///session test-suite-rhel7 --datastream build/ssg-rhel7-ds.xml --no-reports chronyd_or_ntpd_set_maxpoll

Actual Results:

Some test scenarios fail.

Expected Results:

All test scenarios pass.

ggbecker commented 2 years ago

The main problem here is that the lineinfile Ansible module only replaces the last occurrence of a line, leaving other matching lines untouched. In this case, for example, there are multiple `server` lines in the RHEL7 instance and only the last one has the maxpoll added. The correct approach is to use the replace Ansible module instead, which is able to change all the matching lines.
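The difference between the two modules is easy to see outside of Ansible. The script below is an added example written for this page; it is not ComplianceAsCode remediation code and not the project's Ansible task. It models the two behaviours in plain Python: `lineinfile_like` rewrites only the last line matching the regexp, which is what `ansible.builtin.lineinfile` does with `regexp` + `line` + `backrefs: yes`, while `replace_like` rewrites every matching line, which is what `ansible.builtin.replace` does with `regexp` + `replace`. It runs both over a constructed `/etc/chrony.conf` with several `server` lines and one `pool` line, and then applies the same check the rule performs, namely that every `server`/`pool` line carries `maxpoll <value>`. The sample file, the regexp `NO_MAXPOLL_RE`, and the value `maxpoll = 10` are assumptions made for the example, not taken from the datastream.

```python
import re

# Constructed sample /etc/chrony.conf (not from a real host): several server
# lines plus a pool line, none of which has maxpoll yet.
SAMPLE_CHRONY_CONF = """\
# Use public servers from the pool.ntp.org project.
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
pool 3.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

# Assumed regexp: matches a server/pool line that does NOT already carry a
# maxpoll option. Group 1 captures the whole existing line so the remediation
# can append " maxpoll N" with a backreference. Lines that already have
# maxpoll do not match, which makes the remediation idempotent.
NO_MAXPOLL_RE = re.compile(
    r"^((?:server|pool)\s+\S+(?:(?!\s+maxpoll\b)\s+\S+)*)\s*$"
)


def lineinfile_like(text, regexp, line):
    """Mimic ansible.builtin.lineinfile with regexp + line + backrefs: yes.

    When several lines match, only the LAST match is rewritten; every other
    matching line is left untouched. With backrefs enabled and no match at
    all, the file is left unchanged.
    """
    lines = text.splitlines()
    matches = [i for i, l in enumerate(lines) if regexp.search(l)]
    if matches:
        last = matches[-1]
        lines[last] = regexp.sub(line, lines[last])  # expands \1 like backrefs
    return "\n".join(lines) + "\n"


def replace_like(text, regexp, replacement):
    """Mimic ansible.builtin.replace: EVERY matching line is rewritten."""
    return "\n".join(regexp.sub(replacement, l) for l in text.splitlines()) + "\n"


def unremediated_lines(text, maxpoll=10):
    """The check side: return the server/pool lines lacking 'maxpoll <maxpoll>'.

    An empty list means the rule would pass.
    """
    bad = []
    for l in text.splitlines():
        if re.match(r"^\s*(server|pool)\s", l) and not re.search(
            rf"\bmaxpoll\s+{maxpoll}\b", l
        ):
            bad.append(l)
    return bad


def remediate(text, strategy, maxpoll=10):
    """Apply the maxpoll remediation using either module's semantics."""
    replacement = rf"\1 maxpoll {maxpoll}"
    if strategy == "lineinfile":
        return lineinfile_like(text, NO_MAXPOLL_RE, replacement)
    if strategy == "replace":
        return replace_like(text, NO_MAXPOLL_RE, replacement)
    raise ValueError(f"unknown strategy: {strategy}")


if __name__ == "__main__":
    for strategy in ("lineinfile", "replace"):
        fixed = remediate(SAMPLE_CHRONY_CONF, strategy)
        left = unremediated_lines(fixed)
        print(f"{strategy}: {len(left)} server/pool line(s) still without maxpoll")
        for l in left:
            print("   ", l)
```

With the constructed file, the `lineinfile` strategy appends `maxpoll 10` only to the `pool` line (the last match) and leaves three `server` lines unfixed, so the post-remediation check still fails; the `replace` strategy fixes all four and the check passes. Running `replace` a second time changes nothing, because already-remediated lines no longer match the regexp, which is the property you want from a remediation that may run on every playbook execution.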