ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Rule postfix_client_configure_mail_alias aborts ANSSI playbooks #9230

Closed yuumasato closed 2 years ago

yuumasato commented 2 years ago

Description of problem:

Ansible remediation with the ANSSI Intermediary, Enhanced and High playbooks fails with the same error as reported in #9176:

TASK [Make sure that "/etc/aliases" has a defined value for root] **************
changed: [192.168.122.130]

TASK [Update postfix aliases] **************************************************
fatal: [192.168.122.130]: FAILED! => {"changed": false, "cmd": "newaliases", "msg": "[Errno 2] No such file or directory: b'newaliases'", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

SCAP Security Guide Version:

5caa381157e979f65cba48f5561beab8fa84c75d (stabilization) dff074061b45b20794f5c05c1bf403f6dbbc398f (master)

Operating System Version:

Any

Steps to Reproduce:

  1. Run ANSSI intermediary playbook

Actual Results:

The playbook aborts

Expected Results:

The playbook finishes

Additional Information/Debugging Steps:

In the case of the STIG profile, the assumption was that postfix is expected to be installed. But that is not the case for ANSSI.

yuumasato commented 2 years ago

For the STIG profile we could infer that postfix is wanted to be installed, but for ANSSI, postfix is not a hard requirement.

Selecting the rule to install postfix in ANSSI profiles seems inadequate to me; adding platform: postfix to rule postfix_client_configure_mail_alias may work, but it is not a general solution, because it will cause problems for STIG. (If, for example, postfix_client_configure_mail_alias_postmaster had platform: postfix, the rule would require two remediation runs to pass. It would result in "not applicable" in the first run, and then fail in the second run after postfix was installed.)

marcusburghardt commented 2 years ago

The newaliases command may be delivered by different MTA packages (postfix, sendmail, exim, ssmtp, etc.). Also, /etc/aliases may be used by different MTAs which do not necessarily need to build an aliases database and consequently do not need the newaliases command. Therefore, the remediation should not assume that the execution of the newaliases command is mandatory.

I suggest removing the task related to the newaliases command in this remediation or, at least, making it optional. Some alternatives could be:
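One way to make the newaliases step optional, shown here as an added example that is not code from this issue or from the ComplianceAsCode project: the tasks mirror the two in the playbook output above, but the database rebuild only runs when /etc/aliases actually changed and a newaliases binary is found on PATH, so hosts with no MTA, or with an MTA that does not ship newaliases (ssmtp, for instance), skip the step instead of aborting the play. The alias target `root: postmaster` is an assumed value for illustration only.

```yaml
# Added example (not the project's remediation). Assumes a host where
# /etc/aliases may or may not exist and an MTA may or may not be installed.
- name: Make sure that "/etc/aliases" has a defined value for root
  ansible.builtin.lineinfile:
    path: /etc/aliases
    regexp: '^root:'
    line: 'root: postmaster'   # assumed alias value for illustration
    create: true
  register: aliases_updated

# Probe for the command instead of assuming it. "command -v" is a shell
# builtin, hence the shell module rather than the command module.
- name: Check whether a newaliases command is available
  ansible.builtin.shell: command -v newaliases
  register: newaliases_check
  changed_when: false
  failed_when: false

# Rebuild the aliases database only when there is something to rebuild
# and a tool to do it with; otherwise the task is skipped, not failed.
- name: Update aliases database (only when an MTA providing newaliases is installed)
  ansible.builtin.command: newaliases
  when:
    - aliases_updated is changed
    - newaliases_check.rc == 0
```

Because the name newaliases is shared by postfix, sendmail and exim, the same guard works for each of them without adding an MTA-specific platform condition to the rule; on a host where postfix is installed by an earlier rule in the same run, the probe succeeds and the rebuild still happens in that single run.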