OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

Ignore any error from yum clean during remediation #136

Closed yuumasato closed 6 years ago

yuumasato commented 6 years ago

If the host machine is not subscribed, the command "yum clean all" executed after the remediation script will return an error and cause remediation of the image to be aborted.

Below is the error from container remediation.

...
Remediating rule 13/14: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'
Remediating rule 14/14: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf'
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 To enable Red Hat Subscription Management repositories:
     subscription-manager repos --enable <repo>
 To enable custom repositories:
     yum-config-manager --enable <repo>
Cannot build remediated image from fd1ba0b398a82d56900bb798c8b099fbe3166bc49e2c5e947f7973cd38ff1a90: Error during Docker build The command '/bin/sh -c chmod +x /fix.sh; /fix.sh ; yum clean all' returned a non-zero code: 1

This patch prevents any error in "yum clean all" from aborting the whole remediation. The only thing that should happen if the host machine is not subscribed is that packages are not installed in the remediated container image.
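As an added illustration (not openscap-daemon's own code), a POSIX shell helper that mirrors the RUN step quoted in the build error above but tolerates a failing "yum clean all" the way the patch does, reporting the failure on stderr instead of hiding it. The YUM override is an assumption so the helper can be exercised on a host without yum.

```shell
# Hypothetical helper mirroring "chmod +x /fix.sh; /fix.sh ; yum clean all",
# written so that a failing "yum clean all" no longer aborts the image build.
# YUM may be overridden (assumption for testing); it defaults to the real yum.
: "${YUM:=yum}"

# remediate_and_clean FIX_SCRIPT
#   1. runs the remediation script; its exit status is not trusted as a
#      remediation result (see the discussion), so it is reported, not fatal;
#   2. cleans the package cache. On unsubscribed or offline hosts this step
#      exits non-zero ("There are no enabled repos."), which must not fail the
#      build, but the failure is still surfaced in the build output.
# Returns 0 unless the remediation script itself could not be made executable.
remediate_and_clean() {
    fix_script=$1
    chmod +x "$fix_script" || return 1

    "$fix_script"
    fix_status=$?
    if [ "$fix_status" -ne 0 ]; then
        echo "warning: $fix_script exited with status $fix_status" >&2
    fi

    # Deliberately tolerated: a missing subscription or an offline build host
    # makes "yum clean all" return 1 even when nothing needed installing.
    if ! "$YUM" clean all; then
        echo "warning: '$YUM clean all' failed; package cache not cleaned" >&2
    fi
    return 0
}
```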

pep8speaks commented 6 years ago

Hello @yuumasato! Thanks for updating the PR.

Line 79:47: E225 missing whitespace around operator

Comment last updated on April 25, 2018 at 11:25 Hours UTC
matejak commented 6 years ago

I am totally in favor of merging this PR, but I suggest that the reason for this is somehow documented in the code, so people don't have a tendency to "correct" it back. BTW it is not only about missing subscriptions, but offline machines would also see a failure here (even if remediation didn't want to install any package).

mpreisler commented 6 years ago

This absolutely needs a comment. If I saw this, I would probably assume that this is some testing leftover.

yuumasato commented 6 years ago

I have added a comment.

I also made it so that errors from fix.sh are not completely ignored.

matejak commented 6 years ago

As we don't make sure that the return code of a remediation script reflects the remediation result, we can probably safely ignore it for the time being.

yuumasato commented 6 years ago

Agreed, there were some other implementation-related problems as well. I've dropped the commit.

matejak commented 6 years ago

I liked some of the style improvements you made in that commit, but I will merge this one and you can open a new one whenever you like. Thanks for your contribution!