ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

remove quotes in sudoers file in order to pass openscap security scan #194

Closed brakkio86 closed 2 months ago

brakkio86 commented 5 months ago

Overall Review of Changes: remove quotes in sudoers file in order to pass openscap security scan

Issue Fixes: none

Enhancements: pass openscap scan.

How has this been tested?: local environment.

uk-bolly commented 5 months ago

hi @brakkio86

Thank you for this pull request, unfortunately we are finding more and more scanners look for some things in a somewhat restrictive way, often creating false positives. Meaning what works for one scanner may fail for another. So we try not to write the code to match a specific scanner but to match what the documentation requests, which is what the scanner should be looking for anyway. In this case it has the following

Example Defaults logfile="/var/log/sudo.log"

As a quick note you have also added another file as part of your pull request.

Many thanks

uk-bolly

brakkio86 commented 5 months ago

Hello, I've corrected my commit. The base idea of this pull request is to remove double bracket around logfile path because openscap scanner (CIS Benchmark for RHEL9 level 2 server) does not match it and apply a fix that duplicates the logfile directive. Thanks, Francesco

uk-bolly commented 5 months ago

hi @brakkio86

Thank you for removing the committed file, I'm afraid as mentioned, we are still trying to make a change to make one scanner work, in this case openscap. But this may break another scanner which is looking for the ".

Sorry this is the way but with so many scanners we can't write to match how a scanner looks for it, scanners need to be less brittle in the searches and look for valid syntax not what it wants to see. In this case the CIS benchmark says to have quotes, so we match the benchmark not the scanner.

I hope that makes sense?

Kindest regards

uk-bolly
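The point uk-bolly is making (check for the syntax sudoers actually accepts, not for one scanner's literal string) can be shown with a small audit check. The Python below is an added example, not code from the RHEL9-CIS role, from OpenSCAP or from the CIS benchmark content; the sudoers fragments in it are constructed, and the function names are hypothetical. It contrasts a brittle pattern that only matches the unquoted path with a pattern that accepts the value with or without the double quotes the benchmark example uses, and it ignores commented-out lines.

```python
import re

# Constructed sudoers fragments (not taken from the page or the project).
# sudoers(5) accepts the logfile value either quoted or unquoted, and CIS's
# example shows it quoted: Defaults logfile="/var/log/sudo.log"
SUDOERS_QUOTED = 'Defaults    logfile="/var/log/sudo.log"\n'
SUDOERS_UNQUOTED = 'Defaults    logfile=/var/log/sudo.log\n'
SUDOERS_MISSING = 'Defaults    use_pty\n'
SUDOERS_COMMENTED = '# Defaults logfile="/var/log/sudo.log"\n'
# Several Defaults options may share one line, separated by commas.
SUDOERS_MULTI = 'Defaults    log_input, logfile="/var/log/sudo.log", log_output\n'

EXPECTED_LOGFILE = "/var/log/sudo.log"

# Brittle pattern: anchors on the literal unquoted path, so the quoted form
# from the benchmark example is reported as a failure (a false positive).
BRITTLE_RE = re.compile(
    r'^\s*Defaults\b.*?\blogfile=/var/log/sudo\.log(?=[\s,]|$)', re.M)

# Syntax-aware pattern: group 1 captures an optional opening double quote,
# group 2 the path, and the backreference \1 demands the matching close quote
# only when an opening quote was present. A comment line never matches
# because ^ must be followed directly by optional whitespace and "Defaults".
ROBUST_RE = re.compile(
    r'^\s*Defaults\b.*?\blogfile=("?)(/[^\s",]+)\1(?=[\s,]|$)', re.M)


def brittle_passes(sudoers_text: str) -> bool:
    """True only if the logfile line is written exactly in the unquoted form."""
    return BRITTLE_RE.search(sudoers_text) is not None


def robust_logfile(sudoers_text: str):
    """Return the configured sudo logfile path (quotes stripped) or None.

    Accepts both 'logfile=/path' and 'logfile="/path"', the two spellings
    sudoers itself accepts, and ignores commented-out lines.
    """
    m = ROBUST_RE.search(sudoers_text)
    return m.group(2) if m else None


def check_sudo_logfile(sudoers_text: str, expected: str = EXPECTED_LOGFILE) -> bool:
    """Audit step: is a sudo logfile configured and does it point at `expected`?

    A real audit would concatenate /etc/sudoers and every file under
    /etc/sudoers.d before calling this; the text is passed in here so the
    check runs offline on the constructed samples.
    """
    return robust_logfile(sudoers_text) == expected


if __name__ == "__main__":
    for label, text in [("quoted", SUDOERS_QUOTED), ("unquoted", SUDOERS_UNQUOTED),
                        ("multi-option", SUDOERS_MULTI), ("missing", SUDOERS_MISSING),
                        ("commented", SUDOERS_COMMENTED)]:
        print(f"{label:13s} brittle={brittle_passes(text)!s:5s} "
              f"robust={check_sudo_logfile(text)}")
```

Running it shows the disagreement at the heart of this thread: the brittle check fails the quoted, benchmark-style line while the syntax-aware check passes it, and both correctly reject a missing or commented-out directive.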

brakkio86 commented 5 months ago

mmm, interesting... I've a support case to Red Hat in order to check the openscap test. I'll mark this as draft. Thanks, Francesco

uk-bolly commented 2 months ago

hi @brakkio86

Wondering if you have managed to get anywhere with redhat on this issue. We see a lot of SCAP reports coming back lately that do not test against the documentation, but instead try to match the example they provide to resolve it.

Many thanks

uk-bolly

brakkio86 commented 2 months ago

Hello, a few days ago Red Hat published a fix (https://access.redhat.com/errata/RHBA-2024:3624). Now this PR is obsolete. Thanks, Francesco