
4.2.3 | PATCH | Ensure permissions on all logfiles are configured - Not idempotent with Molecule #173

Closed
rjacobs1990 opened this issue Feb 12, 2024 · 2 comments
Labels
bug Something isn't working

Comments

rjacobs1990 (Contributor) commented Feb 12, 2024

Describe the Issue
4.2.3 | PATCH | Ensure permissions on all logfiles are configured. Unfortunately this step is not idempotent.
When running a cis-wrapper role that calls this role, I noticed that audit.log kept changing during the Molecule idempotency run on AWS/Azure Alma or RHEL machines.
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Expected Behavior
I would like to see no changes in file permissions during the second run.

Actual Behavior
The second run is changing the following files:
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Control(s) Affected
What controls are being affected by the issue
4.2.3 | PATCH | Ensure permissions on all logfiles are configured.

Environment (please complete the following information):

  • branch being used: v1.0.1
  • Ansible Version: [2.15]
  • Host Python Version: 3.12
  • Ansible Server Python Version: n/a
  • Additional Details:
    I think the issue is partially caused by the audit.conf where the log_group is set to root. During rotation it will set the permissions back to 600.

Additional Notes
N/A

Possible Solution
Below code could be a potential fix for the issue:

- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: "{% if item.mode != '0600' %}0640{% endif %}"
  loop: "{{ logfiles.files }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - item.path != "/var/log/btmp"
    - item.path != "/var/log/utmp"
    - item.path != "/var/log/wtmp"
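The idempotency problem described in this issue, and the effect of the conditional mode proposed above (and refined in the follow-up comment to `'0600' if item.mode == '0600' else '0640'`), reproduced on a constructed directory tree standing in for /var/log. This is an added example, not code from the RHEL9-CIS role: `desired_mode` mirrors the Jinja expression in Python, `apply_logfile_perms` stands in for the find-plus-file loop, and `auditd_resets_audit_log` is a stand-in for the behaviour the reporter attributes to auditd with `log_group = root` (the audit log going back to 0600 on rotation). File names, starting modes and the "molecule idempotency run" sequence are assumptions made for the demonstration.

```python
"""Added example: why an unconditional chmod 0640 on /var/log is not idempotent
when something else keeps putting audit.log back to 0600, and how the
conditional mode from the issue avoids the repeated 'changed'."""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

# Files the posted task skips via its 'when' conditions. Assumption: the same
# three names, matched on basename here instead of the full /var/log path.
EXCLUDED_NAMES = {"btmp", "utmp", "wtmp"}


def current_mode(path: Path) -> str:
    """Permission bits as a four-digit octal string, e.g. '0640' (like item.mode)."""
    return f"{stat.S_IMODE(path.stat().st_mode):04o}"


def desired_mode(mode: str, keep_stricter: bool) -> str:
    """Target mode for one file.

    keep_stricter=True mirrors the fix: '0600' if item.mode == '0600' else '0640'.
    keep_stricter=False is the original behaviour: always 0640.
    """
    if keep_stricter and mode == "0600":
        return "0600"
    return "0640"


def apply_logfile_perms(log_root: Path, keep_stricter: bool) -> list[str]:
    """One converge of the task. Returns the relative paths reported as 'changed'."""
    changed: list[str] = []
    for path in sorted(log_root.rglob("*"), key=str):
        if not path.is_file() or path.name in EXCLUDED_NAMES:
            continue
        before = current_mode(path)
        after = desired_mode(before, keep_stricter)
        if before != after:
            path.chmod(int(after, 8))
            changed.append(str(path.relative_to(log_root)))
    return changed


def auditd_resets_audit_log(log_root: Path) -> None:
    """Stand-in for what the reporter describes: with log_group = root the
    audit log is set back to 0600 on rotation (assumption, modelled as a chmod)."""
    (log_root / "audit" / "audit.log").chmod(0o600)


def make_sample_var_log() -> Path:
    """Constructed sample tree with a realistic mix of starting modes."""
    root = Path(tempfile.mkdtemp(prefix="varlog-"))
    (root / "audit").mkdir()
    sample = {
        "audit/audit.log": 0o600,  # auditd default with log_group = root
        "messages": 0o644,         # too open, must become 0640
        "secure": 0o600,           # already stricter than 0640
        "cron": 0o640,             # already compliant
        "btmp": 0o660,             # excluded by the task
        "wtmp": 0o664,             # excluded by the task
    }
    for rel, mode in sample.items():
        p = root / rel
        p.write_text("constructed log content\n")
        p.chmod(mode)
    return root


def run_scenario(keep_stricter: bool) -> list[list[str]]:
    """First converge, then the rotation/reset, then the idempotency converge.

    Returns the 'changed' lists of both converges. An idempotent task yields
    an empty second list.
    """
    root = make_sample_var_log()
    first = apply_logfile_perms(root, keep_stricter)
    auditd_resets_audit_log(root)
    second = apply_logfile_perms(root, keep_stricter)
    return [first, second]


if __name__ == "__main__":
    print("unconditional 0640:", run_scenario(keep_stricter=False))
    print("keep 0600 as-is:   ", run_scenario(keep_stricter=True))
```

With the unconditional mode the second converge reports `audit/audit.log` changed again, which is exactly the Molecule failure in the report; with the conditional mode the first converge only touches `messages` and the second is a no-op. One caveat a reviewer would raise about the expression as posted: it compares the mode string for equality with `'0600'` only, so a file that is already stricter than that (for example 0400) would be opened up to 0640 on every run; if that matters in your environment, test the permission bits (`mode & ~0o640 == 0`) rather than the string.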
@rjacobs1990 rjacobs1990 added the bug Something isn't working label Feb 12, 2024
rjacobs1990 added two commits to rjacobs1990/RHEL9-CIS that referenced this issue Feb 12, 2024
rjacobs1990 (Contributor, Author) commented Feb 12, 2024

Updated the mode setting to: "{{ '0600' if item.mode == '0600' else '0640' }}"
This prevents skips on the 0600.

rjacobs1990 added a commit to rjacobs1990/RHEL9-CIS that referenced this issue Feb 12, 2024
uk-bolly (Member) commented

hi @rjacobs1990

Great work on the issue and PR. I have feedback on the PR.

Many thanks again

uk-bolly

uk-bolly added a commit that referenced this issue Feb 19, 2024
fix: idempotency molecule issue fixed for logfiles #173
@uk-bolly uk-bolly self-assigned this Feb 19, 2024
ipruteanu-sie pushed commits to siemens/RHEL9-CIS that referenced this issue on Feb 21, 2024 and Mar 11, 2024