Address issues in 4.1.1.2 and 4.1.1.3 including idempotent status #188

Merged
merged 3 commits into from
Mar 14, 2024

Conversation

RoboPickle
Contributor

Overall Review

4.1.1.2 and 4.1.1.3 do not accurately determine the current state of the kernel audit and audit backlog limits. As such they always trigger, spoiling idempotency.

Issue Fixes:

Fixes #187: Idempotent and other issues in 4.1.1.2 and 4.1.1.3
Fixes #160

Enhancements:

None other than the fixes identified

How has this been tested?:

Tested against a minimally configured Alma Linux 9 VM.

audit task 4.1.1.2

  1. Ran numerous combinations of 1 and 0 and Off (in various case upper/lower/mixed)
    • Correctly identified when it needed to run and when not
  2. Ran against a single kernel, so a single response from grubby
    • Correctly identified when it needed to run and when not
  3. Ran against multiple kernels, so an array response from grubby
    • Correctly identified when it needed to run and when not
  4. Ran test against none of the kernels having the arg set
    • Correctly identified that it needed to run
  5. Repeated runs do not trigger grubby to update
    • Correctly identified that it did not need to run

audit backlog limit task 4.1.1.3

  1. Ran numerous combinations of different elements in the array being below the target
    • Correctly identified when it needed to run and when not
  2. Ran against a single kernel, so a single response from grubby
    • Correctly identified when it needed to run and when not
  3. Ran against multiple kernels, so an array response from grubby
    • Correctly identified when it needed to run and when not
  4. Ran test against none of the kernels having the arg set
    • Correctly identified that it needed to run
  5. Repeated runs do not trigger grubby to update
    • Correctly identified that it did not need to run
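
The checks the testing notes above exercise (one args= line per kernel from grubby, so a single kernel and several are handled alike; the audit flag matched in any case; the backlog limit compared against a minimum), as an added Python example that is not code from this pull request or the ansible-lockdown role. The `grubby --info=ALL` sample is constructed, and the 8192 minimum is an assumption taken from the CIS recommended value.

```python
from typing import Optional

# Constructed sample of `grubby --info=ALL` for two kernels (assumed field layout;
# only the kernel= and args= lines are used by the check).
SAMPLE_GRUBBY_INFO = """\
index=0
kernel="/boot/vmlinuz-5.14.0-362.el9.x86_64"
args="ro rhgb quiet audit=1 audit_backlog_limit=8192"
index=1
kernel="/boot/vmlinuz-5.14.0-284.el9.x86_64"
args="ro rhgb quiet AUDIT=Off audit_backlog_limit=4096"
"""


def parse_kernel_args(info: str) -> dict[str, dict[str, Optional[str]]]:
    """Map each kernel path to {arg name (lowercased): value or None}.

    grubby emits one args= line per kernel block, so one kernel and many
    kernels are handled the same way; a repeated argument keeps its last value.
    """
    kernels: dict[str, dict[str, Optional[str]]] = {}
    current = None
    for line in info.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip().strip('"')
        if key == "kernel":
            current = value
            kernels[current] = {}
        elif key == "args" and current is not None:
            for token in value.split():
                name, has_value, val = token.partition("=")
                kernels[current][name.lower()] = val if has_value else None
    return kernels

def needs_audit_fix(args: dict[str, Optional[str]]) -> bool:
    """4.1.1.2: remediate unless audit=1 is set (0, Off in any case, or absent all fail)."""
    return args.get("audit") != "1"

def needs_backlog_fix(args: dict[str, Optional[str]], minimum: int = 8192) -> bool:
    """4.1.1.3: remediate when audit_backlog_limit is absent, non-numeric or below minimum."""
    raw = args.get("audit_backlog_limit")
    return raw is None or not raw.isdigit() or int(raw) < minimum

def kernels_needing_change(info: str, minimum: int = 8192) -> list[str]:
    """Kernels failing either check; an empty list means the task should report no change."""
    return [kernel for kernel, args in parse_kernel_args(info).items()
            if needs_audit_fix(args) or needs_backlog_fix(args, minimum)]
```

Because the decision is derived from every kernel's current args, a second run after remediation yields an empty list and grubby is not invoked again.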

Now handle multiple kernels and are idempotent

Signed-off-by: John Foster <[email protected]>
Now handle multiple kernels and are idempotent

Removed debug messages

Signed-off-by: John Foster <[email protected]>
Member

@uk-bolly uk-bolly left a comment


Great change thank you

@uk-bolly uk-bolly merged commit 6eeae19 into ansible-lockdown:devel Mar 14, 2024
4 checks passed
ipruteanu-sie pushed a commit to siemens/RHEL9-CIS that referenced this pull request Mar 26, 2024
…sible-lockdown#188)
@uk-bolly uk-bolly mentioned this pull request Apr 30, 2024