From 0316ca4be167bd80e8c74693e8bae99125c49421 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Tue, 13 Aug 2024 11:41:06 -0600
Subject: [PATCH 1/2] Add ansible remediation

For ensure_oracle_gpgkey_installed rule

Signed-off-by: Armando Acosta
---
.../ansible/shared.yml | 43 +++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/ansible/shared.yml

diff --git a/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/ansible/shared.yml
new file mode 100644
index 00000000000..d3f1f20dcfe
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/ansible/shared.yml
@@ -0,0 +1,43 @@
+# platform = multi_platform_ol
+# reboot = false
+# strategy = restrict
+# complexity = medium
+# disruption = medium
+
+- name: "{{{ rule_title }}} - Read GPG key directory permission"
+  ansible.builtin.stat:
+    path: /etc/pki/rpm-gpg/
+  register: gpg_key_directory_permission
+  check_mode: no
+
+# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
+
+- name: "{{{ rule_title }}} - Retrieve GPG key fingerprints information"
+  # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
+  {{% if product in ['ol8', 'ol9'] -%}}
+  ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
+  {{%- else -%}}
+  ansible.builtin.command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
+  {{%- endif %}}
+  changed_when: False
+  register: gpg_fingerprints
+  check_mode: no
+
+- name: "{{{ rule_title }}} - Set fact for installed fingerprints"
+  ansible.builtin.set_fact:
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+- name: "{{{ rule_title }}} - Set fact for valid fingerprints"
+  ansible.builtin.set_fact:
+    gpg_valid_fingerprints:
+      - "{{{ release_key_fingerprint }}}"
+      - "{{{ auxiliary_key_fingerprint }}}"
+
+- name: "{{{ rule_title }}} - Import Oracle GPG key securely"
+  ansible.builtin.rpm_key:
+    state: present
+    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
+  when:
+    - gpg_key_directory_permission.stat.mode <= '0755'
+    - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
+    - gpg_installed_fingerprints | length > 0

From 76fac4ef9cb281c24951665e575a5340f367913d Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Tue, 13 Aug 2024 11:43:24 -0600
Subject: [PATCH 2/2] Add test to ensure_oracle_gpgkey_installed
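Review bot: In the "Set fact for installed fingerprints" task, `regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1')` passes `'\\1'` as the filter's third positional argument; as far as I recall that parameter is `multiline`, not a replacement template, so the two `^` anchors only work because a non-empty string happens to be truthy. findall already returns the captured group, so the intent is explicit and no longer accidental as `regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', multiline=True)`. Separately, `check_mode: no` and `changed_when: False` are YAML 1.1 truthy spellings that yamllint flags; `false` is the canonical form. The guard `gpg_key_directory_permission.stat.mode <= '0755'` is a string comparison and the task errors out rather than skipping if the directory is absent, so a one-line comment such as `# Skip the import when /etc/pki/rpm-gpg is writable by group/others or the key fingerprints do not match` would help the next reader understand why the import is conditional.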
Signed-off-by: Armando Acosta
---
.../tests/key_installed.pass.sh | 5 +++++
.../tests/missing_key.fail.sh | 12 ++++++++++++
2 files changed, 17 insertions(+)
create mode 100644 linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/key_installed.pass.sh
create mode 100644 linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/missing_key.fail.sh

diff --git a/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/key_installed.pass.sh b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/key_installed.pass.sh
new file mode 100644
index 00000000000..4c3f513d166
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/key_installed.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# platform = multi_platform_ol
+
+rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
diff --git a/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/missing_key.fail.sh b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/missing_key.fail.sh
new file mode 100644
index 00000000000..32a39a04487
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/tests/missing_key.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+# remove all available keys
+
+KEYS=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')
+
+if [ $? = 0 ]; then
+    for KEY in $KEYS; do
+        rpm -e $KEY
+    done
+fi
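Review bot: missing_key.fail.sh carries no `# platform = multi_platform_ol` header, unlike key_installed.pass.sh in the previous hunk, so the test suite would presumably schedule this scenario on every platform the rule is built for rather than only Oracle Linux; adding `# platform = multi_platform_ol` after the `#` on the second line keeps the two scenarios consistent. Also, `if [ $? = 0 ]; then` tests the exit status of the command substitution on the line before, which is correct but easy to misread across the blank line; `if KEYS=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'); then` makes that dependency explicit.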