[stabilization] Fix accounts_umask_etc_bashrc #11957

jan-cerny
Collaborator

This is a port of #11946 to the stabilization-v0.1.73 branch.

Fix accounts_umask_etc_bashrc content misalignment with RHEL 9 DISA STIG.

Fixes: #11937

Fix accounts_umask_etc_bashrc content misalignment with RHEL 9 DISA STIG.

- Only valid umask values (3-digits) will match in OVAL
- Do not concatenate original value with the new value in Ansible
  remediation
- Add a regression test for ComplianceAsCode#11937
- Fix bash quoting in test scenario

Fixes: ComplianceAsCode#11937
@jan-cerny jan-cerny added this to the 0.1.73 milestone May 7, 2024
github-actions bot commented May 7, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

github-actions bot commented May 7, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -21,7 +21,7 @@
 - name: Check if umask in /etc/bashrc is already set
   ansible.builtin.lineinfile:
     path: /etc/bashrc
-    regexp: ^[^#]*\bumask\s+
+    regexp: ^[^#]*\bumask\s+\d+$
     state: absent
   check_mode: true
   changed_when: false
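Review bot: The `$` placed directly after `\d+` in the new `regexp: ^[^#]*\bumask\s+\d+$` means a umask line with trailing whitespace or an inline comment after the value (for example `umask 022 # default`) is no longer counted as already set by this check task, although the old pattern matched it. If such lines should still be found, allow an optional tail such as `\s*(#.*)?$`; if they are excluded on purpose, a comment on the task saying so would help the next reader.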
@@ -42,8 +42,8 @@
 - name: Replace user umask in /etc/bashrc
   ansible.builtin.replace:
     path: /etc/bashrc
-    regexp: ^([^#]*\b)umask(\s*)
-    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
+    regexp: ^([^#]*\b)umask\s+\d+$
+    replace: \g<1>umask {{ var_accounts_user_umask }}
   when:
   - '"bash" in ansible_facts.packages'
   - umask_replace.found > 0
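Review bot: `\d+` in `regexp: ^([^#]*\b)umask\s+\d+$` accepts any number of digits, including 8 and 9, while the commit message says only 3-digit values match in OVAL, so the remediation and the check can disagree on which lines count as a umask setting. If the wider match is intended so that malformed values are rewritten too, state that in a task comment; otherwise narrow it to the form OVAL uses. The pattern also repeats the one in the check task above apart from the capture group, so the two have to be changed together to stay consistent.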

github-actions bot commented May 7, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11957
This image was built from commit: f743af3

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11957

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11957 make deploy-local

@Mab879 Mab879 self-assigned this May 7, 2024
Member

Mab879 commented May 7, 2024

/packit build

@Mab879 Mab879 merged commit 4bc6a37 into ComplianceAsCode:stabilization-v0.1.73 May 7, 2024
103 checks passed
@jan-cerny jan-cerny added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label May 9, 2024