fix: idempotency molecule issue fixed for logfiles #173 #175
Conversation
Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the Discord Server as well.
…ng 0600 ansible-lockdown#173 Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
…wn#173 Signed-off-by: rjacobs1990 <ricardojacobs20@gmail.com>
|
@uk-bolly could you also verify this PR? This will improve 4.2.3 making it idempotent with molecule (second run) and will not change log files which should be 0600 making this CIS baseline more secure. |
|
hi @rjacobs1990 Thank you for the PR and taking the time to raise this and feedback. By adding the conditional to the loop
Does that still work for you? Many thanks uk-bolly |
|
Hi @uk-bolly , That could be an option, but then it will skip over some files. With the MR i provided it will not skip over the items. If you prefer adding an additional when condition i am OK with it. I did this method on purpose, It will say 0600 is also a valid filemode (OK) instead of skipping! |
hi @rjacobs1990 That is an excellent way to consider it and this is exactly why we have discussions. Your way if actually preferred in my eyes and demonstrates an improvement to the we work on other controls. I am happy to approve and merge this and watch for your work in other up coming changes. :) Thank you again for your time and feedback. kindest regards uk-bolly |
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* change logic thanks to @rjacobs1990 see #175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie #134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst #125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 #146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from #115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* change logic thanks to @rjacobs1990 see ansible-lockdown#175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie ansible-lockdown#134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst ansible-lockdown#125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 ansible-lockdown#146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from ansible-lockdown#115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* change logic thanks to @rjacobs1990 see #175 * 1.2.1 force gpg import rhel * fix missing facts --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* change logic thanks to @rjacobs1990 see ansible-lockdown#175 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @ipruteani-sie ansible-lockdown#134 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Thanks to @stwongst ansible-lockdown#125 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * thanks to @sgomez86 ansible-lockdown#146 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added updates from ansible-lockdown#115 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed rp_filter in post added in error Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated yamllint precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated fqcn fo json_query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo for virt type query Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* change logic thanks to @rjacobs1990 see ansible-lockdown#175 * 1.2.1 force gpg import rhel * fix missing facts --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Pruteanu <ionut.pruteanu@siemens.com>
Overall Review of Changes:
A general description of the changes made that are being requested for merge
4.2.3 | PATCH | Ensure permissions on all logfiles are configured -- this was not idempotent for the audit log.
if the audit.conf has log_group set to root it will rotate the permissions back to 0600. (tested with AWS ec2/ Azure vms)
This caused a failure in my own molecule testing in the second run.
Issue Fixes:
Please list (using linking) any open issues this PR addresses
#173 is fixed with this MR
Enhancements:
Please list any enhancements/features that are not open issue tickets
How has this been tested?:
Please give an overview of how these changes were tested. If they were not please use N/A
Tested from a cis-wrapper role which spins up vagrant vms in aws. First run went fine, second run detected changes. This will fix the prevent changes in de second run on the /var/log/audit/audit.log.