
RHEL-08-010690 / RHEL-08-010770 | Failure in Multiple Steps #127

Closed
Rwarcards762 opened this issue Oct 7, 2022 · 2 comments
Rwarcards762 commented Oct 7, 2022

Describe the Issue / Expected vs Actual Behaviors

In prelim.yml, the RHEL-08-010690 task calls to gather local interactive home directories with this line:

shell: "getent passwd {'{{ rhel8stig_int_gid }}'..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"

However, when this is actually run, the single quotes are INTERPRETED, causing the actual run command to come out as:

getent passwd {'1000'..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'

instead of:

getent passwd {1000..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'

This causes RHEL-08-010770 to not perform work, as no local interactive home directories are found.

However, even after this is remedied, the next step in line pulls "INI files" in the found directory. For example, let's say the above getent returned /home/testuser.

The followup, "RHEL-08-010660 | RHEL-08-010770 | AUDIT | FInd ini files for interactive users", finds results and saves them in list form -- without the corresponding home folder they were pulled from. This would be fine if the full paths were being fetched -- but they aren't.

This leaves the stdout for the above command to look something like this:

.bash_logout
.bash_profile
.bashrc

This is not usable by Ansible, as it doesn't give enough information. These incomplete paths get written to rhel_08_stig_interactive_homedir_results, which then gets set as a fact to rhel_08_stig_interactive_homedir_inifiles as a list of lists:

rhel_08_stig_interactive_homedir_inifiles: [[".bash_logout", ".bash_profile", ".bashrc"]]

The final flaw is the way the with_items is called in the actual remediation for RHEL-08-010770, as it is passed in a way that preserves the sub-lists instead of flattening them into items... it ends up trying to pass THE ENTIRE list of incomplete filepaths to be remedied at once (the entire list per home directory discovered).

Control(s) Affected

RHEL-08-010690, RHEL-08-010770

Possible Solution

First -- in the PRELIM | RHEL-08010690 | Gather local interactive user directories in prelim.yml, the shell command must be revised to use formatting that does not leave remnant single quotes, such as utilizing the Raw template marker in Jinja2 to wrap the curly braces in the getent command itself:

shell: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %} | # rest of string is correct after this

From there, I would then alter the Find ini files for interactive users step of the prelim.yml to include whole paths, instead of just the filename, by replacing the logic to just filter out for files that start with a .:

find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*'

This output gets written to a variable (as a list) which then gets added into another variable (making it a list of lists). This is then called by the RHEL-08-010770 patch in fix-cat2.yml. However, the rhel_08_stig_interactive_homedir_inifiles is being incorrectly passed. It is passed to the with_items as a single entry in a list, causing a THREE LEVEL deep list. This means when with_items flattens, it only flattens one level, causing the lists of files to be passed in all at once. This is an easy fix, by simply moving the variable to the same line as with_items (removing the extra listing level):

file:
    path: "{{ item }}"
    mode: "{{ rhel8stig_local_int_perm }}"
with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}"
# Note how this is now on the same line, meaning its entries will get flattened and processed correctly

I have tested this fix and can confirm it to be functional, however this was only in a minimal scenario.
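As an added illustration (not code from this issue or from the role itself), the Python model below mimics Ansible's one-level flattening in with_items to show why wrapping the variable in an extra YAML list hands whole sub-lists to the file module, and why full paths from find are needed; the user names and find output are constructed sample data.

```python
# Added example (not from the ansible-lockdown role): models why the RHEL-08-010770
# remediation loop receives whole lists instead of individual file paths.
import posixpath

# Constructed sample of what `find "$HOME" -maxdepth 1 -type f | grep '/\.[^/]*'`
# would return for two hypothetical interactive users.
FIND_OUTPUT = {
    "/home/testuser": "/home/testuser/.bash_logout\n"
                      "/home/testuser/.bash_profile\n"
                      "/home/testuser/.bashrc\n",
    "/home/alice": "/home/alice/.bashrc\n",
}


def ini_files_per_home(find_output):
    """Mimic the prelim task: one stdout_lines list per home dir -> list of lists."""
    return [out.splitlines() for out in find_output.values()]


def with_items(value):
    """Ansible's with_items flattens exactly one level of nesting."""
    flat = []
    for element in value:
        if isinstance(element, list):
            flat.extend(element)
        else:
            flat.append(element)
    return flat


def loop_items_buggy(inifiles):
    # with_items:
    #   - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
    # The YAML list wraps the variable, so the loop value is three levels deep
    # and each loop item is still a list, not a path.
    return with_items([inifiles])


def loop_items_fixed(inifiles):
    # with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}"
    # Two levels deep, so one flatten yields individual file paths.
    return with_items(inifiles)


def is_absolute_file_path(item):
    """The file module needs a string path; bare names like '.bashrc' are not enough."""
    return isinstance(item, str) and posixpath.isabs(item)
```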

@Rwarcards762 Rwarcards762 added the bug Something isn't working label Oct 7, 2022
@uk-bolly uk-bolly self-assigned this Oct 26, 2022
uk-bolly added a commit that referenced this issue Oct 26, 2022
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly mentioned this issue Oct 26, 2022
@uk-bolly (Member)

hi @Rwarcards762

Thanks again for all your work on this.

uk-bolly

@georgenalen (Contributor)

This issue is fixed in release 2.6.0, thank you for opening the issue!

-George
