Fix AIDE Database option deprecation#14557
Fix AIDE Database option deprecation#14557Azim-Azizov wants to merge 2 commits intoComplianceAsCode:masterfrom
Conversation
|
Hi @Azim-Azizov. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_logrotate_activated' differs.
--- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
+++ xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
@@ -1,8 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q logrotate; }; then
-LOGROTATE_CONF_FILE='/etc/logrotate.conf'
-
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
if ! rpm -q --quiet "crontabs" ; then
yum install -y "crontabs"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_keepalive=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
sshd_idle_timeout_value=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
var_sshd_disable_compression=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_login_grace_time=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
sshd_max_auth_tries_value=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
var_sshd_max_sessions=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_maxstartups=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -2,6 +2,7 @@
if rpm --quiet -q kernel-core && { ( rpm --quiet -q openssh-server && { real="$(epoch=$(rpm -q --queryformat '%{EPOCH}' openssh-server); version=$(rpm -q --queryformat '%{VERSION}' openssh-server); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version")"; expected="0:7.5"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } ); }; then
var_sshd_priv_separation=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -2,6 +2,8 @@
if rpm --quiet -q kernel-core; then
sshd_strong_kex=''
+
+
if [ -e "/etc/ssh/sshd_config" ] ; then
|
|
@Azim-Azizov please see debian 12 test failure ... you might need to support both database and database_in as I've mentioned in #11929 (comment) |
… remediations (updated tests)
Azim-Azizov
requested review from
Mab879,
jan-cerny,
matusmarhefka and
vojtapolasek
as code owners
I think I have completely fixed the issue (if no new bugs get introduced). Let's see the test results :) |
dodys
left a comment
dodys
left a comment
There was a problem hiding this comment.
relates to the CI shellcheck failure
|
|
||
| AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') | ||
| if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then | ||
| AIDE_DB__KEY="database_in" |
There was a problem hiding this comment.
should it be AIDE_DB_IN_KEY?
|
|
||
| AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') | ||
| if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then | ||
| AIDE_DB__KEY="database_in" |
There was a problem hiding this comment.
should it be AIDE_DB_IN_KEY?
| {{% endif %}} | ||
| AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') | ||
| if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then | ||
| AIDE_DB__KEY="database_in" |
There was a problem hiding this comment.
should it be AIDE_DB_IN_KEY?
|
|
||
| AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') | ||
| if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then | ||
| AIDE_DB__KEY="database_in" |
There was a problem hiding this comment.
should it be AIDE_DB_IN_KEY?
There was a problem hiding this comment.
Yes, it should be. AI autocompletion messed up. Will do a fix commit.
dodys
left a comment
dodys
left a comment
There was a problem hiding this comment.
did you forget to send the commit?
vojtapolasek
left a comment
vojtapolasek
left a comment
There was a problem hiding this comment.
Hello @Azim-Azizov and thank you.
See my specific comment.
I have two generic points I would like to see fixed in your PR.
Firstly, I see that you define the variable "aide_db_in_key" and few others in ansible/shared.yml. But you then use these facts in ansible/debian.yml and ansible/ubuntu.yml. Please note that in this project, the debian.yml or ubuntu.yml completely replace contents of shared.yml in the final output. This is explained here: https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#rule-directories
My second suggestion goes to usage of the bc tool... I am not sure if this tool is available in all Debian / Ubuntu environments. But I am sure that dpkg has some specific utility for version comparison. Would you consider using this utility instead?
| else | ||
| AIDE_DB_IN_KEY="database" | ||
| fi | ||
| sed -i "s#^$AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:$DB_PATH/$DB_NAME#" $DB_CONF |
There was a problem hiding this comment.
| sed -i "s#^$AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:$DB_PATH/$DB_NAME#" $DB_CONF | |
| sed -i "s#^${AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:$DB_PATH/$DB_NAME#" $DB_CONF |
3 participants
Description:
Rationale:
Review Hints: