
Fix ansible remediation for audispd plugin UBTU-20-010216 #12293

Merged

Conversation

@ghost ghost commented Aug 12, 2024

Description:

  • This commit will fix the Ansible remediation for the audispd plugin, which also ensures that the plugin is enabled within au-remote.conf.

Original PR: #11093

Rationale:

  • Apply Ubuntu-specific remediation for Ansible
  • Align existing Ansible remediation tasks to the proper format
  • Part of the Ubuntu 2004 STIG v1r12 profile upgrade

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes with Ansible:

ansible-playbook build/ansible/ubuntu2004-playbook-stig.yml --tags "DISA-STIG-UBTU-20-010216"

Check out the manual STIG OVAL definitions, and use software like DISA STIG Viewer to view the definitions.

git checkout yunimoo:update-manual-stig-ubtu-20-v1r12

For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/


openshift-ci bot commented Aug 12, 2024

Hi @yunimoo. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Aug 12, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
@@ -15,8 +15,9 @@
   tags:
     - always
 
-- name: Make sure that a remote server is configured for Audispd
-  lineinfile:
+- name: Configure audispd Plugin To Send Logs To Remote Server - Make sure that a
+    remote server is configured for Audispd
+  ansible.builtin.lineinfile:
     path: /etc/audit/audisp-remote.conf
     line: remote_server = {{ var_audispd_remote_server }}
     regexp: ^\s*remote_server\s*=.*$
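Review bot: the `regexp: ^\s*remote_server\s*=.*$` on the rewritten `ansible.builtin.lineinfile` task only matches a lowercase key, so an existing `Remote_Server = ...` line would be left in place and a second `remote_server = {{ var_audispd_remote_server }}` line appended. Since the thread establishes that these audisp options are case-insensitive, consider `regexp: (?i)^\s*remote_server\s*=.*$` (lineinfile regexps are Python `re`, which accepts the inline flag) so the task rewrites the line whatever its case. The move to the fully qualified `ansible.builtin.lineinfile` name and the rule title prefix in the task name look good.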

@jan-cerny jan-cerny self-assigned this Aug 12, 2024
@jan-cerny jan-cerny added this to the 0.1.75 milestone Aug 12, 2024

github-actions bot commented Aug 12, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12293
This image was built from commit: 293f09c

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12293

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12293 make deploy-local

- name: "{{{ rule_title }}} - Set active to true for offloading to remote server"
  ansible.builtin.lineinfile:
    path: "{{{ audisp_config_plugin_path }}}"
    regexp: ^(.*)(active\s*=)(?!.*yes)
Collaborator


The test scenarios for this rule, e.g. ubuntu_correct.pass.sh, use a capital A in Active; however, this remediation and the rule description use a small a in `active`. The OVAL seems to correctly use a case-insensitive regex modifier. Could you investigate this discrepancy about the A case?

Author


Good catch! Thanks for the feedback, I will take a look at this

Author

@ghost ghost Aug 12, 2024


Not sure how you would like to proceed since the STIG and man page seem to use active over Active. Though, I don't think this would matter as it is case insensitive. The bash remediation is also active instead of capital A.

Not sure if this is helpful, but I found these related docs:

Collaborator


Thanks for confirming that these options are case insensitive. Based on that, I think that:

  • in the rule description we can use whatever we want, i.e. it can stay lowercase
  • in the OVAL we should use a case-insensitive check, which we already have
  • the Ansible and Bash remediations should be able to set the correct option value regardless of the case used in the file (it can change it to lowercase during the remediation if that's convenient for us)
  • the test scenarios should be testing multiple different letter cases.

Contributor


The bash remediation makes use of the set_config_file macro, which has an insensitive parameter. Perhaps Ansible needs the same parameter, as ansible_set_config_file doesn't have one.
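As an added example (not the project's set_config_file macro and not code from this PR), the shell below shows what a case-insensitive remediation of the `active` option looks like, together with the check a test scenario would run afterwards, exercised over constructed au-remote.conf variants in the several letter cases jan-cerny asks the scenarios to cover. The file layout, the `remote_server` value and the function names are all constructed for the example; `sed -i` assumes GNU sed.

```shell
#!/bin/sh
# Added example, not the project's set_config_file macro: a case-insensitive
# remediation for the "active" option in an au-remote.conf style file, plus the
# check a test scenario would run afterwards. Paths and values are constructed.
set -e

# set_active_yes FILE: rewrite any uncommented "active = ..." line, whatever
# its letter case (active, Active, ACTIVE, ...), to "active = yes"; append the
# line when no such line exists (a commented "# active = no" does not count).
set_active_yes() {
    file="$1"
    if grep -qi '^[[:space:]]*active[[:space:]]*=' "$file"; then
        # POSIX sed has no case-insensitive flag, so spell the key out per letter.
        sed -i 's/^[[:space:]]*[Aa][Cc][Tt][Ii][Vv][Ee][[:space:]]*=.*$/active = yes/' "$file"
    else
        printf 'active = yes\n' >> "$file"
    fi
}

# check_active_yes FILE: succeed only if exactly one uncommented active line
# exists and its value is yes, matched case-insensitively like the OVAL check.
check_active_yes() {
    total=$(grep -ci '^[[:space:]]*active[[:space:]]*=' "$1" || true)
    yes=$(grep -ci '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" || true)
    if [ "$total" -eq 1 ] && [ "$yes" -eq 1 ]; then return 0; fi
    return 1
}

# run_demo: remediate constructed configs in several letter cases (the
# variants the review asks test scenarios to cover) and verify each one.
run_demo() {
    tmp=$(mktemp -d)
    i=0
    for variant in 'active = no' 'Active = no' 'ACTIVE=no' '# active = no' 'active = yes'; do
        i=$((i + 1))
        f="$tmp/au-remote-$i.conf"
        # constructed sample config: comment, the active variant, a remote server
        printf '# constructed sample\n%s\nremote_server = logs.example.test\n' "$variant" > "$f"
        set_active_yes "$f"
        check_active_yes "$f" || { rm -rf "$tmp"; return 1; }
    done
    rm -rf "$tmp"
}
```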

Author


This is a good idea, I'll work on adding the insensitive capabilities for ansible_set_config_file. Should this change be here or should I open up a new PR?

Collaborator


@dodys excellent idea!

@yunimoo If the change of the macro would be large it would be better to have it as a separate PR.

@dodys dodys added Ubuntu Ubuntu product related. Ansible Ansible remediation update. STIG STIG Benchmark related. ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Aug 12, 2024
@dodys dodys requested a review from a team August 12, 2024 08:18
@ghost ghost force-pushed the add-remediation-ubtu-20-010216 branch from 83fe180 to cee3639 Compare August 12, 2024 18:09
This commit will add in ansible remediation for audispd plugin which also ensures that the plugin is enabled within au-remote.conf.
@ghost ghost force-pushed the add-remediation-ubtu-20-010216 branch from cee3639 to 293f09c Compare August 19, 2024 12:39

codeclimate bot commented Aug 19, 2024

Code Climate has analyzed commit 293f09c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@jan-cerny
Collaborator

/packit build

Contributor

@dodys dodys left a comment


lgtm, thanks!

@jan-cerny if you agree we can merge this; the other PR was opened in #12314 (currently WIP)

@jan-cerny jan-cerny merged commit cde6314 into ComplianceAsCode:master Aug 21, 2024
96 of 98 checks passed