Fix KICS findings (#356)

Fix KICS findings Our security scanner KICS found some issues with the current version of the code. Some are real issues and others need exceptions to be declared. --------- Signed-off-by: Thomas Widhalm <thomas.widhalm@netways.de>
NETWAYS · Dec 3, 2024 · 87a7dc6 · 87a7dc6
1 parent 6967c27
commit 87a7dc6
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml
@@ -18,7 +18,7 @@
     elasticstack_full_stack: true
     elasticstack_no_log: false
     logstash_pipeline_unsafe_shutdown: true
-    logstash_redis_password: "ThisIsMyRedisTest"
+    logstash_redis_password: "{{ lookup('ansible.builtin.password', '/tmp/redispassword', chars=['ascii_letters'], length=15) }}"
     redis_requirepass: "{{ logstash_redis_password }}"
     beats_filebeat_syslog_udp: true
     beats_filebeat_syslog_tcp: true

diff --git a/molecule/elasticstack_default/prepare.yml b/molecule/elasticstack_default/prepare.yml
@@ -35,9 +35,13 @@
           - unzip
           - systemd
 
+# KICS complains about packages being updated.
+# In this case, a mere test scenario it is OK, though.
+
     - name: Update all installed packages RHEL
       ansible.builtin.yum:
         name: '*'
+# kics-scan ignore-line
         state: latest
         update_cache: yes
         update_only: yes
@@ -46,6 +50,7 @@
     - name: Update all installed packages Debian
       ansible.builtin.apt:
         name: '*'
+# kics-scan ignore-line
         state: latest
         update_cache: yes
       when: ansible_os_family == "Debian"
diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml
@@ -39,9 +39,12 @@
   when:
     - ansible_os_family == "Debian"
 
+# KICS complains about "latest" package but this is a dedicated update task
+
 - name: Install Auditbeat latest version - rpm - full stack
   ansible.builtin.package:
     name: auditbeat
+# kics-scan ignore-line
     state: latest
     enablerepo:
       - "elastic-{{ elasticstack_release }}.x"

diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
@@ -268,11 +268,16 @@
     enabled: yes
   register: elasticsearch_freshstart
 
+# The comment in the following task will disable KICS security checks for this
+# very line. In this state of the system we can only communicate without https
+# so the finding is a false positive
+
 - name: Handle cluster setup without security
   when: not elasticsearch_security | bool
   block:
     - name: Check for cluster status without security
       ansible.builtin.uri:
+# kics-scan ignore-line
         url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty"
       register: elasticsearch_cluster_status
       ignore_errors: "{{ ansible_check_mode }}"