From 87a7dc6ab0149038eb1af145f149e58ad005e145 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 3 Dec 2024 11:50:47 +0100 Subject: [PATCH] Fix KICS findings (#356) Fix KICS findings Our security scanner KICS found some issues with the current version of the code. Some are real issues and others need exceptions to be declared. --------- Signed-off-by: Thomas Widhalm --- molecule/elasticstack_default/converge.yml | 2 +- molecule/elasticstack_default/prepare.yml | 5 +++++ roles/beats/tasks/auditbeat.yml | 3 +++ roles/elasticsearch/tasks/main.yml | 5 +++++ 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml
index 0aab909e..f2b9fe28 100644
--- a/molecule/elasticstack_default/converge.yml
+++ b/molecule/elasticstack_default/converge.yml
@@ -18,7 +18,7 @@
 elasticstack_full_stack: true
 elasticstack_no_log: false
 logstash_pipeline_unsafe_shutdown: true
- logstash_redis_password: "ThisIsMyRedisTest"
+ logstash_redis_password: "{{ lookup('ansible.builtin.password', '/tmp/redispassword', chars=['ascii_letters'], length=15) }}"
 redis_requirepass: "{{ logstash_redis_password }}"
 beats_filebeat_syslog_udp: true
 beats_filebeat_syslog_tcp: true
diff --git a/molecule/elasticstack_default/prepare.yml b/molecule/elasticstack_default/prepare.yml
index f8f55994..34576572 100644
--- a/molecule/elasticstack_default/prepare.yml
+++ b/molecule/elasticstack_default/prepare.yml
@@ -35,9 +35,13 @@
 - unzip
 - systemd
+# KICS complains about packages being updated.
+# In this case, a mere test scenario it is OK, though.
+
 - name: Update all installed packages RHEL
 ansible.builtin.yum:
 name: '*'
+# kics-scan ignore-line
 state: latest
 update_cache: yes
 update_only: yes
@@ -46,6 +50,7 @@
 - name: Update all installed packages Debian
 ansible.builtin.apt:
 name: '*'
+# kics-scan ignore-line
 state: latest
 update_cache: yes
 when: ansible_os_family == "Debian"
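Review bot: The `+` line persists the generated Redis password at the fixed controller path `/tmp/redispassword`, so it outlives the scenario, is silently reused by every later run on the same machine, and sits at a name any other local user can predict in a shared tmp directory. Molecule exposes a per-run scratch directory, so take the path from it instead: `logstash_redis_password: "{{ lookup('ansible.builtin.password', lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') + '/redispassword', chars=['ascii_letters'], length=15) }}"`. Keep a file-backed path rather than `/dev/null`: `redis_requirepass` references this variable through its own template and presumably re-renders it, so a password that is not stored could differ between the two consumers. The vars block this line sits in starts before the hunk.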
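Review bot: The `# kics-scan ignore-line` added above `state: latest` (here, in the Debian hunk of this file and in roles/beats/tasks/auditbeat.yml) does not say which KICS query it silences, so a later reader cannot tell whether the exception still corresponds to the scanner's finding, or notice when a scanner upgrade changes the rule behind it. Put the query into the explanatory comment that precedes each task, e.g. `# KICS <query id or name as reported by the scanner>: the unpinned version is intended, this task exists to update everything in a throw-away test scenario.` The justification already given for prepare.yml (a test-only scenario) and for auditbeat.yml (a dedicated update task) is sound; it only needs to be tied to the finding it answers.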
diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml
index 79096455..5a42f385 100644
--- a/roles/beats/tasks/auditbeat.yml
+++ b/roles/beats/tasks/auditbeat.yml
@@ -39,9 +39,12 @@
 when:
 - ansible_os_family == "Debian"
+# KICS complains about "latest" package but this is a dedicated update task
+
 - name: Install Auditbeat latest version - rpm - full stack
 ansible.builtin.package:
 name: auditbeat
+# kics-scan ignore-line
 state: latest
 enablerepo:
 - "elastic-{{ elasticstack_release }}.x"
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
index a1e0c2a2..65db904e 100644
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@@ -268,11 +268,16 @@
 enabled: yes
 register: elasticsearch_freshstart
+# The comment in the following task will disable KICS security checks for this
+# very line. In this state of the system we can only communicate without https
+# so the finding is a false positive
+
 - name: Handle cluster setup without security
 when: not elasticsearch_security | bool
 block:
 - name: Check for cluster status without security
 ansible.builtin.uri:
+# kics-scan ignore-line
 url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty"
 register: elasticsearch_cluster_status
 ignore_errors: "{{ ansible_check_mode }}"
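Review bot: The explanatory comment added above `Handle cluster setup without security` points at the wrong place: the directive is not "in the following task" but on the `url:` line of the nested `uri` task, and the reason plain http is correct there is the `when: not elasticsearch_security | bool` guard on the enclosing block, which the comment never mentions. Keep the reason next to the directive so the two move together, e.g. a single line directly above `# kics-scan ignore-line`: `# Plain http is intentional: this block only runs while elasticsearch_security is false, so there is no TLS endpoint yet.` The `block:` continues past the hunk, so any further http request inside it would need its own ignore line, and the comment should not claim to cover the whole task.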