
Conversation

@ggbecker
Member

Description:

  • Modify the ansible remediation to execute /usr/bin/update-crypto-policies --set only when the current crypto-policy is different from the expected one.

@ggbecker ggbecker added this to the 0.1.79 milestone Sep 25, 2025
@ggbecker ggbecker added the Ansible Ansible remediation update. label Sep 25, 2025
@ggbecker
Member Author

/packit retest-failed

@ggbecker ggbecker force-pushed the ansible-idempotency-configure_crypto_policy branch 2 times, most recently from dd7749f to 458e7e1 Compare September 29, 2025 13:40
@jan-cerny jan-cerny self-assigned this Sep 30, 2025
{{% endif %}}

- name: "{{{ rule_title }}}"
- name: "{{{ rule_title }}} - Set Crypto Policy"
@jan-cerny
Collaborator

With your change, many Automatus test scenarios start to fail. Please take a look into this.

Here is my output on RHEL9:

jcerny@fedora:~/work/git/scap-security-guide (pr/13932)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible   configure_crypto_policy
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-09-30-0929/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_crypto_policy
INFO - Script policy_default_cis_l1.pass.sh using profile xccdf_org.ssgproject.content_profile_cis_server_l1 OK
INFO - Script policy_default_cis_l1.pass.sh using profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 OK
INFO - Script policy_default_nosha1_set.pass.sh using profile xccdf_org.ssgproject.content_profile_e8 OK
INFO - Script cis_l2.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script cis_l2.pass.sh using profile xccdf_org.ssgproject.content_profile_cis_workstation_l2 OK
INFO - Script config_and_current_same_time.pass.sh using profile (all) OK
INFO - Script config_newer_than_current.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
INFO - Script missing_nss_config.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
INFO - Script missing_policy.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
INFO - Script missing_policy_file.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
INFO - Script nss_config_as_file.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script nss_config_as_symlink.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
WARNING - Script policy_default_set.pass.sh - profile xccdf_org.ssgproject.content_profile_standard not found in data stream
INFO - Script policy_fips_ospp_set.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script wrong_policy.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.

@ggbecker
Member Author

@jan-cerny I have extended the ansible playbook to cover all automatus test scenarios. It means there are more conditions for when the update-crypto-policies might get executed in the ansible playbook.


- name: Verify that Crypto Policy is Set (runtime)
- name: "{{{ rule_title }}} - Check current crypto policy (runtime)"
ansible.builtin.command: /usr/bin/update-crypto-policies --show
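Review bot: the renamed check task runs `/usr/bin/update-crypto-policies --show` through `ansible.builtin.command`, which reports `changed` on every run unless the task sets `changed_when: false`; add it, since this is a read-only query. It also has to run before any task that writes /etc/crypto-policies/config: `--show` reflects the configured policy, so a write earlier in the play makes the comparison that gates the following `--set` task always look satisfied and the policy is never actually applied.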
@jan-cerny
Collaborator

This will show the state after modifying /etc/crypto-policies/config by the previous task. This causes the next task, which runs --set, to never be executed.

I suggest removing the task that modifies /etc/crypto-policies/config above.
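The idempotent pattern described in the PR description and in the comment above (query the runtime policy first, call `--set` only on a mismatch, and do not edit /etc/crypto-policies/config directly), written out as a stand-alone playbook. This is an added example, not the ComplianceAsCode rule template or the code from this PR. The policy value in `expected_crypto_policy` is an assumed placeholder (the real rule takes it from an XCCDF variable), and the extra "config newer than state" condition is my reading of the `config_newer_than_current.fail.sh` scenario name in the Automatus output, not a description of what the merged rule checks.

```yaml
# Added example, not the project's own remediation template.
# Assumptions: localhost target with privilege escalation, and an example
# policy value; the mtime condition mirrors the scenario name only.
- name: Configure the system-wide crypto policy idempotently
  hosts: localhost
  become: true
  vars:
    expected_crypto_policy: "DEFAULT:NO-SHA1"   # assumed example value
  tasks:
    # 1. Read the runtime policy FIRST. No task above this point may write
    #    /etc/crypto-policies/config, otherwise --show already reflects the
    #    desired state and the --set task below is never triggered.
    - name: Check current crypto policy (runtime)
      ansible.builtin.command: /usr/bin/update-crypto-policies --show
      register: current_crypto_policy
      changed_when: false      # read-only query, never a reported change
      failed_when: false       # a broken/missing config must lead to --set, not abort
      check_mode: false        # still run in --check so the comparison is real

    # 2. Collect timestamps of the config file and of the applied-state file
    #    (assumed locations: the config written by --set and the state it
    #    records), to catch a config edited after the policy was last applied.
    - name: Stat /etc/crypto-policies/config
      ansible.builtin.stat:
        path: /etc/crypto-policies/config
      register: cp_config
      check_mode: false

    - name: Stat /etc/crypto-policies/state/current
      ansible.builtin.stat:
        path: /etc/crypto-policies/state/current
      register: cp_state
      check_mode: false

    # 3. Call --set only when something actually differs. update-crypto-policies
    #    writes /etc/crypto-policies/config and regenerates the back-end
    #    configuration itself, so no task edits the config file by hand.
    - name: Set crypto policy
      ansible.builtin.command: "/usr/bin/update-crypto-policies --set {{ expected_crypto_policy }}"
      when: >-
        (current_crypto_policy.stdout | default('') | trim) != expected_crypto_policy
        or not cp_state.stat.exists
        or (cp_config.stat.exists and cp_state.stat.exists
            and cp_config.stat.mtime > cp_state.stat.mtime)
```

On a host already at the expected policy, a second run leaves every task as `ok` or `skipped`, which is the behaviour the reviewer verified with the generated per-rule playbook; `failed_when: false` on the `--show` task is what lets the "missing policy" style scenarios fall through to `--set` instead of failing the play.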

This current crypto policy file is set by the update-crypto-policies
command; if there is a mismatch, the OVAL will detect it and result in
a fail.
@ggbecker ggbecker force-pushed the ansible-idempotency-configure_crypto_policy branch from 458e7e1 to 07be9d4 Compare October 9, 2025 12:24
This is to mimic the OVAL that does the same check.
@ggbecker ggbecker force-pushed the ansible-idempotency-configure_crypto_policy branch from 07be9d4 to 04f7eb2 Compare October 9, 2025 12:24
@ggbecker ggbecker requested a review from jan-cerny October 9, 2025 12:26
@jan-cerny
Collaborator

@jan-cerny jan-cerny left a comment

I have run automatus TSs locally on a RHEL 9 VM back end and they pass for me. Then I used the generated per-rule Ansible Playbook build/rhel9/playbooks/cis/configure_crypto_policy.yml to configure a VM, and with the second run all tasks are ok or skipped.

@openshift-ci

openshift-ci bot commented Oct 9, 2025

@ggbecker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 04f7eb2 link true /test e2e-aws-openshift-node-compliance


@jan-cerny
Collaborator

/packit build

@Mab879
Member

Mab879 commented Oct 9, 2025

/packit build

@jan-cerny
Collaborator

/packit build

@jan-cerny
Collaborator

/packit build

@jan-cerny
Collaborator

/packit build

@jan-cerny jan-cerny merged commit 27c362f into ComplianceAsCode:master Oct 13, 2025
134 of 136 checks passed