Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RHEL-09-433015 should be configured as high disruption #60

Open
PrymalInstynct opened this issue Nov 4, 2024 · 5 comments
Open

RHEL-09-433015 should be configured as high disruption #60

PrymalInstynct opened this issue Nov 4, 2024 · 5 comments
Assignees
Labels
bug Something isn't working

Comments

@PrymalInstynct
Copy link
Contributor

PrymalInstynct commented Nov 4, 2024

Describe the Issue
In testing this role I have been running it with the rhel9stig_disruption_high variable set to true against a brand new Rocky 9.4 VM. This is in an effort to identify what may break by locking down the host as tightly as possible.

I found that after enabling the fapolicyd daemon and rebooting the VM any subsequent ansible tasks that utilize the ansible.builtin.template module will fail.

Expected Behavior
template tasks do not fail

Actual Behavior
tasks fail because fapolicyd rules

Control(s) Affected
RHEL-09-433015

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.17.5
  • Host Python Version: 3.9.18
  • Ansible Server Python Version: 3.12.7
  • Additional Details:

Additional Notes

  • Ansible Log
TASK [ansible-laurel-logging : Enable laurel via Audispd] ***********************************************************************************************************
Monday 04 November 2024  09:02:14 -0700 (0:00:04.623)       0:02:02.709 ******* 
[WARNING]: sftp transfer mechanism failed on [10.10.1.203]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: scp transfer mechanism failed on [10.10.1.203]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: piped transfer mechanism failed on [10.10.1.203]. Use ANSIBLE_DEBUG=1 to see detailed information
fatal: [10.10.1.203]: FAILED! => {"msg": "failed to transfer file to /home/user/.ansible/tmp/ansible-local-10915435lwcvi3y/tmp92srharo /home/user/.ansible/tmp/ansible-tmp-1730736134.6760302-1093048-219062877573207/AnsiballZ_stat.py:\n\ndd: failed to open '/home/user/.ansible/tmp/ansible-tmp-1730736134.6760302-1093048-219062877573207/AnsiballZ_stat.py': Operation not permitted\n"}
  • Fapolicyd Debug Log
rule=11 dec=deny_audit perm=open auid=1000 pid=14020 exe=/usr/libexec/openssh/sftp-server : path=/home/user/.ansible/tmp/ansible-tmp-1730736134.6760302-1093048-219062877573207/AnsiballZ_stat.py ftype=text/x-python trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=14035 exe=/usr/libexec/openssh/sftp-server : path=/home/user/.ansible/tmp/ansible-tmp-1730736134.6760302-1093048-219062877573207/AnsiballZ_stat.py ftype=text/x-python trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=14050 exe=/usr/bin/dd : path=/home/user/.ansible/tmp/ansible-tmp-1730736134.6760302-1093048-219062877573207/AnsiballZ_stat.py ftype=text/x-python trust=0
  • Fapolicyd rule 11
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
11. deny_audit perm=any all : ftype=%languages

Possible Solution

  1. Only run tasks associated with RHEL-09-433015 if rhel9stig_disruption_high so it only impacts users who enable this ssetting
  2. Figure out how to tune the fapolicyd rules to not deny tasks coming from ansible and add a task to address this in the role
@PrymalInstynct PrymalInstynct added the bug Something isn't working label Nov 4, 2024
@uk-bolly uk-bolly self-assigned this Nov 12, 2024
@uk-bolly
Copy link
Member

hi @PrymalInstynct

Thank you as always for the feedback, it really does help us to be able to extend and improve the product. I have changed it slightly with the new araible that needs to be set in order to add the policy.
I have added a fix for this into a new branch Nov24_issues. If you find that helps?

many thanks

uk-bolly

@PrymalInstynct
Copy link
Contributor Author

PrymalInstynct commented Nov 12, 2024

Your fix appears to have addressed the issue.

Two recommendations though, set the group to fapolicyd to match the rest of the files in that directory

    - name: MEDIUM | RHEL-09-433015 | PATCH | RHEL 9 fapolicy module must be enabled. | Policy
      when: rhel9stig_add_fapolicy_policy
      ansible.builtin.template:
        src: 'etc/fapolicyd/rules.d/99-stig-whitelist.rules.j2'
        dest: '/etc/fapolicyd/rules.d/99-stig-whitelist.rules'
        mode: '0644'
        owner: root
        group: fapolicyd
      notify:
        - Generate fapolicyd rules
        - Restart fapolicyd

Also, delete the rhel9stig_fapolicy_white_list variable you created in defaults/main.yml since the task is actually using a template instead.

@uk-bolly
Copy link
Member

hi @PrymalInstynct

Thank you again for the feedback, i have updated the group and moved the template to use the variable as it should have been, so the variable still exists and controllable by the user. Shouldn't really be changing the cotent itself ideally.
Update to branch has ben pushed.

Many thanks again

uk-bolly

@PrymalInstynct
Copy link
Contributor Author

I did test this more in another environment and ran into the same issue I had originally reported even with the custom fapolicy rules applied. I can't pull data from that environment so I will have to recreate it elsewhere and provide another update.

@PrymalInstynct
Copy link
Contributor Author

I have yet to be able to recreate the issue I experienced in my Dev environment last week in my Test environment today. Despite using the exact same variable configuration.

If you want to close the issue go for it, and I can open up another issue if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants