[template]: fixes in file_owner template #13070
base: master
Change parameter fileuid of file_owner template to uid_or_name; explain its behavior.
Change the parameter name from fileuid to uid_or_name. Additionally, use the -user parameter instead of the -uid parameter in the find command invocation; the -user parameter accepts both UIDs and user names, whereas the -uid parameter accepts only UIDs.
Establish a new variable which carries information on whether the parameter is a UID or a user name.
Decide whether to use the user ID or the user name based on the variable declared in the preprocessing function. Change parameter name from file_uid to uid_or_name.
296d790 to 3507fcf
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,2 +1,2 @@
-find -L /boot/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L 0 {} \;
+find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L 0 {} \;
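Review bot: the switch to `! -user 0` on the second line relies on GNU find accepting a numeric ID for -user when no account of that name exists, which is fine for 0, but if uid_or_name is ever set to a user name that is not present on the target host, find aborts with an "is not the name of a known user" error where the old `-uid` form would simply have matched nothing; the template should either validate that the name resolves before invoking find or document that the rule now depends on the account existing.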
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,6 +1,6 @@
- name: Find /boot/ file(s) matching ^.*System\.map.*$
- command: find -H /boot/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex
- "^.*System\.map.*$"
+ command: find -H /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
+ -regex "^.*System\.map.*$"
register: files_found
changed_when: false
failed_when: false
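Review bot: with `failed_when: false` kept on the find task, a `-user <name>` lookup that fails because the account does not exist is silently treated as "no files found", so the remediation reports nothing to change instead of an error; consider dropping `failed_when: false` for this task or adding a preceding check that the user exists, so a missing account is surfaced rather than masked.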
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
@@ -1 +1,8 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q rsyslog; then
+
chgrp 4 /var/log/syslog
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
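Review bot: this hunk wraps the existing `chgrp 4 /var/log/syslog` in an rsyslog platform check, which is a behavioural change not covered by the fileuid -> uid_or_name rename described in the commit messages; the commit message should say why this rule gained the rsyslog platform. Note also that the group stays numeric (`chgrp 4`) while the owner rule for the same file switches to the `syslog` name, so the two rules should settle on one convention.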
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
@@ -1,7 +1,19 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /var/log/syslog
stat:
path: /var/log/syslog
register: file_exists
+ when: '"rsyslog" in ansible_facts.packages'
tags:
- configure_strategy
- file_groupowner_var_log_syslog
@@ -14,7 +26,9 @@
file:
path: /var/log/syslog
group: '4'
- when: file_exists.stat is defined and file_exists.stat.exists
+ when:
+ - '"rsyslog" in ansible_facts.packages'
+ - file_exists.stat is defined and file_exists.stat.exists
tags:
- configure_strategy
- file_groupowner_var_log_syslog
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog'
--- xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
@@ -1 +1 @@
-
+oval:ssg-package_rsyslog:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -1 +1,8 @@
-chown 104 /var/log/syslog
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q rsyslog; then
+
+chown syslog /var/log/syslog
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
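Review bot: `chown syslog /var/log/syslog` fails with "invalid user" on a host without the syslog account, whereas the removed `chown 104` always applied the number; the new `rpm --quiet -q rsyslog` gate is what guarantees the account exists, so that dependency should be stated in the rule, and if this rule is meant for dpkg-based products (where /var/log/syslog is the usual path) an rpm query will never succeed and the remediation will always take the "not applicable" branch.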
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -1,7 +1,6 @@
-- name: Test for existence /var/log/syslog
- stat:
- path: /var/log/syslog
- register: file_exists
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- configure_strategy
- file_owner_var_log_syslog
@@ -10,11 +9,11 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 104 on /var/log/syslog
- file:
+- name: Test for existence /var/log/syslog
+ stat:
path: /var/log/syslog
- owner: '104'
- when: file_exists.stat is defined and file_exists.stat.exists
+ register: file_exists
+ when: '"rsyslog" in ansible_facts.packages'
tags:
- configure_strategy
- file_owner_var_log_syslog
@@ -22,3 +21,18 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Ensure owner syslog on /var/log/syslog
+ file:
+ path: /var/log/syslog
+ owner: syslog
+ when:
+ - '"rsyslog" in ansible_facts.packages'
+ - file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
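Review bot: `owner: syslog` makes the `file` task error out when the account is absent, where the old `owner: '104'` simply applied the number; that is acceptable now that the task is gated on `"rsyslog" in ansible_facts.packages`, and because the preceding stat task is skipped under the same condition, `file_exists.stat is defined` is false on those hosts and the task skips cleanly rather than failing, so the two `when` conditions are consistent.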
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog'
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -1 +1 @@
-
+oval:ssg-package_rsyslog:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,8 +1,8 @@
-find /lib/ -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
-find /lib64/ -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
-find /usr/lib/ -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
-find /usr/lib64/ -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,5 +1,5 @@
- name: Find /lib/ file(s) matching ^.*$ recursively
- command: find -H /lib/ -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
+ command: find -H /lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -40,7 +40,7 @@
- no_reboot_needed
- name: Find /lib64/ file(s) matching ^.*$ recursively
- command: find -H /lib64/ -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
+ command: find -H /lib64/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -81,7 +81,7 @@
- no_reboot_needed
- name: Find /usr/lib/ file(s) matching ^.*$ recursively
- command: find -H /usr/lib/ -type f ! -uid 0 -regextype posix-extended -regex "^.*$"
+ command: find -H /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -122,7 +122,7 @@
- no_reboot_needed
- name: Find /usr/lib64/ file(s) matching ^.*$ recursively
- command: find -H /usr/lib64/ -type f ! -uid 0 -regextype posix-extended -regex
+ command: find -H /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex
"^.*$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' differs.
--- xccdf_org.ssgproject.content_rule_file_cron_allow_exists
+++ xccdf_org.ssgproject.content_rule_file_cron_allow_exists
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel; then
touch /etc/cron.allow
- chown 0 /etc/cron.allow
chmod 0600 /etc/cron.allow
else
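Review bot: the `chown 0 /etc/cron.allow` line is removed with no replacement, so after this change the remediation no longer sets the owner of /etc/cron.allow at all; the ansible hunk for the same rule drops `owner: '0'` in the same way. If the cause is that the rule still passes the old `fileuid`/`file_uid` parameter name and the renamed template now ignores it, the rule definition needs updating; if the drop is intentional, the commit message should say so.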
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' differs.
--- xccdf_org.ssgproject.content_rule_file_cron_allow_exists
+++ xccdf_org.ssgproject.content_rule_file_cron_allow_exists
@@ -14,7 +14,6 @@
file:
path: /etc/cron.allow
state: touch
- owner: '0'
mode: '0600'
when: '"kernel" in ansible_facts.packages'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -L /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*_key$' -exec chown -L 0 {} \;
+find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*_key$' -exec chown -L 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -11,7 +11,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
- command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
-regex "^.*_key$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -L /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*\.pub$' -exec chown -L 0 {} \;
+find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*\.pub$' -exec chown -L 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -11,7 +11,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
- command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
-regex "^.*\.pub$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -1,9 +1,9 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
-find -L /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*audit(\.rules|d\.conf)$' -exec chown -L 0 {} \;
+find -L /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*audit(\.rules|d\.conf)$' -exec chown -L 0 {} \;
-find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*\.rules$' -exec chown -L 0 {} \;
+find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*\.rules$' -exec chown -L 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -11,7 +11,7 @@
- no_reboot_needed
- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
- command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+ command: find -H /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
-regex "^.*audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
@@ -49,7 +49,7 @@
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
- command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
-regex "^.*\.rules$"
register: files_found
changed_when: false
Change in Ansible: Please consider using more suitable Ansible module than
…plate from fileuid to uid_or_name
c118ea9 to dc65c70
The audit pkg issue is caused by rule file_ownership_audit_configuration.