Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook #52

Open
HerbBoy opened this issue Dec 6, 2021 · 5 comments
Open

[vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook #52

HerbBoy opened this issue Dec 6, 2021 · 5 comments
Labels
ansible bug Something isn't working

Comments

@HerbBoy
Copy link
Contributor

HerbBoy commented Dec 6, 2021

Hi,

Vuln: VCLD-70-000013
Issue: There is a logic issue, stemming from the way lineinfile is used to enforce STIG requirements.
Fix: This can be fixed by first leveraging the lineinfile module to find and remove the entire block:

- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 1 of 2
  lineinfile:
    path: '{{ var_conf_path }}'
    state: absent
    regex: '{{ item }}'
  with_items:
    - 'cgi.assign                 = \( \".pl\"  => \"/usr/bin/perl\",'
    - '\".cgi\" => \"/usr/bin/perl\",'
    - '\".rb\"  => \"/usr/bin/ruby\",'
    - '\".erb\" => \"/usr/bin/eruby\",'
    - '\".py\"  => \"/usr/bin/python\" \)'
  tags:
  - VCLD-70-000013
  - conf
  notify:
  - restart vami
  when:
  - run_conf_set_cgi_assign | bool

Note: In the event this block of code changes, each item (or line) of code would need to be updated. Or this block could be dynamically put in place by first running a cat of the file and finding this block of code, registering the output then placing it in line by line.

Then once the block is removed add in required items:

- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 2 of 2
  blockinfile:
    path: '{{ var_conf_path }}'
    state: present
    insertafter: "## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini."
    block:  |
      cgi.assign                 = (
                                ".py"  => "/usr/bin/python",
                                ".cgi" => "/usr/bin/python",
                                # 2
                                )
  tags:
  - VCLD-70-000013
  - conf
  notify:
  - restart vami
  when:
  - run_conf_set_cgi_assign | bool

This code has already been implemented into the forked branch I created: https://github.com/HerbBoy/dod-compliance-and-automation
HerbBoy added a commit to HerbBoy/dod-compliance-and-automation that referenced this issue Dec 6, 2021
@HerbBoy
fixed VCLD-70-000013 ISSUE vmware#52 of main branch
af4f0df
@rlakey
Copy link
Contributor

rlakey commented Dec 17, 2021

I think we need a new way to handle this one without so many assumptions being made. For example the lines you are trying to remove we are assuming are the only possible options and then we are assuming that comment exists and is exactly that.

Not sure of the best way to handle this.

@HerbBoy
Copy link
Contributor Author

HerbBoy commented Dec 18, 2021

@rlakey I agree. This is to me was a patch job as the existing logic did not work.

I have been exploring potential options but still no solution.

To your point though, what are the potential options? if we knew what they were it would make solving this quite simple. iterate through potential lines and for those that exist, remove them.

Second issue, i do not know but i doubt the location in which this statement is placed within the file matters, therefore a solution could be implemented that simply placed these commands at the bottom of the file - after deleting the previous part.

@freddyfeelgood
Copy link
Contributor

freddyfeelgood commented Dec 20, 2021
edited
Loading

@HerbBoy can you test the below to see if it handles all your use cases? It includes tab characters, as that is how the original values appear in the vCenter config file.

# Title: VCLD-70-000013 - VAMI must remove all mappings to unused scripts (requires Ansible >= 2.4)
- name: See if cgi.assign exists in file
  shell: cat '{{ var_conf_path }}' | grep -e "^cgi\.assign\b" | wc -l
  register: exists
  changed_when: false

- name: Replace all between parens if it does not match (tabs match original vCenter value)
  ansible.builtin.replace:
    path: '{{ var_conf_path }}'
    after: 'cgi\.assign(\s*)=(\s*)\('
    before: '\)'
    regexp: '([^\)]+)'
    replace: ' ".py"  => "/usr/bin/python",\n\t\t\t       ".cgi" =>"/usr/bin/python" '
  tags:
  - VCLD-70-000013
  - conf
  notify:
  - restart vami
  when:
  - exists.stdout == "1"
  - run_conf_set_cgi_assign | bool

- name: Add cgi.assign setting to end of file if it is not there, with two values (tabs match original vCenter value)
  ansible.builtin.lineinfile:
    path: '{{ var_conf_path }}'
    line: "{{ item }}"
    create: yes
  with_items:
      - "cgi.assign                 = ( \".py\"  => \"/usr/bin/python\","
      - "\t\t\t       \".cgi\" =>\"/usr/bin/python\" )"
  tags:
  - VCLD-70-000013
  - conf
  notify:
  - restart vami
  when:
  - exists.stdout == "0"
  - run_conf_set_cgi_assign | bool

@HerbBoy
Copy link
Contributor Author

HerbBoy commented Jan 26, 2022

@freddyfeelgood This will work for the use cases i have tested. Apologies on the delay.

@rlakey
Copy link
Contributor

rlakey commented May 3, 2022

Values changed for this one again in U3d so need to see if those new entries can be removed.

@rlakey rlakey added bug Something isn't working ansible labels Mar 23, 2023
@rlakey rlakey changed the title VCLD-70-000013 || Is not properly enforced when enabled [vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook Mar 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ansible bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@freddyfeelgood @rlakey @HerbBoy