import ipa-healthcheck-0.12-4.module+el8.10.0+22138+e77d88cf

6 months ago · 2ef822f7da
parent a64771f963
commit 2ef822f7da
4 changed files with 271 additions and 1 deletions
--- a/SOURCES/0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+++ b/SOURCES/0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
@ -0,0 +1,47 @@
+From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf <tscherf@redhat.com>
+Date: Wed, 13 Mar 2024 12:57:34 +0100
+Subject: [PATCH 1/4] Fixes log file permissions as per CIS benchmark
+
+As per CIS benchmark the log file permissions should be 640 for some log
+files but if we change /var/log/ipa-custodia.audit.log permissions to
+640 then "ipa-healthcheck" reports a permission issue.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325
+Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
+---
+ src/ipahealthcheck/ipa/files.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index b7ca116..d914014 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644'))
+                          'root', 'root', '0644', '0640'))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+         self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst,
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+-        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))
+        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+                           '0644', '0640'))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+-                (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
+                (globpath, constants.PKI_USER, constants.PKI_GROUP,
+                 "0644", "0640")
+             )
+ 
+         for globpath in glob.glob(
+-- 
+2.45.0
+
--- a/SOURCES/0007-Fix-some-file-mode-format-issues.patch
+++ b/SOURCES/0007-Fix-some-file-mode-format-issues.patch
@ -0,0 +1,189 @@
+From 54e2e9b8bff0bc84b6179eac44993b460f02ad02 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 21 Jun 2024 15:15:36 -0400
+Subject: [PATCH 1/2] Fix some file mode format issues
+
+When specifying multiple possible modes for a file the values must
+be a tuple. There were two occurances where they were listed
+separately.
+
+Add in a pre-check on the formatting to raise an error for badly
+formatted files. This may be annoying for users if one sneaks in
+again but the CI should catch it.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/core/files.py | 12 +++++-
+ src/ipahealthcheck/ipa/files.py  |  6 +--
+ tests/test_core_files.py         | 71 +++++++++++++++++++++++++++++++-
+ tests/util.py                    |  1 +
+ 4 files changed, 85 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
+index 59e8b76..58dd74a 100644
+--- a/src/ipahealthcheck/core/files.py
+++ b/src/ipahealthcheck/core/files.py
+@@ -28,7 +28,17 @@ class FileCheck:
+ 
+     @duration
+     def check(self):
+-        for (path, owner, group, mode) in self.files:
+        # first validate that the list of files to check is in the correct
+        # format
+        process_files = []
+        for file in self.files:
+            if len(file) == 4:
+                process_files.append(file)
+            else:
+                yield Result(self, constants.ERROR, key=file,
+                             msg='Code format is incorrect for file')
+
+        for (path, owner, group, mode) in process_files:
+             if not isinstance(owner, tuple):
+                 owner = tuple((owner,))
+             if not isinstance(group, tuple):
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index d914014..c80fd5b 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644', '0640'))
+                          'root', 'root', ('0644', '0640')))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+         self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+-                           '0644', '0640'))
+                           ('0644', '0640')))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+                 (globpath, constants.PKI_USER, constants.PKI_GROUP,
+-                 "0644", "0640")
+                 ("0644", "0640"))
+             )
+ 
+         for globpath in glob.glob(
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index 6e3ec38..09fc216 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -2,14 +2,22 @@
+ # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+ #
+ 
+from ldap import OPT_X_SASL_SSF_MIN
+ import pwd
+ import posix
+from util import m_api
+from util import capture_results
+
+from ipahealthcheck.core import config
+ from ipahealthcheck.core.files import FileCheck
+ from ipahealthcheck.core import constants
+ from ipahealthcheck.core.plugin import Results
+from ipahealthcheck.ipa.files import IPAFileCheck
+from ipahealthcheck.system.plugin import registry
+ from unittest.mock import patch
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient, LDAPEntry
+ 
+-from util import capture_results
+ 
+ nobody = pwd.getpwnam('nobody')
+ 
+@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'),
+          ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'),
+          ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),))
+ 
+bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),)
+
+
+class mock_ldap:
+    SCOPE_BASE = 1
+    SCOPE_ONELEVEL = 2
+    SCOPE_SUBTREE = 4
+
+    def __init__(self, ldapentry):
+        """Initialize the results that we will return from get_entries"""
+        self.results = ldapentry
+
+    def get_entry(self, dn, attrs_list=None, time_limit=None,
+                  size_limit=None, get_effective_rights=False):
+        return []  # the call doesn't check the value
+
+
+class mock_ldap_conn:
+    def set_option(self, option, invalue):
+        pass
+
+    def get_option(self, option):
+        if option == OPT_X_SASL_SSF_MIN:
+            return 256
+
+        return None
+
+    def search_s(self, base, scope, filterstr=None,
+                 attrlist=None, attrsonly=0):
+        return tuple()
+
+ 
+ def make_stat(mode=33200, uid=0, gid=0):
+     """Return a mocked-up stat.
+@@ -197,3 +236,33 @@ def test_files_not_found(mock_exists):
+         for result in my_results.results:
+             assert result.result == constants.SUCCESS
+             assert result.kw.get('msg') == 'File does not exist'
+
+
+def test_bad_modes():
+    f = FileCheck()
+    f.files = bad_modes
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.ERROR
+        assert result.kw.get('msg') == 'Code format is incorrect for file'
+
+
+@patch('ipaserver.install.krbinstance.is_pkinit_enabled')
+def test_ipa_files_format(mock_pkinit):
+    mock_pkinit.return_value = True
+
+    fake_conn = LDAPClient('ldap://localhost', no_schema=True)
+    ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns,
+                          m_api.env.basedn))
+    framework = object()
+    registry.initialize(framework, config.Config)
+    f = IPAFileCheck(registry)
+
+    f.conn = mock_ldap(ldapentry)
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.SUCCESS
+diff --git a/tests/util.py b/tests/util.py
+index 8081595..5dcb0cd 100644
+--- a/tests/util.py
+++ b/tests/util.py
+@@ -140,6 +140,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
+ m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc'))
+ m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts'))
+ m_api.env.container_masters = DN(('cn', 'masters'))
+m_api.env.container_dns = DN(('cn', 'dns'))
+ m_api.Backend = Mock()
+ m_api.Command = Mock()
+ m_api.Command.ping.return_value = {
+-- 
+2.45.0
+
--- a/SOURCES/0008-Allow-WARNING-in-the-files-test.patch
+++ b/SOURCES/0008-Allow-WARNING-in-the-files-test.patch
@ -0,0 +1,28 @@
+From 79cca342b3c440a045cadbff871ff977e35222c6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Jun 2024 14:27:16 -0400
+Subject: [PATCH] Allow WARNING in the files test
+
+We are only validating the format and don't need to actually
+enforce the results in CI. The validation raises ERROR.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ tests/test_core_files.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index e7010a9..d308410 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit):
+     results = capture_results(f)
+ 
+     for result in results.results:
+-        assert result.result == constants.SUCCESS
+        assert result.result in (constants.SUCCESS, constants.WARNING)
+-- 
+2.45.0
+
--- a/SPECS/ipa-healthcheck.spec
+++ b/SPECS/ipa-healthcheck.spec
@ -8,7 +8,7 @@

 Name:           ipa-healthcheck
 Version:        0.12
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Health check tool for IdM
 BuildArch:      noarch
 License:        GPLv3
@ -21,6 +21,9 @@ Patch0002:      0002-Disable-two-failing-tests.patch
 Patch0003:      0003-Fix-logging-issue-related-to-dtype.patch
 Patch0004:      0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
 Patch0005:      0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
+Patch0006:      0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+Patch0007:      0007-Fix-some-file-mode-format-issues.patch
+Patch0008:      0008-Allow-WARNING-in-the-files-test.patch

 Requires:       %{name}-core = %{version}-%{release}
 Requires:       ipa-server
@ -124,6 +127,9 @@ install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{long


 %changelog
+* Fri Jun 21 2024 Rob Crittenden <rcritten@redhat.com> - 0.12-4
+- Change log file permissions of IPA as per CIS benchmark (RHEL-38929)
+
 * Sun Dec 10 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.12-3
 - Rebuilt for MSVSphere 8.8