Describe the Issue
Handlers should verify that, for any service to be restarted, the STIG rule that enables that service is set to true, not false.
I.e., handlers may 'trip' if the service is 'reconfigured' under one or more (1+) controls, but another control is the one that actually enables the service. This is a very common scenario.
E.g., fapolicyd is covered by multiple Findings/IDs (RHEL-08-040135, 040136 & 040137). One or more (1+) may notify to restart fapolicyd.
Indeed, at least one (1) control, RHEL-08-040137, which reconfigures fapolicyd:
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
will notify the fapolicyd handler to restart in at least two (2) cases.
But only one (1), different control, RHEL-08-040136, defines whether RHEL 8 fapolicyd is actually enabled, in addition to other controls that configure fapolicyd and possibly notify:
- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled."
Currently there is no such conditional on RHEL-08-040136 (rhel_08_040136), and fapolicyd -- even if not running, and not enabled to run, not even after Ansible Lockdown -- will execute. So if the enable control is set to false, then the handler for fapolicyd (restarted) should NOT restart fapolicyd blindly.
Expected Behavior
For services with a STIG rule to enable them, that STIG rule should be checked for true.
E.g., the handler should actually check that rhel_08_040136 is defined as true, and fapolicyd is enabled, before restarting it.
Actual Behavior
Ansible-Lockdown restarts a service that is not enabled, and was explicitly set to false in the site.yml variable or other file. In some cases, this may prevent further playbook execution and/or interaction, especially given the system is not rebooted by default.
E.g., with fapolicyd, no further execution could occur, and all logins are rejected, once restarted. usbguard could be another if the KB/mouse serial has not been recorded/saved.
Control(s) Affected
Will vary based on service, but for fapolicyd:
RHEL-08-040135 - install fapolicyd (no notify)
RHEL-08-040136 - enable fapolicyd (conditional to respect)
For consistency, and so things aren't problematic during the execution of the Ansible Playbook, and left until the very end, it might make sense to move to the main YAML for Handlers. If so, the control would be RHEL-08-040141 (rhel_08_040141).
Relevant locations (commit 18d8335):
RHEL-08-040137 task: RHEL8-STIG/tasks/fix-cat2.yml, line 6478; it notifies the fapolicyd handler at lines 6495 and 6510.
fapolicyd handler that is notified: RHEL8-STIG/handlers/main.yml, line 55.
RHEL-08-040136 task (defines whether fapolicyd is enabled): RHEL8-STIG/tasks/fix-cat2.yml, line 6462.
Possible Solution
As above, add a simple conditional at a minimum, e.g. on the fapolicyd handler (RHEL8-STIG/handlers/main.yml, line 55 in 18d8335).
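As an added illustration (not the project's own handler or task code), a minimal play that shows the unconditional handler this issue describes next to one guarded by the rhel_08_040136 variable; the handler name, the task bodies and the fapolicyd.conf edit are assumptions, while the variables and rule titles come from the issue.

```yaml
# Added example, not Ansible-Lockdown code. Assumed: handler name
# "restart fapolicyd", the task bodies, and the fapolicyd.conf edit.
- hosts: rhel8
  become: true
  vars:
    rhel_08_040136: false   # operator opted out of enabling fapolicyd
    rhel_08_040137: true    # ...but still applies the deny-all policy rule
  tasks:
    - name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled."
      ansible.builtin.systemd:
        name: fapolicyd
        enabled: true
        state: started
      when: rhel_08_040136 | bool   # skipped in this run

    - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
      ansible.builtin.lineinfile:      # assumed remediation body
        path: /etc/fapolicyd/fapolicyd.conf
        regexp: '^permissive\s*='
        line: 'permissive = 0'
      when: rhel_08_040137 | bool
      notify: restart fapolicyd        # fires even though 040136 is false

  handlers:
    # Before: restarts fapolicyd whenever notified, regardless of
    # rhel_08_040136, which is the behaviour the issue reports.
    # - name: restart fapolicyd
    #   ansible.builtin.systemd:
    #     name: fapolicyd
    #     state: restarted

    # After: the handler honours the enable rule, so a service the
    # operator left disabled is not started by a config-only control.
    - name: restart fapolicyd
      ansible.builtin.systemd:
        name: fapolicyd
        state: restarted
      when: rhel_08_040136 | bool
```

Because handlers run at the end of the play, the guarded form also avoids the lockout the issue describes for fapolicyd when other controls still need to run.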