Merge pull request #12469 from Security-Onion-Solutions/reyesj2-patch-4

FIX: EA installers not downloadable from SOC & fix logging
2025-12-06 09:12:45 +01:00 · 2024-02-29 16:21:44 -05:00
parent 1fe8f3d9e4 53761d4dba
commit d911b7bfc4
2 changed files with 15 additions and 12 deletions
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -48,15 +48,17 @@ update_stig_profile:

 {% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
 run_initial_scan:
-  module.run:
-  - name: openscap.xccdf
-  - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2
 {% endif %}

 run_remediate:
-  module.run:
-    - name: openscap.xccdf
-    - params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --remediate --profile {{ OSCAP_PROFILE_NAME }} {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2

 {# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #}
 disable_ctrl_alt_del_action:
@@ -82,9 +84,10 @@ remove_nullok_from_system_auth_auth:
    - backup: '.bak'

 run_post_scan:
-  module.run:
-    - name: openscap.xccdf
-    - params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+  cmd.run:
+    - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
+    - success_retcodes:
+      - 2

 {%   else %}
 {{sls}}_no_license_detected:
--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
@@ -611,7 +611,7 @@ the release. Additionally, the original security profile has been modified by Se
        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_emergency_expire_date" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir" selected="true" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir" selected="false" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_temp_expire_date" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_account_unique_id" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_accounts_authorized_local_users" selected="true" />
@@ -1007,8 +1007,8 @@ the release. Additionally, the original security profile has been modified by Se
        <ns5:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true" />
-        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="false" />
+        <ns5:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="false" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true" />
        <ns5:select idref="xccdf_org.ssgproject.content_rule_service_chronyd_enabled" selected="true" />