
[vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook #52

Open
HerbBoy opened this issue Dec 6, 2021 · 5 comments
Labels
ansible bug Something isn't working

Comments

@HerbBoy
Contributor

HerbBoy commented Dec 6, 2021

Hi,

Vuln: VCLD-70-000013
Issue: There is a logic issue stemming from the way lineinfile is used to enforce STIG requirements.
Fix: This can be fixed by first leveraging the lineinfile module to find and remove the entire block:

- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 1 of 2
  # Delete the existing cgi.assign block one line at a time. lineinfile matches
  # with re.search, so each pattern only has to occur somewhere in the line;
  # the literal spacing below must match the file exactly.
  ansible.builtin.lineinfile:
    path: '{{ var_conf_path }}'
    state: absent
    regexp: '{{ item }}'
  loop:
    - 'cgi\.assign                 = \( \".pl\"  => \"/usr/bin/perl\",'
    - '\".cgi\" => \"/usr/bin/perl\",'
    - '\".rb\"  => \"/usr/bin/ruby\",'
    - '\".erb\" => \"/usr/bin/eruby\",'
    - '\".py\"  => \"/usr/bin/python\" \)'
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - run_conf_set_cgi_assign | bool

Note: In the event this block of code changes, each item (or line) of code would need to be updated. Alternatively, this block could be put in place dynamically by first running a cat of the file, finding this block of code, registering the output, and then placing it in line by line.

Then once the block is removed add in required items:

- name: VCLD-70-000013 - VAMI must remove all mappings to unused scripts - Part 2 of 2
  # Re-insert only the required mappings. insertafter is a regex; the block is
  # wrapped in "# BEGIN/END ANSIBLE MANAGED BLOCK" markers, which lighttpd
  # treats as comments.
  ansible.builtin.blockinfile:
    path: '{{ var_conf_path }}'
    state: present
    insertafter: "## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini."
    block: |
      cgi.assign                 = (
                                ".py"  => "/usr/bin/python",
                                ".cgi" => "/usr/bin/python",
                                # 2
                                )
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - run_conf_set_cgi_assign | bool

This code has already been implemented into the forked branch I created: https://github.com/HerbBoy/dod-compliance-and-automation

HerbBoy added a commit to HerbBoy/dod-compliance-and-automation that referenced this issue Dec 6, 2021
@rlakey
Contributor

rlakey commented Dec 17, 2021

I think we need a new way to handle this one without so many assumptions being made. For example, we are assuming the lines you are trying to remove are the only possible options, and then we are assuming that the comment exists and is exactly that.

Not sure of the best way to handle this.

@HerbBoy
Contributor Author

HerbBoy commented Dec 18, 2021

@rlakey I agree. This, to me, was a patch job, as the existing logic did not work.

I have been exploring potential options but still no solution.

To your point, though: what are the potential options? If we knew what they were, it would make solving this quite simple: iterate through the potential lines and, for those that exist, remove them.

Second issue: I do not know, but I doubt the location in which this statement is placed within the file matters; therefore a solution could be implemented that simply places these commands at the bottom of the file, after deleting the previous part.

@freddyfeelgood
Contributor

freddyfeelgood commented Dec 20, 2021

@HerbBoy can you test the below to see if it handles all your use cases? It includes tab characters, as that is how the original values appear in the vCenter config file.

# Title: VCLD-70-000013 - VAMI must remove all mappings to unused scripts (requires Ansible >= 2.4)
- name: See if cgi.assign exists in file
  # Count lines starting with "cgi.assign" (\b stops "cgi.assignment" matching).
  # wc -l is last in the pipeline, so the task does not fail when grep finds
  # nothing; stdout is "0" or "1" (or more, if the key is duplicated).
  ansible.builtin.shell: cat '{{ var_conf_path }}' | grep -e "^cgi\.assign\b" | wc -l
  register: exists
  changed_when: false

- name: Replace all between parens if it does not match (tabs match original vCenter value)
  # after/before delimit the section from "cgi.assign = (" to the first ")";
  # regexp then swallows whatever is inside and the replace string puts back
  # only the two required mappings. \n and \t are expanded by re.sub.
  ansible.builtin.replace:
    path: '{{ var_conf_path }}'
    after: 'cgi\.assign(\s*)=(\s*)\('
    before: '\)'
    regexp: '([^\)]+)'
    replace: ' ".py"  => "/usr/bin/python",\n\t\t\t       ".cgi" =>"/usr/bin/python" '
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - exists.stdout == "1"
    - run_conf_set_cgi_assign | bool

- name: Add cgi.assign setting to end of file if it is not there, with two values (tabs match original vCenter value)
  # Without regexp, lineinfile appends each line unless it is already present
  # verbatim; double-quoted YAML turns \t into real tab characters.
  ansible.builtin.lineinfile:
    path: '{{ var_conf_path }}'
    line: "{{ item }}"
    create: yes
  loop:
    - "cgi.assign                 = ( \".py\"  => \"/usr/bin/python\","
    - "\t\t\t       \".cgi\" =>\"/usr/bin/python\" )"
  tags:
    - VCLD-70-000013
    - conf
  notify:
    - restart vami
  when:
    - exists.stdout == "0"
    - run_conf_set_cgi_assign | bool

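The same "find the block, rewrite it, append if absent" logic as the tasks above, and the concern raised earlier that they assume the exact mappings and comment present in the file, can be exercised offline. The following is an added example written for this discussion, not code from the project or from any participant: it parses whatever `cgi.assign = ( ... )` array a lighttpd.conf currently contains (tabs, comments and unknown mappings included), reports non-compliant mappings, and rewrites or appends the block idempotently. The required mappings are taken from the tasks in the thread; the sample config, the function names (`parse_cgi_assign`, `unexpected_mappings`, `enforce`) and the handling of duplicate blocks are assumptions made here.

```python
import re

# Mappings the thread's tasks leave in place for VCLD-70-000013 (assumption
# taken from the YAML above); any other extension is treated as unused.
REQUIRED = {".py": "/usr/bin/python", ".cgi": "/usr/bin/python"}

# One cgi.assign array: key at line start, '=', '(' and everything up to the
# first ')'.  The values are flat string pairs, so [^)]* cannot stop early.
BLOCK_RE = re.compile(r"^[ \t]*cgi\.assign[ \t]*=[ \t]*\((?P<body>[^)]*)\)",
                      re.MULTILINE)
# One '"ext" => "interpreter"' pair inside the array.
PAIR_RE = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')


def parse_body(body):
    """{extension: interpreter} from the text between the parentheses.
    lighttpd '#' comments (such as the '# 2' line in the thread) are dropped
    line by line before the pairs are read."""
    cleaned = "\n".join(line.split("#", 1)[0] for line in body.splitlines())
    return dict(PAIR_RE.findall(cleaned))


def parse_cgi_assign(text):
    """Mapping from the first cgi.assign block in the config, or None."""
    m = BLOCK_RE.search(text)
    return parse_body(m.group("body")) if m else None


def render_block(mapping):
    """Render the array in the tab-indented layout the thread reproduces."""
    items = [f'"{ext}"  => "{prog}"' for ext, prog in mapping.items()]
    if not items:
        return "cgi.assign                 = ( )"
    first = "cgi.assign                 = ( " + items[0]
    rest = ["\t\t\t       " + item for item in items[1:]]
    return ",\n".join([first] + rest) + " )"


def unexpected_mappings(text, required=REQUIRED):
    """Check: extensions that are mapped but not allowed, or mapped to a
    different interpreter than required.  An empty list means compliant."""
    current = parse_cgi_assign(text) or {}
    return sorted(ext for ext, prog in current.items()
                  if required.get(ext) != prog)


def enforce(text, required=REQUIRED):
    """Return (new_text, changed).  Rewrites the first cgi.assign block to
    exactly `required` whatever it currently contains, removes any further
    cgi.assign blocks, and appends the block when none is present."""
    rendered = render_block(required)
    matches = list(BLOCK_RE.finditer(text))
    if not matches:
        sep = "" if (not text or text.endswith("\n")) else "\n"
        return text + sep + rendered + "\n", True
    if len(matches) == 1 and parse_body(matches[0].group("body")) == required:
        return text, False          # already compliant: no change, no restart
    count = [0]

    def _replace(m):
        count[0] += 1
        return rendered if count[0] == 1 else ""

    return BLOCK_RE.sub(_replace, text), True


# Constructed sample resembling the VAMI lighttpd.conf fragment discussed in
# the thread (tab indentation as in the original file); not a copy of any file.
SAMPLE = (
    "server.port = 5480\n"
    "## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini.\n"
    'cgi.assign                 = ( ".pl"  => "/usr/bin/perl",\n'
    '\t\t\t       ".cgi" => "/usr/bin/perl",\n'
    '\t\t\t       ".rb"  => "/usr/bin/ruby",\n'
    '\t\t\t       ".erb" => "/usr/bin/eruby",\n'
    '\t\t\t       ".py"  => "/usr/bin/python" )\n'
    'server.modules += ( "mod_cgi" )\n'
)

if __name__ == "__main__":
    print("non-compliant:", unexpected_mappings(SAMPLE))
    fixed, changed = enforce(SAMPLE)
    print("changed:", changed)
    print(fixed)
```

Because compliance is judged on the parsed mapping rather than on the literal lines, a file whose block is indented differently, carries a comment, or was rewritten by an earlier run is recognised as compliant and left alone, which is what a `changed_when`/handler-driven restart needs.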
@HerbBoy
Contributor Author

HerbBoy commented Jan 26, 2022

@freddyfeelgood This will work for the use cases I have tested. Apologies for the delay.

@rlakey
Contributor

rlakey commented May 3, 2022

Values changed for this one again in U3d, so we need to see if those new entries can be removed.

@rlakey rlakey added bug Something isn't working ansible labels Mar 23, 2023
@rlakey rlakey changed the title VCLD-70-000013 || Is not properly enforced when enabled [vSphere][7.0][VCLD-70-000013] Is not properly enforced when enabled in the Ansible playbook Mar 23, 2023