New rule kernel_config_modules #11558

Closed
wants to merge 1 commit into from

jan-cerny
Collaborator

Add a rule that checks if support for kernel modules is disabled. If the system can function without support for kernel modules, the support for them should be disabled. Include the rule to ANSSI R23 as a related rule.

Add a rule that checks if support for kernel modules is disabled.
If the system can function without support for kernel modules, the
support for them should be disabled. Include the rule to ANSSI R23
as a related rule.
@jan-cerny jan-cerny added the ANSSI ANSSI Benchmark related. label Feb 8, 2024
@jan-cerny jan-cerny added this to the 0.1.73 milestone Feb 8, 2024
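
As an added illustration of the check this pull request describes (it is not the rule's implementation and not ComplianceAsCode code), the following Python evaluates whether `CONFIG_MODULES` is disabled in kernel build configuration text. It assumes the standard Kconfig `.config` syntax; the function names and sample configs are constructed here, and treating an absent `CONFIG_MODULES` as disabled is an assumption of this example.

```python
import re

# Kconfig .config syntax: "CONFIG_FOO=value" when an option is set,
# "# CONFIG_FOO is not set" when a bool/tristate option is disabled.
_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; explicitly disabled options map to 'n'."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def modules_disabled(text):
    """True when CONFIG_MODULES is not set (or absent) in the config text."""
    options = parse_kconfig(text)
    if not options:
        # Fail closed: an empty or wrong file must not count as a pass.
        raise ValueError("no CONFIG_ options found; not a kernel config")
    # Exact-name lookup, so CONFIG_MODULES_USE_ELF_RELA or CONFIG_MODULE_SIG
    # cannot be mistaken for CONFIG_MODULES (a substring grep would match).
    # Assumption of this example: an absent option counts as disabled.
    return options.get("CONFIG_MODULES", "n") == "n"


# Constructed sample configs (not taken from a real system).
MODULAR = """\
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
"""
STATIC = """\
CONFIG_MODULES_USE_ELF_RELA=y
# CONFIG_MODULES is not set
"""
ABSENT = "CONFIG_MODULES_USE_ELF_RELA=y\n"

if __name__ == "__main__":
    for name, cfg in (("modular", MODULAR), ("static", STATIC), ("absent", ABSENT)):
        print(name, "PASS" if modules_disabled(cfg) else "FAIL")
```
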
codeclimate bot commented Feb 8, 2024

Code Climate has analyzed commit 1d295a4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.4% (0.0% change).


@jan-cerny jan-cerny added the New Rule Issues or pull requests related to new Rules. label Feb 8, 2024
@Mab879 Mab879 self-assigned this Feb 8, 2024
Member

@Mab879 Mab879 left a comment

Thanks for your work on this.

However, I do have some reservations about accepting this PR.

If we are not including this in a profile, why are we creating a rule?

I'm happy to discuss this with you further offline.

@@ -579,6 +579,9 @@ controls:
- kernel_config_hibernation
- kernel_config_binfmt_misc
- kernel_config_legacy_ptys
related_rules:
# This rule isn't included in any profile therefore it won't appear in the built data stream.
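
Review bot: The comment added under related_rules: states the consequence (the rule is in no profile, so it is absent from the built data stream) but not why the rule is listed under related_rules: instead of rules:. A rule that never reaches the data stream is never evaluated by a scanner, so this entry documents the control without checking anything. Either say that in the comment together with the reason for keeping the rule out of rules:, or move it into rules: if the check is meant to run.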
Member


This comment doesn't explain why it is here and not in the rules section. Please update this comment to reflect that.

@jan-cerny
Collaborator Author

If we are not including this in a profile, why are we creating a rule?

I assume we wanted to create it to provide broader context in the controls file. But, I don't like it. The rule won't be present in the built data stream, so the rule is useless.

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Feb 9, 2024
This PR supersedes ComplianceAsCode#11558
where we discovered that if we create a special rule for CONFIG_MODULES
and put it only to related_rules the rule won't be useful because
it won't get into the built data stream.
@jan-cerny
Collaborator Author

replaced by #11571

@jan-cerny jan-cerny closed this Feb 9, 2024
@jan-cerny jan-cerny removed this from the 0.1.73 milestone Feb 9, 2024
benruland pushed a commit to sig-bsi-grundschutz/content that referenced this pull request Mar 6, 2024
This PR supersedes ComplianceAsCode#11558
where we discovered that if we create a special rule for CONFIG_MODULES
and put it only to related_rules the rule won't be useful because
it won't get into the built data stream.