Add CIS support for slmicro5 #12648
Conversation
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_db_up_to_date' differs.
--- xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
+++ xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if rpm --quiet -q gdm && { rpm --quiet -q kernel; }; then
dconf update
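Review bot: the applicability gate in this hunk changes meaning, not just form: the removed condition excluded containers by the absence of `/.dockerenv` and `/run/.containerenv`, while the added `rpm --quiet -q kernel` treats any host carrying a package literally named `kernel` as a machine. The two disagree on a container built from an image that includes the kernel package (now remediated) and on a host whose kernel package has a different name (SUSE products ship `kernel-default`, for instance), where `dconf update` would now be skipped silently. Please confirm that the `system_with_kernel` platform resolves the package name per product, and consider keeping the container-marker test alongside the new check. The same substitution recurs in the three grub2_cfg bash hunks below.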
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_db_up_to_date' differs.
--- xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
+++ xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
@@ -18,7 +18,7 @@
cmd: dconf update
when:
- '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-81003-6
- PCI-DSS-Req-6.2
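Review bot: `"kernel" in ansible_facts.packages` relies on the same package facts already used for the `gdm` test, so no extra fact gathering is needed, but dropping the `ansible_virtualization_type` condition means the task now runs inside docker, podman, lxc and similar guests whenever a `kernel` package is present. If the intent is still to skip containers, keep `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` in the `when` list next to the new condition. This applies equally to the grub2_cfg Ansible hunks below.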
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_db_up_to_date'
--- xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
+++ xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
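Review bot: replacing the platform definition `oval:ssg-installed_env_is_a_machine:def:1` with `oval:ssg-system_with_kernel:def:1` is the root of the bash and Ansible differences reported above, and it repeats for enable_dconf_user_profile, the three grub2_cfg rules and grub2_uefi_password further down. A sentence in the PR description explaining why these rules moved from the "installed environment is a machine" platform to the "kernel package installed" platform would help anyone reading the datastream diff judge whether the change is intended for all products that build these rules, not only slmicro5.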
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dconf_user_profile'
--- xccdf_org.ssgproject.content_rule_enable_dconf_user_profile
+++ xccdf_org.ssgproject.content_rule_enable_dconf_user_profile
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing
@@ -33,8 +33,8 @@
8.3
[rationale]:
-Providing an advance warning that a password will be expiring gives users
-time to think of a secure password. Users caught unaware may choose a simple
+Providing an advance warning that a password will be expiring gives users
+time to think of a secure password. Users caught unaware may choose a simple
password or write it down where it may be discovered.
[ident]:
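Review bot: the removed and added rationale lines in this hunk are identical as rendered, so this is a whitespace-only change (trailing whitespace or line endings) with no effect on the rule text. Harmless, but a mention in the commit message would stop the "New content has different text" report from being read as a wording change. The OCIL hunk for package_openldap-servers_removed at the end of the report shows the same pattern.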
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
chgrp 0 /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -24,7 +24,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-80800-6
- CJIS-5.5.2.2
@@ -48,7 +48,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80800-6
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
chown 0 /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -24,7 +24,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-80805-5
- CJIS-5.5.2.2
@@ -48,7 +48,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80805-5
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -22,7 +22,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-80814-7
- NIST-800-171-3.4.5
@@ -44,7 +44,7 @@
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80814-7
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'
--- xccdf_org.ssgproject.content_rule_grub2_uefi_password
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_password
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed' differs.
--- ocil:ssg-package_openldap-servers_removed_ocil:questionnaire:1
+++ ocil:ssg-package_openldap-servers_removed_ocil:questionnaire:1
@@ -2,6 +2,6 @@
following command:
$ rpm -q openldap-servers
The output should show the following:
-package openldap-servers is not installed
+package openldap-servers is not installed
Is it the case that it does not?
f2181f0 to 55ef3b2
I have built the data stream for the slmicro5 product and I can see that there are reasonable CIS profiles present there. Great job!
@teacup-on-rockingchair Please consider using automatic assignment of rule references at build time based on controls file data instead of manually adding references to each rule.yml file. Using automatic reference assignment reduces data duplication, prevents inconsistencies and promotes the Control file to a primary source of truth. We are already successfully using automatic assignment of rule references in multiple RHEL profiles. Please see https://complianceascode.readthedocs.io/en/latest/manual/developer/03_creating_content.html#using-controls-for-automated-reference-assignment-to-rules. How does this sound to you?
@@ -28,7 +28,8 @@ identifiers:
references:
cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
cis@sle12: 3.3.2
cis@sle15: 3.3.2
cis@sle15: 3.3.
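Review bot: as rendered, the added line `cis@sle15: 3.3.` both truncates the section number and repeats the `cis@sle15` key that the line above already carries with `3.3.2`, which would be a duplicate mapping key in the YAML `references:` block. Following the `cis@sle12` / `cis@sle15` pattern, the new line presumably wants the key for the product this PR introduces rather than a second `cis@sle15`, and the value needs its final component.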
A number is missing
Thanks, should be handled in the latest commit.
Added references and identifiers; where needed, enabled the slmicro5 platform or configured appropriate template variables.
Thanks @Mab879 🙇
1588468 to 931bc91
Code Climate has analyzed commit 931bc91 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
Thank you!
Waiving Automatus since not all rules can be run on containers.
Description:
Add CIS profile scaffold support for SL Micro5 platform
Rationale:
Add references and identifiers; where needed, enable the slmicro5 platform or configure appropriate template variables.