
Update Profile to V1R6 #2

Merged
merged 100 commits into from
Dec 9, 2022

Conversation

aaronlippold
Member

@aaronlippold aaronlippold commented Nov 23, 2022

Changelog

TODO Items

--

New Controls from V1R1 -> V1R6

  • SV ...
  • SV ...

Updates

  • Merged in base work from community partners
  • Linted controls and profile to follow current standards
  • Updated README

Enhancements

  • Added container-aware logic for Not Applicable in containers
    • Then sub-logic for Community Edition, Ubuntu Pro FIPS 140-2 builds, etc.
  • Added logic to know when we are on the Community Edition vs. Ubuntu Pro with FIPS 140-2 modules, etc.
  • ...

Fixes

  • Used core resources when possible
  • ...

@aaronlippold aaronlippold added the enhancement New feature or request label Nov 23, 2022

@em-c-rod em-c-rod left a comment


Preliminary review on several controls. Left some comments and questions. Has this profile been run against the target? If so, can the results be posted in this PR? Also, whether in this PR or another, we should add a GitHub workflow to run the profile.

impact 0.5
tag severity: "medium "
tag gtitle: "SRG-OS-000002-GPOS-00002 "
tag gid: "V-238196 "
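Review bot: the trailing spaces inside the quoted tag values on these lines ("medium ", "SRG-OS-000002-GPOS-00002 ", "V-238196 ") become part of the tag strings, so severity and gid will not match exactly in reporting or filtering tools that compare them to the benchmark identifiers; strip the whitespace, e.g. `tag severity: 'medium'` and `tag gid: 'V-238196'`, and run the linter over the rest of the controls to catch the same pattern.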


Should the gid be updated to SV or is it correct to have V-? Also, is it fine to have spaces at the end of the tags?

# banner_text = input('banner_text')
# clean_banner = banner_text.gsub(/[\r\n\s]/, '')
# gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults"
# describe 'The SSHD Banner is set to the standard banner and has the correct text' do
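Review bot: this commented-out block pairs an SSHD banner description with a GDM greeter path (`/etc/gdm3/greeter.dconf-defaults`), so even if it were restored it would not be checking what its title says; either drop the dead code or restore it against the banner source this control is actually meant to verify, keeping the whitespace normalization (`gsub(/[\r\n\s]/, '')`) so a wrapped banner still compares equal to the input.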


Why is this commented out?

it { should be_installed }
end

describe sshd_config do
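Review bot: the `describe sshd_config do` block is independent of the `be_installed` describe above it, so when the package is absent the control produces two findings, the package failure plus a resource error from reading the missing config; if one clear finding is preferred, guard the config describe on the package being installed, otherwise leave it as is and rely on the resource error, which at least never turns a missing file into a silent pass.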


For another control that looks at a config file, first there is a check if config_file_exists. Is this a situation where this logic should also be encapsulated to make sure the thing it is checking exists and we don't have errors?

Member Author


The resources themselves should do this and bubble up an error if the object was not found; you can check the file resource or file_reader utility to see if this is in there by default.
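The container-aware Not Applicable logic from the changelog and the "missing config must surface as an error, not a pass" behaviour discussed in this thread, as an added plain-Ruby example that is not code from this profile or from InSpec. It models one banner control's outcome on constructed inputs; in the profile those values would come from the `virtualization`, `sshd_config` and `file` resources and from `input('banner_text')`, which is an assumption here.

```ruby
# Added example, not from the profile under review. Plain Ruby (no InSpec DSL)
# so it runs stand-alone; in the profile the inputs come from virtualization,
# sshd_config, file and input('banner_text'), which are assumptions here.

# Collapse all whitespace so a banner compares equal regardless of line wrapping,
# the same normalization as the gsub(/[\r\n\s]/, '') quoted in the review.
def normalize_banner(text)
  text.gsub(/[\r\n\s]/, '')
end

# Minimal sshd_config parser: skips comments and blank lines, lowercases keys,
# keeps the first occurrence of a keyword (sshd's rule) and stops at the first
# Match block, whose directives only apply conditionally.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    break if key.casecmp?('Match')
    settings[key.downcase] ||= value
  end
  settings
end

# Outcome of the SSHD banner control for one host.
#   container:        true when virtualization.system reports a container
#   sshd_config_text: contents of /etc/ssh/sshd_config, nil if the file is absent
#   banner_file_text: contents of the file named by Banner, nil if absent
#   expected:         the banner_text input
# A missing config is reported as :error rather than silently passing, matching
# the "bubble up an error" behaviour of the InSpec resources.
def banner_control(container:, sshd_config_text:, banner_file_text:, expected:)
  return :not_applicable if container
  return :error if sshd_config_text.nil?
  banner_path = parse_sshd_config(sshd_config_text)['banner']
  return :failed if banner_path.nil? || banner_path == 'none' || banner_file_text.nil?
  normalize_banner(banner_file_text) == normalize_banner(expected) ? :passed : :failed
end
```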

HackerShark and others added 21 commits November 28, 2022 12:28
…turns a number to better handle the logic loop. Using parse_config_file resource rather than file resource.

Signed-off-by: HackerShark <[email protected]>
…ation to inputs where it made sense.

Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
Signed-off-by: HackerShark <[email protected]>
aaronlippold and others added 19 commits December 8, 2022 12:10
…ed off pip3 ansible install

Signed-off-by: Aaron Lippold <[email protected]>
…trols to better use inputs.

Signed-off-by: Aaron Lippold <[email protected]>
…more controls in the container context, fixed a few control style issues, updated all thresholds for current values

Signed-off-by: Aaron Lippold <[email protected]>
…s for NA conditions, small style fixes

Signed-off-by: Aaron Lippold <[email protected]>
Signed-off-by: Aaron Lippold <[email protected]>
@aaronlippold aaronlippold changed the title Refactor and Rebase to the current V1R6 Update Profile to V1R6 Dec 9, 2022
@@ -0,0 +1,3 @@
---
compliance.min: 48
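Review bot: a compliance floor of 48 lets the pipeline pass with roughly half the controls failing, and the file gives no reason for that value; add a YAML comment referencing issue #8 (noted in review as addressing this low value) and the intended target floor, so the threshold reads as a temporary baseline to be raised rather than an accepted one.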


I notice that issue #8 addresses this low value

@wdower
Contributor

wdower commented Dec 9, 2022

This PR has snowballed into something unwieldy, since we did the kitchen implementation in the same branch we were doing the profile update in.

However, the profile is in a better state after this update than it was before, and the new Test Kitchen pipeline is not reporting any broken tests. We should merge this into main, rebranch, and continue refining the tests.

LGTM for now

@wdower wdower closed this Dec 9, 2022
@wdower wdower reopened this Dec 9, 2022
@wdower wdower merged commit 886f7be into main Dec 9, 2022
@wdower wdower deleted the ubuntu-updates branch December 9, 2022 21:13