Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Updates for Merge #5

Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

Conversation

TSterling76
Copy link
Contributor

No description provided.

controls/SV-221584.rb Outdated Show resolved Hide resolved
controls/SV-221588.rb Show resolved Hide resolved
inspec.yml Outdated Show resolved Hide resolved
controls/SV-221584.rb Outdated Show resolved Hide resolved
@TSterling76
Copy link
Contributor Author

Like this?

controls/SV-221584.rb Outdated Show resolved Hide resolved
controls/SV-221588.rb Outdated Show resolved Hide resolved
controls/SV-221588.rb Outdated Show resolved Hide resolved
inspec.yml Outdated Show resolved Hide resolved
@TSterling76
Copy link
Contributor Author

@HenryXiaoHX @aaronlippold ?

controls/SV-221584.rb Outdated Show resolved Hide resolved
@TSterling76
Copy link
Contributor Author

Wait, I just noticed the domain_role variable isn't returning the version number. Is it a syntax error? @em-c-rod @HenryXiaoHX

controls/SV-221584.rb Outdated Show resolved Hide resolved
@aaronlippold
Copy link
Member

Any updates to push to this?

@TSterling76
Copy link
Contributor Author

SV-221584 is giving me trouble, I can push what I have soon

@aaronlippold
Copy link
Member

Odd we don't seem to be getting data back from inspec ... aka from the run in Actions we are getting a lot of NULL in our got --- this seems like some kind of permission issue

@aaronlippold
Copy link
Member

https://github.com/mitre/google-chrome-v2r6-stig-baseline/runs/8102680830?check_suite_focus=true -- under the Run InSpec section ... our expected has values but not our got

Copy link
Member

@aaronlippold aaronlippold left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this profile will need to be run as Admin correct given it is looking at the registry

controls/SV-221588.rb Outdated Show resolved Hide resolved
@aaronlippold aaronlippold added the enhancement New feature or request label Aug 30, 2022
@HenryXiaoHX
Copy link
Contributor

https://github.com/mitre/google-chrome-v2r6-stig-baseline/runs/8102680830?check_suite_focus=true -- under the Run InSpec section ... our expected has values but not our got

I think this is the expected outcome because google chrome is not hardened yet. Therefore the corresponding property, such as 'DownloadRestrictions', does not yet exist in the registry key.

@TSterling76
Copy link
Contributor Author

Quick question, If i install the newest version of Inspec, would it come with SAF Heimdall?

@TSterling76
Copy link
Contributor Author

Also, do you guys use Mattermost?

@aaronlippold
Copy link
Member

Quick question, If i install the newest version of Inspec, would it come with SAF Heimdall?

Heimdall supports all versions of inspec but you have to install both of them yourself.

@aaronlippold
Copy link
Member

Also, do you guys use Mattermost?

MITRE uses Slack, Teams and use Mattermost with our cutomers but they run that and we join via accounts they provide.

@TSterling76
Copy link
Contributor Author

Was there anything else you guys wanted me to add to this?

TSterling76 added 2 commits September 8, 2022 18:56
@TSterling76
Copy link
Contributor Author

Not sure why the checks failed....

@TSterling76
Copy link
Contributor Author

Is the check failing for you as well

@TSterling76
Copy link
Contributor Author

?

@Amndeep7
Copy link

@TSterling76 I think your latest commit where you changed the type to Numeric from String is what's causing the issue. If you look at the output from the test, you can see under the "Run InSpec" step that it says Input 'google_chrome_version' with value '74.0.0' does not validate to type 'Numeric'. It's still proceeding on to the next step since inspec exec . --reporter=cli json:results.json || true in the workflow has that "or true" step which means that the command will succeed regardless of what occurred, which I think in this case even includes when the command fails entirely and doesn't generate a results.json. You can see that when you look at the next step, "Display the results summary", where it complains that it can't find the file: Error: ENOENT: no such file or directory, open 'results.json'.

It'll probably be insightful to look at this issue from the InSpec repo: inspec/inspec#2147. Maybe there's been updates since 2017, but it seems like there isn't that nice of a possible resolution other than treating it as a String and using cmp. I think the issue is going to be you comparing a 4 block semver (105.0.5195.102) with a 3 block one (74.0.0).

Maybe someone else can chime in, but the resolution I would be going for would be to see if the input I was getting from stdout was 3 or 4 block semver, and then comparing it with the appropriate string (i.e. if you see a 4 block semver, then you should compare it with 74.0.0.0 instead of 74.0.0).

Maybe @aaronlippold @em-c-rod @brett-w or @HenryXiaoHX have a better possible resolution.

@TSterling76
Copy link
Contributor Author

TSterling76 commented Sep 20, 2022

Could we leave this check blank for now? If we can't find a solution. @aaronlippold

@TSterling76
Copy link
Contributor Author

I'm not sure why these are failing @aaronlippold @Amndeep7

This reverts commit 5548f7e.
This reverts commit a6881a4.
This reverts commit 45b86cf.
This reverts commit db1b11d.
This reverts commit fe967ea.
This reverts commit 394cd85.
…ontrol, but also place us back before there was some experimentation to resolve issues that were happening. This commit is also a test to see if making the input a four block semver would resolve the immediate problem.

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
Copy link

Amndeep7 commented Oct 5, 2022

That key worked on my vm, but it seems like the registry key wasn't there on the github vm. I see why @TSterling76 used the registry key that he used (https://github.com/actions/runner-images/blob/main/images/win/scripts/Installers/Install-Chrome.ps1#L52), but that's not been working either. Need to continue to do research on how github is setting all the registry keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants