Add automation to enable faillock rules #11458

Merged

@Xeicker Xeicker commented Jan 18, 2024

Description:

  • Add OVAL, bash and ansible for rules account_password_pam_faillock_system_auth
    & account_password_pam_faillock_password_auth
  • Add these rules to OL8 STIG profile, and add STIG IDs for OL8 to the rules
  • Add tests for these rules

Rationale:

  • These are a better fit for the mentioned OL8 STIG ids

@Xeicker Xeicker requested a review from a team as a code owner January 18, 2024 21:46
openshift-ci bot commented Jan 18, 2024

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jan 18, 2024
This datastream diff is auto generated by the check Compare DS/Generate Diff

New data stream adds OVAL for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
New data stream adds OVAL for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.

@marcusburghardt marcusburghardt self-assigned this Jan 24, 2024
@marcusburghardt marcusburghardt added Update Rule Issues or pull requests related to Rules updates. Oracle Linux Oracle Linux product related. labels Jan 24, 2024
@marcusburghardt marcusburghardt left a comment

Good contribution. We only need to extend the OVAL to more precisely assess the pam_faillock implementation.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jan 28, 2024
@marcusburghardt marcusburghardt left a comment

Thanks for the OVAL extension @Xeicker. The rules are working fine. There is a conflict to be solved before we can merge it. So I would ask you to also review the indentation used in OVAL, please. It's minor stuff but would be good to take a look since you need to resolve the conflict anyway.

Add OVAL, bash and ansible to account_password_pam_faillock_system_auth
& account_password_pam_faillock_password_auth

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Add rules account_password_pam_faillock_system_auth &
account_password_pam_faillock_password_auth to OL8 STIG profile, and
assign the mentioned STIG ids as references

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Rules account_password_pam_faillock_system_auth
& account_password_pam_faillock_password_auth

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

account_password_pam_faillock_system_auth &
account_password_pam_faillock_password_auth missed this info

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

The rules account_password_pam_faillock_system_auth &
account_password_pam_faillock_password_auth need to check more items
to be considered pass

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Jan 29, 2024
account_password_pam_faillock_system_auth &
account_password_pam_faillock_password_auth

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
codeclimate bot commented Jan 29, 2024

Code Climate has analyzed commit fd0e6ef and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).


@marcusburghardt marcusburghardt left a comment

Thanks @Xeicker

@marcusburghardt

Overriding CODEOWNERS since an Oracle maintainer is not currently available.

@marcusburghardt marcusburghardt merged commit dd1b746 into ComplianceAsCode:master Jan 30, 2024
39 of 42 checks passed
@Mab879 Mab879 added this to the 0.1.73 milestone May 16, 2024