Improve ANSSI R28 #11626
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -80,9 +80,6 @@
RHEL-08-010543
[reference]:
-R28
-
-[reference]:
1.1.2.1.1
[reference]: |
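Review bot: The hunk drops the R28 reference from partition_for_tmp, but neither the hunk nor the commit text explains why a separate /tmp partition no longer maps to R28, while the PR rationale describes R28 as "clean after reboot or preferably tmpfs", which a separate partition wiped at boot would still meet. Please state in the commit message whether partition_for_tmp is leaving the ANSSI profile or only losing the R28 mapping in favour of the new tmp.mount rule, so the intent survives; the remaining '1.1.2.1.1' reference shows the rule itself is otherwise unaffected.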
From the CI results we can see that the new rule conflicts with accounts_polyinstantiated_tmp which is also a part of the ANSSI profile.
This template generates a check for systemd mount unit enablement.
This rule will check that the systemd tmp.mount unit is enabled. https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ We will add this rule to ANSSI R28 because it aligns with the requirement to clean after reboot or preferably be of type tmpfs.
We will not require the parent directory to exist; the OVAL test will also pass if the directory doesn't exist. It isn't mandatory to create the parent directory because when the directory doesn't exist, it gets created automatically by pam. However, if the parent directory exists, it must have the correct mode, otherwise the polyinstantiation will fail.
/packit retest-failed
Just one minor item.
linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
I have renamed the OCIL macro.
Sorry, just a few more things I noticed.
linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/oval/shared.xml
linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml
Co-authored-by: Matthew Burket <m@tthewburket.com>
Code Climate has analyzed commit 0aa4ad7 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.8% (0.0% change).
/packit retest-failed
Automatus passes locally
great!
Description:
Create new rule systemd_tmp_mount that checks if the systemd tmp.mount mount unit is enabled. This rule uses a new template that is also added by this PR.
This rule conflicts with the current implementation of the rule accounts_polyinstantiated_tmp because rule accounts_polyinstantiated_tmp requires the existence of the /tmp/tmp-inst directory and this directory is removed by the systemd tmp.mount mount unit during reboot. We will address this conflict by removing the requirement for the existence of /tmp/tmp-inst. We can do this because this directory is created automatically by pam if it doesn't exist. We will only check that if the directory exists it has the correct mode, to prevent failures of the polyinstantiation. For more details, please read the commit messages of all commits.
Rationale:
We will add this rule to ANSSI R28 because it aligns with the requirement to clean after reboot or preferably be of type tmpfs.
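The two checks this PR describes (tmp.mount enablement in the commit messages, and the relaxed /tmp/tmp-inst check in the description above), as an added shell audit that is not the project's template, OVAL or remediation content. It assumes that "enabled" means `systemctl is-enabled tmp.mount` reports enabled or static, that pam_namespace expects the instance parent directory to be root-owned with mode 000 (that requirement comes from namespace.conf(5), the PR only says "correct mode"), and that GNU stat is available; the function names are the example's own.

```shell
#!/bin/sh
# Added example; not ComplianceAsCode's template, OVAL or remediation for
# systemd_tmp_mount_enabled or accounts_polyinstantiated_tmp.
# Assumptions (not stated in the PR):
#   - a unit counts as enabled when `systemctl is-enabled` prints "enabled"
#     or "static"; the project's OVAL template may define this differently
#   - pam_namespace expects the instance parent directory to be owned by
#     root with mode 000 (namespace.conf(5))
#   - GNU stat(1) is available for the mode/owner lookup

# Policy for the unit state, kept apart from the systemctl call so it can
# be exercised on a box without systemd. 0 = counts as enabled.
unit_state_is_enabled() {
    case "$1" in
        enabled|static) return 0 ;;
        *)              return 1 ;;
    esac
}

# Live check: is tmp.mount enabled on this host?
check_tmp_mount_enabled() {
    state=$(systemctl is-enabled tmp.mount 2>/dev/null) || true
    unit_state_is_enabled "${state:-unknown}"
}

# Policy for an existing instance parent directory: octal mode as printed
# by `stat -c %a` (mode 000 prints as "0") and the numeric owner uid.
inst_dir_attrs_ok() {
    mode="$1"
    owner="$2"
    [ "$mode" = "0" ] && [ "$owner" = "0" ]
}

# The relaxed polyinstantiation check from the PR: a missing directory
# passes because pam_namespace creates it at login; an existing one must
# carry safe attributes or the per-session /tmp instance fails to set up.
check_tmp_inst_dir() {
    dir="${1:-/tmp/tmp-inst}"
    [ -e "$dir" ] || return 0
    [ -d "$dir" ] || return 1
    inst_dir_attrs_ok "$(stat -c '%a' "$dir")" "$(stat -c '%u' "$dir")"
}

# Remediation for the first check (the project's own fix may differ).
remediate_tmp_mount() {
    systemctl unmask tmp.mount && systemctl enable tmp.mount
}

run_audit() {
    rc=0
    if check_tmp_mount_enabled; then
        echo "PASS tmp.mount is enabled"
    else
        echo "FAIL tmp.mount is not enabled (fix: remediate_tmp_mount)"
        rc=1
    fi
    if check_tmp_inst_dir /tmp/tmp-inst; then
        echo "PASS /tmp/tmp-inst absent, or root-owned with mode 000"
    else
        echo "FAIL /tmp/tmp-inst exists with unsafe owner or mode"
        rc=1
    fi
    return $rc
}

# Only touch the live system when invoked as: sh audit_tmp.sh audit
if [ "${1:-}" = "audit" ]; then
    run_audit
fi
```

Running it with the `audit` argument reports both rules the way the PR pairs them: enabling tmp.mount gives a tmpfs /tmp that is wiped at boot, and the directory check no longer fails merely because that wipe removed /tmp/tmp-inst.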