Update existing rule for RHEL-08-020320 #7303
da0a600 to ffd88d2
@@ -1,4 +1,4 @@ | |||
# platform = multi_platform_sle | |||
# platform = multi_platform_sle,multi_platform_rhel | |||
# reboot = false | |||
# strategy = restrict | |||
# complexity = low |
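Review bot: the header lines in this hunk carry no `# disruption` key next to `# complexity = low`, and the platform line now extends this remediation to `multi_platform_rhel`. If applying the fix without tailoring can affect existing accounts on those systems, state that in the header metadata or in a warning in the rule's rule.yml, so the impact is visible before the remediation is run.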
This seems low to me, do we want to raise it to medium or high? Looking for more guidance on this.
I don't know how to answer this. Following the documentation here it indicates it's just informative and there is no real impact on anything. This is translated into Ansible tags but I doubt people are actually using this meta information in any way.
> The estimated complexity or difficulty of applying the fix to the target. Only informative for now
My issue is that without tailoring this rule will cause issues when remediated. Setting disruption to medium or high might be a good idea, or add a warning like in some other rules.
I agree. You can add a warning to the rule.yml similar to how it's done in: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml#L14
The more I think about it, just deleting users doesn't sit right with me, do we want to disable remediation by default?
> The more I think about it, just deleting users doesn't sit right with me, do we want to disable remediation by default?

Why?
By default this will delete all user-added local users on the box. For a new system that is fine, but for existing systems this will be highly disruptive.
OK, so please remove it. Also, please make sure that the test scenarios will pass.
23e0a78 to ffd88d2
@@ -1,4 +1,4 @@ | |||
# platform = multi_platform_sle | |||
# platform = multi_platform_sle,multi_platform_rhel | |||
# reboot = false | |||
# strategy = restrict | |||
# complexity = low |
Unfortunately we've got some conflicting files, could you fix that?
@jan-cerny Done, thanks for pointing that out.
...os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
@Mab879: The following tests failed, say
changes look good... I just wonder if we are using the correct users in the regex. From the STIG, it states that:
And in the default RHEL8 there is an account called
I have found a few discussions around this topic. It's not conclusive and mostly system users are legacy. Since there is an XCCDF variable for users allowed, we can move forward with this. The user's list can be tailored according to the need.
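A read-only way to preview which accounts fall outside an authorized-users regex before any remediation is applied, added here as an example and not code from this PR or from the ComplianceAsCode project. It assumes the rule compares each account name in /etc/passwd against the regex; the function names, the sample passwd content and the pattern `root|bin|daemon` are constructed for illustration.

```shell
#!/bin/sh
# Dry run only: nothing here modifies or deletes an account.

# Print every account name in a passwd-format file that does NOT fully
# match the authorized-users regex (an ERE).
# Usage: list_unauthorized_users REGEX [PASSWD_FILE]
list_unauthorized_users() {
    regex=$1
    passwd_file=${2:-/etc/passwd}
    if [ -z "$regex" ] || [ ! -r "$passwd_file" ]; then
        echo "usage: list_unauthorized_users REGEX [PASSWD_FILE]" >&2
        return 2
    fi
    # Anchor the pattern so that "root" does not also authorize "root2".
    # ENVIRON is used instead of -v so backslashes in the regex reach awk
    # unchanged.
    AUTH_RE="^(${regex})\$" awk -F: '
        $1 == "" { next }                      # skip blank lines
        $1 !~ ENVIRON["AUTH_RE"] { print $1 }  # name is not authorized
    ' "$passwd_file"
}

# Constructed sample data, not taken from a real system.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
root2:x:1001:1001::/home/root2:/bin/bash
EOF
}

# Demo against the constructed file: prints alice and root2, one per line.
sample=$(mktemp)
write_sample_passwd "$sample"
list_unauthorized_users 'root|bin|daemon' "$sample"
rm -f "$sample"
```

Run it with the tailored value of the XCCDF variable against the real /etc/passwd to see which accounts a remediation based on that value would treat as unauthorized.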
Description:
Add to profile, clean up, add tests, and move the rule to a better location. Keeping it under SAP did not seem like a good idea.
Rationale: