Update existing rule for RHEL-08-020320 #7303
Conversation
Mab879
added
DISA RHEL8 STIG Alignment
Update Rule
Mab879
force-pushed
the
RHEL-08-020320
branch
3 times, most recently
from
da0a600
to
ffd88d2
Compare
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
| # platform = multi_platform_sle,multi_platform_rhel | |||
| # reboot = false | |||
| # strategy = restrict | |||
| # complexity = low | |||
There was a problem hiding this comment.
This seem low to me, do we want to raise it to medium or high? Looking for more guidance on this.
There was a problem hiding this comment.
I don't know how to answer this. Following the documentation here it indicates it's just informative and there is no real impact on anything. This is translated into ansible tags but I doubt people are actually using this meta information in any way.
The estimated complexity or difficulty of applying the fix to the target. Only informative for now
There was a problem hiding this comment.
My issue is that without tailoring this rule will cause issues when remediated. Setting disruption to medium or high might be good idea or add warning like in some other rules.
There was a problem hiding this comment.
I agree. You can add a warning to the rule.yml similar as it's done in: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml#L14
There was a problem hiding this comment.
The more I think about it, just deleting users doesn't sit right with me, do want to disable remediation by default?
There was a problem hiding this comment.
The more I think about it, just deleting users doesn't sit right with me, do want to disable remediation by default?
Why?
There was a problem hiding this comment.
By default this will delete all user added local users on the box, for a new system that is fine, but for existing systems this will be highly distributive.
There was a problem hiding this comment.
OK, so please remove it. Also, please make sure that the test scenarios will pass.
Mab879
force-pushed
the
RHEL-08-020320
branch
2 times, most recently
from
23e0a78
to
ffd88d2
Compare
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
| # platform = multi_platform_sle,multi_platform_rhel | |||
| # reboot = false | |||
| # strategy = restrict | |||
| # complexity = low | |||
There was a problem hiding this comment.
OK, so please remove it. Also, please make sure that the test scenarios will pass.
|
unfortunately we've got some conflicting files, could you fix that? |
|
@jan-cerny Done, thanks for pointing that you. |
...os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
Outdated
Show resolved
Hide resolved
|
@Mab879: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
changes look good... I just wonder if we are using the correct users in the regex. From the STIG, it states that:
And in the default RHEL8 there is an account called |
I have found a few discussions around this topic. It's not conclusive and mostly system users are legacy. Since there is a XCCDF variable for users allowed, we can move forward with this. The user's list can be tailored according to the need. |
marcusburghardt
added
RHEL8
Description:
Add to profile, clean up, add tests, and moved the rule to a better location. Keeping under SAP did not seem like a good idea.
Rationale: