Change applicability of rules configuring idle session timeouts (going to master branch) #10149

Merged
merged 14 commits into from Jan 31, 2023

Conversation

vojtapolasek
Collaborator

This is a port of #10127 to the master branch.

Original description and rationale follow.

Description:

  • create new OVAL definition checking if installed OS is RHEL
  • create three new platforms checking if RHEL >= 8.7, if RHEL <= 8.5 and RHEL == 9.0
  • use these platforms to limit applicability of logind_session_timeout and sshd_set_idle_timeout

Rationale:

The Systemd feature which can configure session idle timeout is not present in all RHEL releases, therefore the rule does not apply in some cases. To be exact, the feature works only in 9.1 and up and 8.7 and up.
Also the SSH configuration used by sshd_set_idle_timeout has effect only in some cases. It works only up to 8.5.

Testing hints:

  • build RHEL 8 and RHEL 9 content
  • test the following (you can artificially modify RHEL version by editing the ID within /etc/os-release):
      • logind_session_timeout should apply on 8.7 and higher with exception of 9.0
      • sshd_set_idle_timeout should be applicable on 8.5 and lower.
      • consequently, none of these rules would be applicable on 8.6.

@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. Update Profile Issues or pull requests related to Profiles updates. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related. OSPP OSPP benchmark related. pci-dss labels Jan 31, 2023
@vojtapolasek vojtapolasek added this to the 0.1.67 milestone Jan 31, 2023
@vojtapolasek vojtapolasek requested a review from a team as a code owner January 31, 2023 13:27
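
The applicability matrix from the description above, as an added example (not code from this pull request or from the ComplianceAsCode project): it reads `ID` and `VERSION_ID` from os-release text and reports which of the two rules applies on a RHEL host. Comparing `VERSION_ID` is an assumption of this sketch, as are the function names and the constructed sample; versions are compared as integer tuples so that 8.10 sorts after 8.7.

```python
"""Added illustration of the rule applicability described in this PR."""

# Constructed sample of /etc/os-release content (not taken from the PR).
SAMPLE_OS_RELEASE = '''\
NAME="Red Hat Enterprise Linux"
VERSION="8.6 (Ootpa)"
ID="rhel"
VERSION_ID="8.6"
'''


def parse_os_release(text):
    """Parse os-release KEY=value lines, stripping optional quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip("\"'")
    return fields


def version_tuple(version_id):
    """Turn "8.10" into (8, 10); a float or string compare would misorder it."""
    parts = version_id.split(".")
    major = int(parts[0])
    # Assumption: a missing minor component is treated as 0.
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor)


def applicable_rules(os_release_text):
    """Return {rule: bool} for a RHEL host, or None if the host is not RHEL."""
    fields = parse_os_release(os_release_text)
    if fields.get("ID") != "rhel":
        return None  # only the RHEL cases from the PR are modelled here
    version = version_tuple(fields["VERSION_ID"])  # assumed field
    return {
        # works on 8.7 and up, with the exception of 9.0
        "logind_session_timeout": version >= (8, 7) and version != (9, 0),
        # has effect only up to 8.5
        "sshd_set_idle_timeout": version <= (8, 5),
    }


if __name__ == "__main__":
    print(applicable_rules(SAMPLE_OS_RELEASE))
```
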
@github-actions

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@codeclimate

codeclimate bot commented Jan 31, 2023

Code Climate has analyzed commit ab1c96d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.5% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 self-assigned this Jan 31, 2023
@Mab879
Member

Mab879 commented Jan 31, 2023

/packit retest-failed

@Mab879
Member

Mab879 commented Jan 31, 2023

/retest

@openshift-ci

openshift-ci bot commented Jan 31, 2023

@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ocp4-high-node ab1c96d link true /test e2e-aws-ocp4-high-node
ci/prow/e2e-aws-ocp4-cis-node ab1c96d link true /test e2e-aws-ocp4-cis-node
ci/prow/e2e-aws-rhcos4-high ab1c96d link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate ab1c96d link true /test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@Mab879 Mab879 merged commit b4504af into ComplianceAsCode:master Jan 31, 2023
@yuumasato yuumasato added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label Feb 7, 2023
@yuumasato yuumasato modified the milestones: 0.1.67, 0.1.66 Feb 10, 2023
Labels
backported-into-stabilization PRs which were cherry-picked during stabilization process. bugfix Fixes to reported bugs. OSPP OSPP benchmark related. pci-dss RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates. Update Rule Issues or pull requests related to Rules updates.