Fixes related to SLE 12/15 for the rules set_min/max_life_existing #10173

Contributor

@rumch-se rumch-se commented Feb 6, 2023

Description:

  • Fixes in bash/ansible and rule part of 2 SLE 12/15 rules

Rationale:

  • Fixes cover the following common issues in SLE 12/15 rules accounts_password_set_max_life_existing and accounts_password_set_min_life_existing:
    1) The rules as they exist do not update all rows (all accounts) in /etc/shadow.
    2) When the PAM module is active on the OS, the session token expires during the execution of the rules.
    3) The rules.yml files do not present the fact that the rule is applicable for all users.
    4) The realization of the rules had differences: for example, in both cases we have variables, but in one of the rules the variable was not used. In general, in both cases the approach should be similar.
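
For the first issue in the description above (not every row of /etc/shadow being updated), an audit that lists the rows still outside the policy after remediation. This is an added example, not code from this PR or from ComplianceAsCode; the function names, the policy values 1 and 60, and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): report every row of a shadow-format file
# whose password-aging fields miss the policy. Layout per shadow(5):
#   1 name : 2 hash : 3 last change : 4 min days : 5 max days : ...
# Usage: audit_shadow_aging FILE MIN_DAYS MAX_DAYS   (FILE may be "-" for stdin)
audit_shadow_aging() {
    awk -F: -v min="$2" -v max="$3" '
        {
            bad = ""
            # An empty minimum field means no minimum age, i.e. 0 days
            minv = ($4 == "") ? 0 : $4 + 0
            if (minv < min)
                bad = bad " min=" ($4 == "" ? "unset" : $4)
            # An empty maximum field means the password never expires
            if ($5 == "" || $5 + 0 > max)
                bad = bad " max=" ($5 == "" ? "unset" : $5)
            # Every row is checked, including locked and system accounts
            if (bad != "") print $1 ":" bad
        }
    ' "$1"
}

# Constructed sample entries; the hashes are placeholders, not real values
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hashA:19000:0:99999:7:::
alice:$6$constructed$hashB:19000:1:60:7:::
bob:$6$constructed$hashC:19000:1:90:7:::
daemon:*:19000:0:99999:7:::
carol:!$6$constructed$hashD:19000:0:99999:7:::
dave:$6$constructed$hashE:19000::60:7:::
EOF
}

# Policy assumed for the demonstration: minimum 1 day, maximum 60 days
sample_shadow | audit_shadow_aging - 1 60
```

On a real system the function is pointed at /etc/shadow as root, with the values the profile sets for the two login.defs variables.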

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Feb 6, 2023

openshift-ci bot commented Feb 6, 2023

Hi @rumch-se. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


github-actions bot commented Feb 6, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -1,5 +1,6 @@
 
 var_accounts_maximum_age_login_defs=''
+
 
 
 while IFS= read -r i; do
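
Review bot: the only added line, directly after var_accounts_maximum_age_login_defs='', is empty, so it leaves three consecutive blank lines before the `while IFS= read -r i; do` loop and makes the generated remediation differ with no change in behaviour. Dropping the stray newline from the bash template would keep the datastream diff for this rule empty.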

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
@@ -1,5 +1,6 @@
 
 var_accounts_minimum_age_login_defs=''
+
 
 
 while IFS= read -r i; do
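
Review bot: var_accounts_minimum_age_login_defs is assigned '' directly above the `while IFS= read -r i; do` loop in this generated view, and nothing visible in the hunk checks the value before the loop starts. If the loop passes it to a password-aging command, a check before the loop that it is a non-empty integer would make the remediation fail once, early, instead of once per account. The added line itself is whitespace only.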


github-actions bot commented Feb 6, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

@@ -11,13 +11,18 @@
register: user_names

- name: Change the maximum time period between password changes
{{% if product not in ["rhel7", "ol7"] %}}
{{% if product in ["rhel7", "ol7","sle12","sle15"] %}}
{{% if product in ["rhel7", "ol7"] %}}
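
Review bot: the list in `{{% if product in ["rhel7", "ol7","sle12","sle15"] %}}` is spaced inconsistently and repeats "rhel7" and "ol7" from the condition nested directly under it, so adding or removing a product later means touching two conditions. Testing `product in ["rhel7", "ol7"]` first and giving the SLE products their own branch would name each product once.
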
Collaborator


I think you can avoid nesting conditions and have an if-elif instead.

register: user_names

- name: Change the minimum time period between password changes
{{% if product not in ["sle12", "sle15"] %}}
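
Review bot: `{{% if product not in ["sle12", "sle15"] %}}` selects the non-SLE branch by exclusion, while the maximum-age task in this same PR is keyed on `product in [...]` lists, so the two tasks no longer read the same way. Naming the handled products positively in both templates, with the branches in the same order, would keep the two rules easy to compare.
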
Collaborator


I would prefer the opposite condition instead of using a negative condition.

@marcusburghardt marcusburghardt added SLES SUSE Linux Enterprise Server product related. Update Rule Issues or pull requests related to Rules updates. labels Feb 8, 2023
Contributor Author

rumch-se commented Feb 8, 2023

Hello @jan-cerny
Thank you for your feedback.
The proposed corrections were done.
Have a nice day
Rumen


codeclimate bot commented Feb 9, 2023

Code Climate has analyzed commit c2dfe8a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (2.2% change).


@jan-cerny jan-cerny self-assigned this Feb 10, 2023
@jan-cerny jan-cerny added this to the 0.1.67 milestone Feb 10, 2023
@jan-cerny jan-cerny merged commit 772ea9d into ComplianceAsCode:master Feb 10, 2023