create_srg_export: Enable reading check and fix from controls even if they have rules listed #10769
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
@Mab879 are you OK with this approach? |
|
/packit rebuild-failed |
utils/create_srg_export.py
Outdated
| old["SRGID"] = old["SRGID"] + "," + new["SRGID"] | ||
|
|
||
|
|
||
| def extend_results(results: list, rows: list, prefer_controls: bool) -> list: |
There was a problem hiding this comment.
The return type list doesn't match the None returned by this method.
There was a problem hiding this comment.
thanks, I refactored the code but forgot to refactor the signature
utils/create_srg_export.py
Outdated
| return True | ||
|
|
||
|
|
||
| def merge_rows(old: dict, new: dict): |
There was a problem hiding this comment.
| def merge_rows(old: dict, new: dict): | |
| def merge_rows(old: dict, new: dict) -> None: |
There was a problem hiding this comment.
suggestion taken, thanks
|
@Mab879 does this patch look any better now? |
utils/create_srg_export.py
Outdated
|
|
||
| # We didn't find any match, so we just add the row as new | ||
| results.extend(rows) | ||
|
|
There was a problem hiding this comment.
Please remove the spaces on line 427.
| @@ -7,4 +7,62 @@ controls: | |||
| rules: | |||
| - audit_rules_sysadmin_actions | |||
| - audit_rules_usergroup_modification | |||
| check: |- | |||
| Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect ""/etc/shadow"". | |||
There was a problem hiding this comment.
| Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect ""/etc/shadow"". | |
| Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". |
There was a problem hiding this comment.
oops, thanks. I was grabbing this data from the spreadsheet with a script and for some reason the script read double quotes from the spredsheet..gotta fix that. Thanks!
…om the control over rules The OCP4 STIG if a bit of an weird case. First, it mixes OCP4 and RHCOS controls into a single stig and second, because of how the MachineConfig remediations are not exactly user-friendly, we often lumped several MachineConfigs from several rules into a single SRG row in the STIG spreadsheet. The current script presumes that every rule would emit a single row in the sheet and that every rule's policy would be used exactly ones. The most straightforward way of solving this is to just put the checks and the fixes in the controls and then let the script optionally, with a new command line flag that this patch adds, prefer those over policy files. That way, we can have a single row even if the control specifies several rules. Additionally, because the current script presumes that rows whose check and fix are read from the control files are either NA or IM and should be separate in the resulting sheet, the script implements a rudimentary deduplication of duplicate rows. This behaviour is opt-in and would only be used by the OCP4 STIG for the time being.
To enable the create_srg_export to create a single row for these SRGs and later dedup them, let's add the check and the fix to the controls directly.
Mab879
added
Infrastructure
|
Code Climate has analyzed commit 6f5b204 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.5% (0.0% change). View more on Code Climate. |
|
For now, I don't think it's worth fix the last code climate issues. |
Description:
The OCP4 STIG if a bit of an weird case. First, it mixes OCP4 and RHCOS
controls into a single stig and second, because of how the MachineConfig
remediations are not exactly user-friendly, we often lumped several
MachineConfigs from several rules into a single SRG row in the STIG
spreadsheet.
The current script presumes that every rule would emit a single row in
the sheet and that every rule's policy would be used exactly ones. The
most straightforward way of solving this is to just put the checks and
the fixes in the controls and then let the script optionally, with a new
command line flag that this patch adds, prefer those over policy files.
That way, we can have a single row even if the control specifies several
rules.
Additionally, because the current script presumes that rows whose check
and fix are read from the control files are either NA or IM and should
be separate in the resulting sheet, the script implements a rudimentary
deduplication of duplicate rows.
This behaviour is opt-in and would only be used by the OCP4 STIG for
the time being.
The other patches actually add check and fix to several control files and
enable the new flag for SRG export in GH actions for the OCP4 product.
Rationale:
Review Hints: