Introduce CCN profiles for RHEL9 #10860
Conversation
Two rules in related_rules were not included in A.11.SEC-RHEL3 because they were already included in previous requirements.
package_cryptsetup-luks_installed rule should be enough to complete this requirement but it was not yet tested in RHEL9. It can be done in a separate PR.
enable_authselect and dconf_db_up_to_date are special rules used to ensure the system is using the tools necessary for other rules. It was included CCN references from requirements where these impacted rules mentioned at the first time.
A.30.SEC-RHEL1 requirements asks the value of 8 for var_accounts_passwords_pam_faillock_deny variable.
A.5.SEC-RHEL5 requirement asks different values for the var_accounts_maximum_age_login_defs and var_accounts_password_warn_age_login_defs variables.
marcusburghardt
added
Highlight
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
|
|
I will take a look in these product stability tests and try restrict the changes to rhel9 only. |
Currently, the RHEL9 is the only product using the CCN policy.
Done |
|
Code Climate has analyzed commit 4d16377 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.0% change). View more on Code Climate. |
| @@ -242,6 +242,9 @@ | |||
| anssi=Reference( | |||
| id="anssi", name="ANSSI", url=anssi_ns, | |||
| regex_with_groups=r"BP28\(R(\d+)\)"), | |||
| ccn=Reference( | |||
| id="ccn", name="CCN", url="", | |||
| regex_with_groups=r"A.(\d+).SEC-RHEL(\d+)"), | |||
There was a problem hiding this comment.
This fine for now, but if other products (SUSE, etc) need a CCN reference we will need to change this.
Description:
The #10801 introduced a new control file for CCN Policy for RHEL9.
This PRs reviewed all
related_rulesin the planned items, included the CCN reference in these rules, moved them torulesand updated the requirementstatus.Finally, it was created three new profiles for RHEL9, each based on a CCN level:
At this initial version, about 70% of the requirements are automated.
Rationale:
New profile to attend RHEL9 users interested in
CCN-STIC-610A22Review Hints:
I carefully ensured that only rules already enabled for RHEL9 and used in other common profiles, like CIS and STIG, were included in this initial version. That way we can have stable profiles much less prone to unexpected issues.
I recommend to review this PR in two steps.
First we can check if the profiles are working as expected:
2.1. This is to disable some rules which cause issues in the test environment.
rhel9VM:3.1. ./tests/automatus.py profile --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using bash ccn_advanced
3.2. ./tests/automatus.py profile --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using bash ccn_intermediate
3.3. ./tests/automatus.py profile --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --remediate-using bash ccn_basic
The second step would be to check the references included in the rules.
For this step the best approach is to check commit by commit, individually.
Don't be scared by the number of commits. They are quite small and are separated for better organization, with a better review experience in mind. ;)