Debian13 20260702#14851
Conversation
|
Hi @a-skr. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Tip We noticed you've done this a few times! Consider joining the org to skip this step and gain Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Change in Ansible Please consider using more suitable Ansible module than |
|
Change in Ansible Please consider using more suitable Ansible module than |
| - l1_server | ||
| - l1_workstation | ||
| rules: | ||
| - var_password_hashing_algorithm_pam=yescrypt |
There was a problem hiding this comment.
The CIS Benchmark allows both SHA512 and yescrypt. You should create and select value that allows both ciphers, see linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var how we did that for RHEL 10.
There was a problem hiding this comment.
will be fixed with next commits
| levels: | ||
| - l2_server | ||
| - l2_workstation | ||
| rules: |
There was a problem hiding this comment.
will be fixed with next commits
| - file_permissions_var_log_gdm | ||
| - file_permissions_var_log_gdm3 | ||
| - file_permissions_var_log_lastlog | ||
| - file_permissions_var_log_cloud-init |
There was a problem hiding this comment.
file_permissions_var_log_cloud-init appears twice
There was a problem hiding this comment.
will be fixed with next commits
| status: automated | ||
|
|
||
| - id: 2.1.16 | ||
| title: Ensure tftp server services are not in use (Automated) |
There was a problem hiding this comment.
The requirement 2.1.16 should be about telnet
2.1.16 Ensure telnet-server services are not in use (Automated)
There was a problem hiding this comment.
it will be fixed in next commits, along with the related rules. That includes updating some template files to handle virtual debian packages properly.
| - l1_server | ||
| - l1_workstation | ||
| rules: | ||
| - sshd_strong_macs=cis_debian12 |
There was a problem hiding this comment.
I'd suggest creating a special selector for Debian 13 even if that would have the same value.
There was a problem hiding this comment.
will be fixed with next commits.
| - id: 3.3.1. | ||
| title: Ensure is configured (Automated) |
There was a problem hiding this comment.
Suspicious. Please remove this item.
There was a problem hiding this comment.
will be fixed with next commits.
| status: automated | ||
|
|
||
| - id: 7.1.4 | ||
| title: Ensure paccess to /etc/group- is configured (Automated) |
There was a problem hiding this comment.
will be fixed with next commits.
| status: pending | ||
|
|
||
| - id: 3.3.2.1 | ||
| title: Ensure Ensure net.ipv6.conf.all.forwarding is configured (Automated) |
There was a problem hiding this comment.
will be fixed with next commits.
jan-cerny
left a comment
There was a problem hiding this comment.
The CI fails can be observed also in other PRs and they aren't caused by contents of this PR.
Wires the Debian 13 test-suite container (added in #14851) and the debian13 product into CI: on PRs touching content, build the ssg-debian13-ds.xml datastream, then run the affected rules against a debian:13 target with bash and ansible remediation — mirroring the existing automatus-debian12 workflow (only product/datastream names differ). Validated locally: Dockerfiles/test_suite-debian13 builds on debian:13 with openscap-scanner 1.4.2, and ./build_product debian13 produces build/ssg-debian13-ds.xml. Signed-off-by: rrskris <rrskris@gmail.com>
Description: