change sshd rekey limit to 1G 1 hour in rhel8 ospp #5782

Merged
merged 3 commits into from Jun 1, 2020

vojtapolasek
Collaborator

Description:

Add 1G to the var_rekey_limit_size.
Add changes to ospp.
Do not propagate changes to derived stig profile.

Rationale:

CC requirements.

@vojtapolasek vojtapolasek added this to the 0.1.51 milestone May 25, 2020
@matejak
Member

matejak commented May 26, 2020

/retest

@JAORMX
Contributor

JAORMX commented May 27, 2020

/retest

@@ -44,3 +44,6 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- sshd_rekey_limit
- var_rekey_limit_size=512M
- var_rekey_limit_time=1hour
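
Review bot: The `var_rekey_limit_size=512M` selection in this hunk does not match the 1G named in the PR title and description. If the value is deliberately kept at 512M here (the description mentions not propagating the change to the derived stig profile), add a comment next to the selection saying so, so the difference from OSPP reads as intentional; otherwise set it to `var_rekey_limit_size=1G` alongside `var_rekey_limit_time=1hour`.
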
Contributor

I am fine with keeping the OSPP variable changes in the STIG profile because it is such an incredibly minor change and not a drastic change.

@vojtapolasek
Collaborator Author

I propagated the change into stig profile.

@mildas
Contributor

mildas commented May 28, 2020

Changes identified:
Profile ospp on rhel8:
 Rule removed from ospp profile.
 Rule added to ospp profile.
Profile cui on rhel8:
 CUI profile extends changed OSPP profile.
Profile stig on rhel8:
 STIG profile extends changed OSPP profile.
Profile rhelh-stig on rhel8:
 RHELH-STIG profile extends changed STIG profile.
Profile rhelh-vpp on rhel8:
 RHELH-VPP profile extends changed OSPP profile.
Profile ospp-mls on rhel8:
 OSPP-MLS profile extends changed OSPP profile.
Profile ospp on tests:
 Rule removed from ospp profile.
 Rule added to ospp profile.
Profile stig on tests:
 Rule added to stig profile.
 Rule removed from stig profile.

Recommended tests to execute:
 build_product rhel8
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp-mls
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-vpp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml cui
 build_product tests
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-tests-ds.xml ospp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-tests-ds.xml stig

@vojtapolasek
Collaborator Author

/retest

@openshift-ci-robot
Collaborator

@vojtapolasek: The following test failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/e2e-aws-e8 | 6623ece | link | /test e2e-aws-e8 |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yuumasato yuumasato self-assigned this Jun 1, 2020
Member

@yuumasato yuumasato left a comment

Looks good to me.
See also #5782 (comment)

@yuumasato yuumasato merged commit e8b620b into ComplianceAsCode:master Jun 1, 2020
wcushen pushed a commit to wcushen/content that referenced this pull request Jun 24, 2020
…5782)

* Change rekey limit to 1G 1h in rhel8 OSPP and let change propagate to STIG 
* Update stable ospp profile