Prevent unqualified CIS and STIGID references #6871
Conversation
cipherboy
added
enhancement
|
Hello @cipherboy! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found: There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻 Comment last updated at 2021-04-23 13:02:23 UTC |
|
Changes identified: Show detailsOthers: Recommended tests to execute: |
cipherboy
force-pushed
the
prevent-unqualified-cis-references
branch
from
641ea53
to
f89770b
Compare
|
/retest |
linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml
Outdated
Show resolved
Hide resolved
|
Thanks for checking the RHEL references, @yuumasato! |
|
I'm checking the rest. I think I submitted the review by accident. |
|
Tip, when in "Changed files" tab, you can batch the approval of suggestions. Edited for clarity. |
linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
Outdated
Show resolved
Hide resolved
..._os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
Outdated
Show resolved
Hide resolved
..._configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
Outdated
Show resolved
Hide resolved
...configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
Outdated
Show resolved
Hide resolved
...onfigure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
Outdated
Show resolved
Hide resolved
|
@brett060102 @teacup-on-rockingchair @freddieRv @iokomin Hi, just a heads up that this will affect some CIS references for some rules available for OL and SLE. |
Per discussion on ComplianceAsCode#6416, I don't think it is generally valid to have a unqualified (by product) CIS reference identifier. While there is a hierarchy to the CIS benchmarks (from General Linux to e.g., Debian Family to e.g., Ubuntu), references aren't necessarily the same across families (e.g., Ubuntu to RHEL) and order of the sections can differ significantly. The same holds for STIG: unless a product undergoes STIG certification (thus assigning rules a specific STIG ID for the product), we shouldn't reuse one product's STIG IDs for other, unrelated products. In the future, we might want to offer a "hybrid" form (e.g., cis@ubuntu) applying to all versions of a product, but otherwise I think this is the best route to go. Start enforcing this at build time, to ensure we (and other contributors) don't accidentally undo this work in the future. Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
Mostly this has been replaced with rhel7/rhel8 references (my apologies to the SUSE and Oracle contributors), but one Fedora-specific and one OL-specific rule was caught and fixed appropriately. Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
cipherboy
force-pushed
the
prevent-unqualified-cis-references
branch
from
b41263f
to
1bd59f5
Compare
These fix up various CIS identifiers in RHEL 7 and RHEL 8 content. Co-authored-by: Watson Yuuma Sato <wsato@redhat.com> Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
cipherboy
force-pushed
the
prevent-unqualified-cis-references
branch
from
1bd59f5
to
f9b0e28
Compare
|
I guess the only other question I have left is, do we want this as part of build or as part of test suite? It seems easy enough to add it here during build and enforces logic we already had, so I'm inclined to leave it as submitted in this PR. |
linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/rule.yml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I guess the only other question I have left is, do we want this as part of build or as part of test suite? It seems easy enough to add it here during build and enforces logic we already had, so I'm inclined to leave it as submitted in this PR.
Yeah, I'd rather check this during build time. The sooner the better.
linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/rule.yml
Outdated
Show resolved
Hide resolved
…nstalled/rule.yml Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
/retest |
|
Seems OCP infra is having issues deploying clusters for testing :/ |
|
/retest |
|
All products build and pass CI. |
Description:
Prevent unqualified CIS and STIGID references just about sums it up. A couple of rules have unqualified CIS references; this removes them and enforces it at build time.
Rationale:
See also: comment thread on #6416.