
Enable the RHEL9 prodtype for rules that are expected to work the same on that system #6890

Merged
merged 12 commits into from May 5, 2021

Conversation

matejak
Member

@matejak matejak commented Apr 26, 2021

The utils/mod_prodtype.py has been used to insert the RHEL9 prodtype, and it reorders the list by the lexicographical order.

Individual commits contain additional information regarding why a set of rules got enabled.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress label (Used by openshift-ci bot.) Apr 26, 2021
@openshift-ci-robot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@matejak matejak added this to the 0.1.56 milestone Apr 26, 2021
@cipherboy
Contributor

@matejak Are you building a RHEL-9 profile and adding the rules to that or do you work the other way (add prodtype to rules and then collect relevant rules into a profile)? I have a utility I use to parse a profile (mentioned on #6889) that then automatically adds the prodtype to all rules mentioned in the profile --- I could look into upstreaming it if it'd be useful.

@matejak
Member Author

matejak commented Apr 26, 2021

Right now, we proceed by components - whenever we think a component is RHEL9-ready, we flip its rules to be applicable. As more rules get enabled, we will go in the opposite direction as well - making sure that a profile is rule-complete.

@cipherboy
Contributor

Cool, thanks @matejak :) Always interested to see how different people use it :)

@matejak matejak marked this pull request as ready for review April 28, 2021 14:17
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress label (Used by openshift-ci bot.) Apr 28, 2021
@jan-cerny
Collaborator

The Jenkins CI and other CIs don't build the RHEL 9 content.

When I build it locally (./build_product rhel9) I get this error:

Traceback (most recent call last):
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/relabel_ids.py", line 65, in <module>
    main()
  File "/home/jcerny/work/git/scap-security-guide/build-scripts/relabel_ids.py", line 49, in main
    oval_linker.link()
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_renumber.py", line 126, in link
    self._link_oval_tree()
  File "/home/jcerny/work/git/scap-security-guide/ssg/build_renumber.py", line 150, in _link_oval_tree
    raise RuntimeError("\n".join(msg))
RuntimeError: Following extending definitions are missing:
	'package_bind_removed' needed by: ['configure_bind_crypto_policy']
	'package_libreswan_installed' needed by: ['configure_libreswan_crypto_policy']
make[2]: *** [rhel9/CMakeFiles/generate-internal-rhel9-linked-xccdf-oval-ocil.xml.dir/build.make:85: rhel9/xccdf-linked.xml] Error 1
make[1]: *** [CMakeFiles/Makefile2:1454: rhel9/CMakeFiles/generate-internal-rhel9-linked-xccdf-oval-ocil.xml.dir/all] Error 2
make: *** [Makefile:170: all] Error 2
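The build error above comes from a rule that was enabled for rhel9 while the OVAL definition it extends (package_bind_removed, package_libreswan_installed) still lacked the rhel9 prodtype. The following script is an added illustration, not code from this PR or from the ComplianceAsCode repository: it mimics the two mechanisms under discussion on constructed data, namely inserting a prodtype into a rule's comma-separated prodtype list and re-sorting it lexicographically (what utils/mod_prodtype.py is described as doing in the PR description), and then checking that every rule enabled for a product only extends rules that are also enabled for it, so the "extending definitions are missing" failure is caught before running ./build_product. The rule contents and the extend relationships are constructed samples; the function names are assumptions of this example.

```python
import re

# Constructed sample rule.yml contents; these are not the real ComplianceAsCode rule files.
SAMPLE_RULES = {
    "configure_bind_crypto_policy": (
        "prodtype: fedora,ol8,rhel8,rhel9\n"
        "title: 'Configure BIND to use crypto policies'\n"
    ),
    "package_bind_removed": (
        "prodtype: fedora,ol8,rhel8\n"
        "title: 'Uninstall bind package'\n"
    ),
}

# Constructed OVAL extend_definition relationships: rule -> rules whose
# definitions it extends. In the real build these come from the OVAL XML.
SAMPLE_EXTENDS = {
    "configure_bind_crypto_policy": ["package_bind_removed"],
    "package_bind_removed": [],
}

PRODTYPE_RE = re.compile(r"^prodtype:[ \t]*(.*)$", re.MULTILINE)


def parse_prodtype(rule_text):
    """Return the prodtype list of a rule.yml body (empty if the key is absent)."""
    match = PRODTYPE_RE.search(rule_text)
    if not match:
        return []
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def add_prodtype(rule_text, product):
    """Insert product into the prodtype list and rewrite it in lexicographic order.

    This mirrors the behaviour the PR description attributes to mod_prodtype.py:
    the list is re-sorted, so 'rhel9,rhel8' becomes 'rhel8,rhel9'.
    """
    prods = parse_prodtype(rule_text)
    if product not in prods:
        prods.append(product)
    new_line = "prodtype: " + ",".join(sorted(prods))
    if PRODTYPE_RE.search(rule_text):
        return PRODTYPE_RE.sub(new_line, rule_text, count=1)
    # No prodtype key yet: prepend one.
    return new_line + "\n" + rule_text


def missing_extended_definitions(rules, extends, product):
    """Find extended definitions that are not enabled for product.

    Returns {missing_rule: [rules that need it]}, the same information the
    relabel_ids.py RuntimeError in the build log reports.
    """
    enabled = {name for name, text in rules.items() if product in parse_prodtype(text)}
    missing = {}
    for rule in sorted(enabled):
        for dependency in extends.get(rule, []):
            if dependency not in enabled:
                missing.setdefault(dependency, []).append(rule)
    return missing


if __name__ == "__main__":
    # Before the fix: the crypto-policy rule is rhel9 but its dependency is not.
    print(missing_extended_definitions(SAMPLE_RULES, SAMPLE_EXTENDS, "rhel9"))
    # After enabling the dependency for rhel9 the check passes.
    fixed = dict(SAMPLE_RULES)
    fixed["package_bind_removed"] = add_prodtype(fixed["package_bind_removed"], "rhel9")
    print(fixed["package_bind_removed"])
    print(missing_extended_definitions(fixed, SAMPLE_EXTENDS, "rhel9"))
```

Running the check over the whole rule tree for a product before building gives a fast, build-independent signal that a prodtype change left a dangling OVAL extension.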

@cipherboy
Contributor

(Just to follow up, #6906 was the utility I mentioned above).

matejak added 12 commits May 4, 2021 10:58
The only significant change in this component's behavior is no need for the NO_SHA1 module any more.
The syntax we use in our rules is getting rusty, but it is still valid.
The level of RPM that we interact with is stable.
The component maintainers have reported that there are no breaking changes.
The component maintainers have reported that there are no breaking changes.
The component maintainers have reported that there are no breaking changes in the audit configuration.
The interface for handling keys or configuring gpgcheck remains the same.
RHEL9 just doesn't have a gpg key metadata at this time.
File permission rules are generally backward-compatible.
Mount options are generally compatible.
Those rules are generally safe to enable, as they don't cause problems.

The rule for the pigz package has not been enabled for RHEL9 because it is not needed,
but the rest of RHEL8 package removed rules were ported.
While it is difficult to know what packages will land in RHEL9 at this moment,
it is very likely that packages related to this PR will be shipped, because
they are a stable long-term part of the RHEL ecosystem.
@matejak
Member Author

matejak commented May 4, 2021

I have added more rules from wider areas, and it should build reliably.

@JAORMX
Contributor

JAORMX commented May 4, 2021

/retest

AWS infra issue

@openshift-ci

openshift-ci bot commented May 4, 2021

@matejak: The following test failed, say /retest to rerun all failed tests:

Test name: ci/prow/e2e-aws-rhcos4-e8
Commit: 0eaecfd
Rerun command: /test e2e-aws-rhcos4-e8


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@jan-cerny jan-cerny self-assigned this May 5, 2021
@jan-cerny
Collaborator

It builds the rhel9 content now.

@jan-cerny jan-cerny merged commit 6210230 into ComplianceAsCode:master May 5, 2021