
Initial definition of ANSSI BP28 minimal profile for SLE #8540


Conversation

teacup-on-rockingchair
Contributor

@teacup-on-rockingchair teacup-on-rockingchair commented Apr 13, 2022

Description:

  • Add initial version of the anssi_bp28_minmal.profile

Rationale:

  • Enable sle15 platform for ANSSI needed rules
  • Also add CCE identifiers where needed
  • Add missing rules to ANSSI minimal profile for SLE15
  • Add SLE15 CCE ids to ANSSI rules in minimal profile
  • Enable Bash and Ansible remediations for accounts_password_minlen_login_defs rule
  • Enable Bash and Ansible remediations for accounts_password_pam_unix_rounds_system_auth
  • Enable Bash and Ansible remediations for dnf-automatic_apply_updates rule
  • Add rule accounts_password_pam_unix_rounds_password_auth remediations support for SLE
  • Use SLE specific gpgkey rule
  • Restructure ANSSI SLE15 minimal profile definition
  • Fix ANSSI profiles referencing

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 13, 2022
@openshift-ci

openshift-ci bot commented Apr 13, 2022

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Apr 13, 2022

@apatard
Contributor

apatard commented Apr 22, 2022

Hi,
I was looking for something else and found this PR. Given I'm not part of this project, I may be missing something, but I don't understand why the controls/anssi.yml file is not used as the basis. Can someone explain this to me?

@apatard
Contributor

apatard commented Apr 22, 2022

Hi, I was looking for something else and found this PR. Given I'm not part of this project, I may be missing something, but I don't understand why the controls/anssi.yml file is not used as the basis. Can someone explain this to me?

Please forget this comment. Should have read things more closely. Sorry for the noise.

@pep8speaks

pep8speaks commented May 2, 2022

Hello @teacup-on-rockingchair! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

Line 151:100: E501 line too long (111 > 99 characters)
Line 152:100: E501 line too long (104 > 99 characters)

Comment last updated at 2022-05-02 14:57:10 UTC

@github-actions

github-actions bot commented May 2, 2022

This datastream diff is auto-generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs:
--- old datastream
+++ new datastream
@@ -37,6 +37,7 @@
 false
 fi
 else
+
 pamFile="/etc/pam.d/password-auth"
 
 if grep -q "rounds=" $pamFile; then
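Review bot: The only difference in this hunk is a blank line inserted between `else` and `pamFile="/etc/pam.d/password-auth"`, so the generated bash remediation for accounts_password_pam_unix_rounds_password_auth is functionally unchanged; if that whitespace is a by-product of the SLE-specific branch added to the shared remediation, consider trimming it so the datastream diff stays empty for products this PR did not intend to touch.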

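The remediation whose generated output changed in the diff above greps the PAM file for `rounds=` and edits the pam_unix.so password line in place. The following is an added example of that idempotent logic written by the editor; it is not the project's remediation and not code from this PR. Assumptions that are mine rather than the page's: GNU grep and sed on Linux, a single non-commented pam_unix.so password line, and that the caller passes the right file for the product (`/etc/pam.d/password-auth` or `system-auth` on Red Hat-style systems, `/etc/pam.d/common-password` on SLE). The `demo_pam_file` helper writes a constructed sample so the script runs offline.

```bash
#!/bin/bash
# Added example (editor's code, not ComplianceAsCode's remediation):
# idempotently enforce "rounds=N" on the pam_unix.so password line of a PAM
# file, the behaviour the accounts_password_pam_unix_rounds_* rules enforce.
# Assumptions (not from the PR): GNU grep/sed, one pam_unix.so password line,
# and the caller picks the PAM file for the product (password-auth /
# system-auth on Red Hat-style systems, common-password on SLE).

# ERE for a non-commented "password <control> pam_unix.so ..." line.
PAM_UNIX_PW_LINE='^[[:space:]]*password[[:space:]]+[^[:space:]]+[[:space:]]+pam_unix\.so'

# Print the configured rounds value for the given PAM file (empty if absent).
pam_unix_rounds() {
    grep -E "$PAM_UNIX_PW_LINE" "$1" \
        | grep -oE '[[:space:]]rounds=[0-9]+' | head -n1 | cut -d= -f2
}

# Return 0 when rounds is set and is at least the requested minimum.
check_pam_unix_rounds() {
    local current
    current=$(pam_unix_rounds "$1")
    [ -n "$current" ] && [ "$current" -ge "$2" ]
}

# Set rounds=N: replace an existing value, otherwise append the option.
# Fails (exit 1) when the file has no pam_unix.so password line to edit,
# rather than silently leaving the system unremediated.
ensure_pam_unix_rounds() {
    local pamFile="$1" rounds="$2"

    if ! grep -Eq "$PAM_UNIX_PW_LINE" "$pamFile"; then
        echo "no pam_unix.so password line in $pamFile" >&2
        return 1
    fi

    if grep -E "$PAM_UNIX_PW_LINE" "$pamFile" | grep -Eq '[[:space:]]rounds='; then
        # Replace the existing value, keeping every other option as is.
        sed -i -E "/$PAM_UNIX_PW_LINE/ s/[[:space:]]rounds=[0-9]+/ rounds=${rounds}/" "$pamFile"
    else
        # Append the option to the end of the pam_unix.so password line.
        sed -i -E "/$PAM_UNIX_PW_LINE/ s/\$/ rounds=${rounds}/" "$pamFile"
    fi
}

# Write a constructed sample PAM stack to a temp file and print its path.
# The content is a made-up stand-in modelled on a Red Hat-style password-auth.
demo_pam_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real system file
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    echo "$f"
}

# Usage on the constructed sample: remediate, then verify.
sample=$(demo_pam_file)
ensure_pam_unix_rounds "$sample" 65536
check_pam_unix_rounds "$sample" 65536 && echo "rounds=$(pam_unix_rounds "$sample") ok"
rm -f "$sample"
```

Running `ensure_pam_unix_rounds` twice with different values leaves exactly one `rounds=` option on the line, which is the property the `grep -q "rounds="` branch in the generated remediation is there to preserve; the check function mirrors what a scanner would evaluate after remediation.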
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the add_anssi_minimal_sle_profiles branch from a69381b to 174ced7 Compare May 2, 2022 15:07
- Add initial version of the anssi_bp28_minmal.profile; after covering the whole profile, will use a reference to the common definition in controls/anssi.yml
- Enable sle15 platform for ANSSI needed rules
- Also add CCE identifiers where needed
- Add missing rules to ANSSI minimal profile for SLE15
- Add SLE15 CCE ids to ANSSI rules in minimal profile
- Enable Bash and Ansible remediations for accounts_password_minlen_login_defs rule
- Enable Bash and Ansible remediations for accounts_password_pam_unix_rounds_system_auth
- Enable Bash and Ansible remediations for dnf-automatic_apply_updates rule
- Add rule accounts_password_pam_unix_rounds_password_auth remediations support for SLE
- Use SLE specific gpgkey rule
- Restructure ANSSI SLE15 minimal profile definition
- Fix ANSSI profiles referencing
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the add_anssi_minimal_sle_profiles branch from cffdd09 to c048ed6 Compare May 2, 2022 18:48
@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review May 2, 2022 18:53
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 2, 2022
@jan-cerny
Collaborator

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels May 4, 2022
@jan-cerny jan-cerny merged commit 49955e9 into ComplianceAsCode:master May 4, 2022
@jan-cerny jan-cerny self-assigned this May 4, 2022
@jan-cerny jan-cerny added this to the 0.1.62 milestone May 4, 2022
@jan-cerny jan-cerny added the SLES SUSE Linux Enterprise Server product related. label May 4, 2022
@vojtapolasek vojtapolasek added the Highlight This PR/Issue should make it to the featured changelog. label May 27, 2022
6 participants