
Add grub2_systemd_debug-shell_argument_absent #9100

Merged
merged 3 commits into from
Jul 11, 2022

Conversation

@yuumasato yuumasato (Member) commented Jul 6, 2022

Description:

  • Create rule that ensures that systemd.debug-shell=1 is not defined for the kernel command line.
    • For GRUB2 and zIPL.
  • Select rule for RHEL9 OSPP

Rationale:


@Mab879 Mab879 added New Rule Issues or pull requests related to new Rules. RHEL9 Red Hat Enterprise Linux 9 product related. OSPP OSPP benchmark related. labels Jul 6, 2022
@Mab879 Mab879 self-assigned this Jul 6, 2022
@Mab879 Mab879 (Member) left a comment

Thanks for the PR. I have a few suggestions for you to take a look at.

Make sure that debug-shell service is not enabled with the following
command:
<pre>grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub</pre>
If the command returns a line, it means that debug-shell service is being enabled.
@Mab879 Mab879 (Member) Jul 6, 2022

To be useful in the STIG this line should be in the OCIL clause.

@yuumasato yuumasato (Member Author) Jul 7, 2022

I don't get your suggestion here.

@ggbecker ggbecker (Member) Jul 7, 2022

I believe he is trying to suggest that the line 36 should be something like:

ocil_clause: the command returns a line or something

which will translate into this in the RHEL9 STIG spreadsheet for example:

If the command returns a line, then this is a finding.

Member

Correct. This line is duplicative of the OCIL clause.

Member Author

And how do the ocil_clause and RHEL9 STIG spreadsheet stack with the ocil question Is it the case that ...?
Is it better if the ocil question is Is it the case that the command returns a line?;
rather than Is it the case that debug-shell service is enabled?

Member

Is the OCIL text ever used without the clause? If it's not, I think we can go with that. We have been moving forwards with things like "Is it the case that the command returns a line" to help with the STIG.

@yuumasato yuumasato (Member Author) Jul 8, 2022

No, I don't think it is used anywhere else.
I think I have adjusted the line as you wanted.
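The audit command quoted at the top of this review thread greps /etc/default/grub and /boot/grub2/grubenv for the literal systemd.debug-shell=1. As an added example (not ComplianceAsCode's rule, OVAL or remediation), the script below runs the same check over a caller-supplied list of files, so it can also be pointed at /etc/zipl.conf for the zIPL case the PR description mentions, at the BLS entries under /boot/loader/entries/ (assumed here to be where a RHEL 9 host carries its kernel options), and at /proc/cmdline to confirm what the running kernel actually booted with. It deliberately goes beyond the rule's literal grep in one respect: systemd treats '-' and '_' in command-line keys as equivalent and parses a bare systemd.debug-shell with no value as true, so the example flags either spelling unless the value is an explicit false. The sample files and their paths are constructed for the example.

```shell
#!/bin/sh
# Added example: audit boot configuration for systemd.debug-shell on the
# kernel command line. This is not ComplianceAsCode's rule, OVAL or
# remediation; the file list and the handling of bare/false values are
# assumptions stated in the lead-in.

# debug_shell_enabled FILE...
# Prints "FILE: TOKEN" for every token that would enable the debug shell
# and returns 1 if any was found, 0 if all readable files are clean.
# The rule's own check greps for the literal "systemd.debug-shell=1"; this
# also catches the underscore spelling (systemd treats '-' and '_' in
# command-line keys as equivalent) and a bare "systemd.debug-shell" with no
# value, which systemd parses as true. Only an explicit false value
# (0, no, false, off) is accepted as disabled. Unreadable or missing files
# are skipped so one call works on GRUB2 x86 hosts and s390x zIPL hosts.
debug_shell_enabled() {
    found=0
    set -f   # no pathname expansion while word-splitting matched tokens
    for f in "$@"; do
        [ -r "$f" ] || continue
        # -o prints each match on its own line, so the key is found whether it
        # sits inside GRUB_CMDLINE_LINUX="...", grubenv kernelopts=...,
        # a BLS "options" line, zipl.conf parameters="..." or /proc/cmdline.
        for tok in $(grep -oE 'systemd\.debug[-_]shell(=[^[:space:]"]*)?' "$f" || true); do
            case "$tok" in
                *=*) val=${tok#*=} ;;
                *)   val=1 ;;           # bare key: systemd treats it as enabled
            esac
            case "$val" in
                0|no|false|off) ;;      # explicitly disabled, not a finding
                *) echo "$f: $tok"; found=1 ;;
            esac
        done
    done
    set +f
    return "$found"
}

# make_samples
# Writes constructed sample files (not copied from any real host) into a
# temporary directory and prints its path. Two carry the debug shell, two
# are clean.
make_samples() {
    dir=$(mktemp -d)
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet systemd.debug-shell=1"\n' \
        > "$dir/etc-default-grub"
    printf 'kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet\n' \
        > "$dir/grubenv"
    printf '[defaultboot]\ndefault=linux\n[linux]\nimage=/boot/vmlinuz\nparameters="root=/dev/dasda1 systemd.debug_shell"\n' \
        > "$dir/zipl.conf"
    printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro systemd.debug-shell=0 quiet\n' \
        > "$dir/cmdline"
    echo "$dir"
}

# Demo on the constructed samples. On a real host you would instead run e.g.
#   debug_shell_enabled /etc/default/grub /boot/grub2/grubenv \
#       /boot/loader/entries/*.conf /etc/zipl.conf /proc/cmdline
samples=$(make_samples)
for sample in "$samples"/*; do
    if debug_shell_enabled "$sample"; then
        echo "clean:   $sample"
    else
        echo "FINDING: $sample"
    fi
done
rm -rf "$samples"
```

The function reports per token rather than per file so that a host with several BLS entries or zIPL sections shows exactly which entry carries the option; the exit status alone is enough for an OCIL-style "if the command returns a line, this is a finding" verdict.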

@yuumasato yuumasato requested a review from a team as a code owner July 7, 2022 08:15
@yuumasato yuumasato force-pushed the grub_debug_shell branch 2 times, most recently from 3f9fccf to a5ab6f5 Compare July 7, 2022 08:58
Create rule that ensures that systemd.debug-shell=1 is not defined for
the kernel command line.
Create rule that ensures systemd.debug-shell=1 is not defined for the
kernel command line in zIPL.
@codeclimate codeclimate bot commented Jul 8, 2022

Code Climate has analyzed commit 2af504b and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

@openshift-ci openshift-ci bot commented Jul 8, 2022

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                        Commit   Required  Rerun command
ci/prow/e2e-aws-rhcos4-e8        2af504b  true      /test e2e-aws-rhcos4-e8
ci/prow/e2e-aws-rhcos4-high      2af504b  true      /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate  2af504b  true      /test e2e-aws-rhcos4-moderate

@yuumasato yuumasato (Member Author)

The failures in Automatus are due to inability to test grub2 rules in containers.

@yuumasato yuumasato (Member Author)

The Ansible lint issues are fixed in #9123

@Mab879 Mab879 (Member) commented Jul 11, 2022

Tests pass locally.

@Mab879 Mab879 merged commit c1484f7 into ComplianceAsCode:master Jul 11, 2022
@yuumasato yuumasato deleted the grub_debug_shell branch July 11, 2022 12:47
@yuumasato yuumasato added this to the 0.1.63 milestone Jul 11, 2022