-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries #9344
Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries #9344
Conversation
The OVAL doesn't work in offline mode and it was the last rule that was still using this extended check. All other templated rules check if the package is installed instead.
This datastream diff is auto generated by the check Click here to see the full diffOVAL definition oval:ssg-sshd_set_max_auth_tries:def:1 differs:
--- old datastream
+++ new datastream
- extend_definition oval:ssg-service_sshd_disabled:def:1
+ criteria AND
+ extend_definition oval:ssg-sshd_not_required_or_unset:def:1
+ extend_definition oval:ssg-package_openssh-server_removed:def:1
+ criteria AND
+ extend_definition oval:ssg-sshd_required_or_unset:def:1
+ extend_definition oval:ssg-package_openssh-server_installed:def:1 |
Code Climate has analyzed commit c865809 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change). View more on Code Climate. |
@ggbecker: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason of the problem of Ansible remediation is that the generated playbook contains tests for container environment and the tasks are skipped if the tests are run in container and we use container back ends in our GitHub Actions jobs. When I execute the tests locally they pass:
[jcerny@thinkpad scap-security-guide{pr/9344}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel8 sshd_set_max_auth_tries
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-16-0933/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
Description:
still using this extended check. All other templated rules check if the
package is installed instead.
Rationale: