Remove jinja condition to make rule applicability to all products in Kerberos rules #9412
@Xeicker FYI, I'm removing the jinja conditions here since it should be applicable to all products and the version of the package will determine the applicability...
The changes LGTM.
But as distros adopt newer versions of krb5, this rule will not be needed anymore.
So how about also restricting the products this rule is available for?
We should avoid removing the rule from a product that already released with this rule.
But explicitly listing the current prodtypes should avoid automatically adding these rules to new products, or product versions.
And then, in 10 years, when all current products are EOL, these rules can be deleted :)
a comment on the
I would prefer to work with an "allow list" instead of a "deny list". We already know the current relevant products, but we don't know about future products. Also, working with a "deny list", technically we should increase the list whenever a new product appears. I believe this is avoidable maintenance. In any case, the comment on
I have refreshed the PR with some more changes and I believe it should be good to go.
linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
Kerberos rules in newer OSes should not be applicable since they have Kerberos that supports FIPS algorithms and do not pose a threat anymore.
There was a problem in the CPE conditionals which hopefully is fixed by: bbd391e
When there would be no bash/ansible conditional stated for a CPE composed using the CPE language, the conditional was returning "( )" resulting in wrong syntax in the remediation.
```python
    def to_ansible_conditional(self):
        child_ansible_conds = [
            a.to_ansible_conditional() for a in self.args
            if a.to_ansible_conditional() != '']

        if not child_ansible_conds:
            return ""
```
Please add unit tests that cover your changes in build_cpe.py.
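As an added illustration of the "( )" problem described above and of the empty-children check in the reviewed snippet (this is not ComplianceAsCode's code; `Platform`, `LogicalTest`, the `" op "` join format and `demo` are hypothetical stand-ins for the project's CPE classes):

```python
# Hypothetical, simplified model of a CPE logical test whose children may
# carry no Ansible conditional at all. Not the project's build_cpe.py code.


class Platform:
    """Leaf CPE item; ansible_cond is '' when no conditional is defined."""

    def __init__(self, ansible_cond=""):
        self.ansible_cond = ansible_cond

    def to_ansible_conditional(self):
        return self.ansible_cond


class LogicalTest:
    """Composite CPE test: op is 'and' or 'or'; args are Platform/LogicalTest."""

    def __init__(self, op, args):
        self.op = op
        self.args = args

    def to_ansible_conditional_before(self):
        # Behaviour reported in the PR: empty children are kept, so a test
        # with no defined conditional renders as "(  )", which is not a valid
        # Ansible 'when:' expression.
        return "( " + (" %s " % self.op).join(
            a.to_ansible_conditional() for a in self.args) + " )"

    def to_ansible_conditional(self):
        # Fixed behaviour: drop children with no conditional and return ""
        # (no 'when:' clause) when nothing is left. Nested tests that end up
        # empty return "" too, so the parent filters them out as well.
        child_conds = [a.to_ansible_conditional() for a in self.args
                       if a.to_ansible_conditional() != '']
        if not child_conds:
            return ""
        return "( " + (" %s " % self.op).join(child_conds) + " )"


def demo():
    """Constructed sample tests: one mixed, one without any conditional, one nested."""
    mixed = LogicalTest("and", [Platform("ansible_os_family == 'RedHat'"), Platform()])
    empty = LogicalTest("or", [Platform()])
    nested = LogicalTest("and", [Platform("x"), LogicalTest("or", [Platform()])])
    return {
        "mixed_before": mixed.to_ansible_conditional_before(),
        "mixed_fixed": mixed.to_ansible_conditional(),
        "empty_before": empty.to_ansible_conditional_before(),
        "empty_fixed": empty.to_ansible_conditional(),
        "nested_fixed": nested.to_ansible_conditional(),
    }
```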
Code Climate has analyzed commit 5aa839d and detected 3 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 41.2% (0.4% change). View more on Code Climate.
The Code Climate issues can be waived - the 2 sections in code marked as duplicate actually work with different types and unifying them would not improve the readability; and changing CPEALLogicalTest is out of scope of this PR.
@ggbecker: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Thanks, the unit test is spot on!