Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add profile for SUSE SAP Public Cloud Images #9571

Merged
merged 2 commits into from
Sep 27, 2022
Merged

Add profile for SUSE SAP Public Cloud Images #9571

merged 2 commits into from
Sep 27, 2022

Conversation

brett060102
Copy link
Contributor

Add profile for SUSE SAP Public Cloud Images

Description:

  • SUSE provides SUSE Linux Enterprise Server for SAP Applications images to public cloud providers. We found that our general (non-SAP) cloud hardened image profile was incompatible with SAP installation. The following rules in the pcs-hardening.profile
    • accounts_umask_etc_login_defs
    • accounts_umask_etc_profile
    • service_firewalld_enabled
    • sshd_disable_root_login
    • sshd_set_max_auth_tries

Rationale:

  • Support a hardened profile for SUSE SAP Public Cloud Images

@brett060102
Add profile for SUSE SAP Public Cloud Images
25b345d 
SUSE provides SUSE Linux Enterprise Server for SAP Applications
images to public cloud providers. We found that our general (non-SAP)
cloud hardened image profile was incompatible with SAP installation.
The following rules in the pcs-hardening.profile
     - accounts_umask_etc_login_defs
     - accounts_umask_etc_profile
     - service_firewalld_enabled
     - sshd_disable_root_login
     - sshd_set_max_auth_tries
Needed to be removed.
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Sep 26, 2022
@openshift-ci
Copy link

openshift-ci bot commented Sep 26, 2022

Hi @brett060102. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Mab879 Mab879 added SLES SUSE Linux Enterprise Server product related. New Profile Issues or pull requests related to new Profiles. labels Sep 27, 2022
@jan-cerny
Copy link
Collaborator

@brett060102 Have you considered that the pcs-hardening profile could extend the pcs-hardening profile and remove the rules? We do similar thing in RHEL 9 where the stig_gui profile extends the stig profile and removes from it the rule xwindows_remove_packages using exclamation mark: https://github.com/ComplianceAsCode/content/blob/master/products/rhel9/profiles/stig_gui.profile That would help if the profiles need to be kept synchronized.

@jan-cerny jan-cerny self-assigned this Sep 27, 2022
@brett060102
Change to use extend and remove logic
f88cf37 
In response to code review. Instead of duplicating contents of
pcs-hardening, use extend and then remove the rules we don't want.
@brett060102
Copy link
Contributor Author

@jan-cerny Thank you. I did not know about extend and remove until now. It is way cool and just what this change needed.
Thank you.

@codeclimate
Copy link

codeclimate bot commented Sep 27, 2022

Code Climate has analyzed commit f88cf37 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.7% (0.0% change).

View more on Code Climate.

jan-cerny
jan-cerny approved these changes Sep 27, 2022
View reviewed changes
Copy link
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great! it seems that it works!

@jan-cerny jan-cerny merged commit 10c4a8f into ComplianceAsCode:master Sep 27, 2022
@jan-cerny jan-cerny added this to the 0.1.65 milestone Sep 27, 2022
@brett060102 brett060102 deleted the add-SAP-Hardened branch June 28, 2023 20:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels
needs-ok-to-test Used by openshift-ci bot. New Profile Issues or pull requests related to new Profiles. SLES SUSE Linux Enterprise Server product related.
Projects
None yet
Milestone
0.1.65
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@brett060102 @jan-cerny @Mab879