-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a security policy validation mechanism #128
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
Not so stupid question: who is STIG and what are they doing in YaST?! |
I guess it is a Security Technical Implementation Guide but the Wikipedia article is quite vague. I assume we have openSUSE/SLE specific pointers, please add them. |
This comment was marked as outdated.
This comment was marked as outdated.
d26aeed
to
b94a066
Compare
* SecurityPolicy#validate: runs the validation for the given scope. * Issues are kept in the SecurityPolicy instance.
afbef82
to
dcdcba8
Compare
* #validate and #issues are replaced with just #validate.
* An Y2Issues::List object is enough
Expose RulePresenter class
Set the action to be performed by SCAP on first boot
Use "stig" as profile name for DISA STIG
AutoYaST: adapt to the new schema of the security_policies section
def missing_encryption?(blk_filesystem) | ||
return false if blk_filesystem.encrypted? || blk_filesystem.mount_point.nil? | ||
|
||
!PLAIN_MOUNT_POINTS.include?(blk_filesystem.mount_path) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we are sure there are enough validations in place (in AutoYaST and in the UI) to ensure we never get something like "/boot/efi/" here (trailing bar).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hope so ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a quick check since I hope most code to be already double-checked due to the amount of people already involved in the pull request. That being said, it looks good.
✔️ Internal Jenkins job #5 successfully finished |
This PR adds security policy validation to the installer (see https://www.open-scap.org/security-policies/choosing-policy/).
Related PRs:
How it works
See the screenshots below to get an idea of how it works. Once the user enables a security profile (at this point only DISA STIG), YaST:
ssg-apply
) and enable the service at the end of the installation.Installation settings including a 'Security Policy' section
Storage proposal showing found problems with the current configuration
YaST warning about an issue in the expert partitioner
AutoYaST confirmation mode when some rule failed
Do not allow installing the system until all problems are solved
Enabling security policy validation
There are three different ways to enable policy checks:
YAST_SECURITY_POLICIES=stig
at boot time.What is missing?
Write the name of the enabled policies and disabled rules to the file system, so
ssg-apply
can take that information into account.Implementation details