
Security policy checks #1308

Merged
merged 9 commits into from Nov 8, 2022

Conversation

joseivanlopez
Contributor

@joseivanlopez joseivanlopez commented Aug 23, 2022

Problem

YaST installer is now able to validate whether a setup fulfills the installation requirements of the DISA STIG security policy, see yast/yast-security#128. Some of those checks affect the storage setup. But neither the Guided Setup nor the Expert Partitioner performs checks for the enabled security policy.

Solution

Perform policy checks and show issues in both the storage proposal dialog and the Expert Partitioner. Note that a policy can be enabled by default with the YAST_SECURITY_POLICY boot parameter, for example YAST_SECURITY_POLICY=stig.

NOTE: this will be merged after yast/yast-security#128.

Testing

  • Added new unit tests
  • Tested manually

Screenshots

Screenshot from 2022-10-03 16-55-32

Screenshot from 2022-10-03 16-56-13

@joseivanlopez joseivanlopez marked this pull request as ready for review August 31, 2022 07:56
@mvidner
Member

mvidner commented Sep 13, 2022

OK, only when seeing this PR do I understand the purpose of scopes in yast/yast-security#131 :
so that a YaST module can run only the relevant part of the security policy which it can configure

Member

@mvidner mvidner left a comment


LGTM, except the dependencies:

This depends on yast/yast-security#131 and it should be expressed as a RPM dependency.

We can't do a Require on yast2-security because that would make a circular dependency, but this should work:

Conflicts: yast2-security < 4.4.15

@joseivanlopez
Contributor Author

joseivanlopez commented Sep 13, 2022

LGTM, except the dependencies:

This depends on yast/yast-security#131 and it should be expressed as a RPM dependency.

We can't do a Require on yast2-security because that would make a circular dependency, but this should work:

Conflicts: yast2-security < 4.4.15

Actually it does not conflict. Policy issues are not shown in that case.
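The two design points raised in this thread, running only the scope of the policy that a module can configure and keeping the dependency on the policy library soft so that the proposal simply shows no policy issues when it is absent, as an added example. This is hypothetical Ruby written for illustration, not the yast-storage-ng or yast2-security API; the rule set, the `policy_available` flag and the setup hash are constructed stand-ins.

```ruby
# Added example; hypothetical code, not the yast-storage-ng or yast2-security API.
# A policy rule belongs to one scope; `check` takes the proposed setup and
# returns true when the setup complies with the rule.
PolicyRule = Struct.new(:id, :scope, :description, :check)

# Constructed rule set standing in for a policy such as "stig". The rule texts
# are illustrative placeholders, not the actual DISA STIG requirements.
EXAMPLE_RULES = [
  PolicyRule.new("separate_home", :storage, "/home must be a separate mount point",
                 ->(setup) { setup[:mount_points].include?("/home") }),
  PolicyRule.new("encrypted_root", :storage, "the root file system must be encrypted",
                 ->(setup) { setup[:encrypted].include?("/") }),
  PolicyRule.new("firewall_enabled", :network, "the firewall must be enabled",
                 ->(setup) { setup[:firewall] == true })
].freeze

class Policy
  attr_reader :id, :rules

  def initialize(id, rules)
    @id = id
    @rules = rules
  end

  # Only the rules of the given scope: a module runs the part of the policy it
  # is able to configure, and nothing else.
  def rules_for(scope)
    rules.select { |rule| rule.scope == scope }
  end

  # Rules of the scope that the setup does not satisfy.
  def failing_rules(setup, scope)
    rules_for(scope).reject { |rule| rule.check.call(setup) }
  end
end

# Policy id from the kernel command line, e.g. "... YAST_SECURITY_POLICY=stig".
# Returns nil when the parameter is absent.
def policy_id_from_cmdline(cmdline)
  match = cmdline.match(/\bYAST_SECURITY_POLICY=(\S+)/)
  match && match[1]
end

# Policy issues the storage proposal would display. `policy_available` stands
# in for "is the policy library installed?": when it is not, the proposal
# shows no policy issues instead of failing.
def storage_policy_issues(setup, cmdline, policy_available: true)
  return [] unless policy_available

  policy_id = policy_id_from_cmdline(cmdline)
  return [] unless policy_id == "stig"

  policy = Policy.new(policy_id, EXAMPLE_RULES)
  policy.failing_rules(setup, :storage).map do |rule|
    "#{policy.id}: #{rule.description} (#{rule.id})"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample setup: no separate /home, encrypted root, firewall off.
  setup = { mount_points: ["/", "/boot"], encrypted: ["/"], firewall: false }
  puts storage_policy_issues(setup, "root=/dev/sda2 YAST_SECURITY_POLICY=stig")
end
```

With the sample setup, only the storage-scope failure (missing separate /home) is reported; the firewall rule belongs to the network scope and is left to the module that configures it, and without the boot parameter or without the policy library no issues are shown at all.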

Member

@mvidner mvidner left a comment


LGTM now.

OK, my fault, I was basically repeating my request after you have fulfilled it by the comment in commit ee3e555.

I guess it's unsettling to me to see a dependency handled in code and omitted in the RPM spec 😆

@joseivanlopez joseivanlopez merged commit 983d36f into yast:SLE-15-SP4 Nov 8, 2022
@yast-bot

yast-bot commented Nov 8, 2022

✔️ Internal Jenkins job #8 successfully finished
✔️ Created IBS submit request #283941
