Fail build if profiles or controls contain invalid rule selections #11135
Commits on Sep 25, 2023
Commit afe2ed2
Remove rule service_zebra_disabled from RHEL 9 E8 profile
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`; that means this rule shouldn't be a part of the RHEL 9 profile.
Commit 8bb8de2
Remove service_rexec_disabled from RHEL 9 HIPAA profile
The rule service_rexec_disabled doesn't apply to RHEL 9 because of its `prodtype`; that means this rule shouldn't be a part of the RHEL 9 profile.
Commit 1e1c27a
Remove rule service_zebra_disabled from RHEL 9 HIPAA profile
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`; that means this rule shouldn't be a part of the RHEL 9 profile.
Commit 56da855
Remove locking_out_password_attempts from profiles
`locking_out_password_attempts` is an invalid rule ID; this rule doesn't exist, it's a group instead.
Commit 7603178
Add missing prodtypes to rule package_iptables_installed
The rule `package_iptables_installed` is a part of multiple profiles in products but doesn't have prodtypes in these products.
Commit 53c51f1
Remove rules from SLE15 standard profile
These rules don't have the sle15 prodtype and therefore they don't exist in the sle15 benchmark.
Commit f7eba54
Commit 02b9964
Remove audit_rules_privileged_commands_pt_chown from Fedora OSPP
This rule isn't a part of Fedora according to the rule `prodtype`.
Commit bffafe8
Add package_python3-abrt-addon_removed to OL 8
This rule is a part of the RHEL 8 OSPP profile, but the rule doesn't have ol8 in prodtype. I think we can enable this rule on OL 8 because the rule exists also in RHEL 8.
Commit 458d2c0
Add kerberos_disable_no_keytab to OL 9
This rule is selected by OL 9 OSPP profile but it doesn't have the prodtype.
Commit b1877ce
Add sysctl_kernel_exec_shield to OL 9
This rule is selected by the E8 profile for OL 9 but it doesn't have OL 9 in the prodtype.
Commit 49e99d7
firefox_preferences-dod_root_certificate is a group; the correct rule ID is firefox_preferences-dod_root_certificate_installed.
Commit 6ada948
Commit 11a4e65
The rules changed by this commit are used by the OpenEmbedded standard profile but don't have the product ID in the prodtype key.
Commit d62f8ab
Add accounts_users_own_home_directories to Ubuntu 22.04
The rule accounts_users_own_home_directories is a part of the Ubuntu 22.04 Standard profile, but the rule doesn't have this product in its prodtype.
Commit 296f430
First, rename the function `resolve_selections_with_rules` to `apply_filter` to better express the purpose of this function. Second, move the call of `apply_filter` to a correct place. Previously, the function was checking if a rule ID is a rule that exists and is applicable to the currently built product. It removed the selections that selected the rules that don't exist. However, this operation shadowed a check in `resolve` that served to raise an exception if a rule isn't available. This exception could never be raised because at the moment of the check guarding the exception the selections already contained only existing rules. This flaw is fixed by moving the `apply_filter` call after the exception and removing the duplicate check.
Commit 890ce49
Fail build if controls contain invalid rule IDs
We will raise an exception and terminate the build if a control selects a rule that doesn't exist. To do that, we need to get a list of all existing rules in the project. Unfortunately, we can't reuse a list of the rules available in the currently built product because control files can contain all rules from all benchmarks from all products. Control files are product agnostic and benchmark agnostic.
Commit d28a6e7
Add a simple unit test that verifies if the `Control.load()` method raises an exception if a control selects an invalid rule ID.
Commit 29cbc8f
Commit 70cbe76
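An added example, not code from the project: a simplified Python model of the ordering flaw the commit messages above describe, where filtering selections before validating them makes the validation unreachable, and of validating control selections against every rule in the project rather than the product being built. Only `apply_filter` and the rule IDs come from the page; the function bodies, the other function names and the two rule sets are assumptions constructed for illustration.

```python
# Simplified model; rule sets and function bodies are constructed, not the project's code.

# Rules assumed to be built for the current product.
PRODUCT_RULES = {"package_iptables_installed", "kerberos_disable_no_keytab"}
# Every rule assumed to exist in the project, across all products.
ALL_RULES = PRODUCT_RULES | {"service_zebra_disabled", "service_rexec_disabled"}


def apply_filter(selections, available):
    """Keep only the selections that name an available rule."""
    return [s for s in selections if s in available]


def check_selections(selections, known):
    """Raise if any selection does not name a known rule."""
    invalid = sorted(set(selections) - known)
    if invalid:
        raise ValueError("invalid rule selections: " + ", ".join(invalid))


def resolve_before(selections):
    # Filter first: by the time the check runs nothing invalid is left,
    # so the exception can never be raised and typos vanish silently.
    selected = apply_filter(selections, PRODUCT_RULES)
    check_selections(selected, PRODUCT_RULES)
    return selected


def resolve_after(selections):
    # Check first: a profile selecting an unavailable rule stops the build.
    check_selections(selections, PRODUCT_RULES)
    return apply_filter(selections, PRODUCT_RULES)


def load_control(selections):
    # Controls are product agnostic, so they are validated against every
    # rule in the project, not only the rules of the product being built.
    check_selections(selections, ALL_RULES)
    return list(selections)


if __name__ == "__main__":
    profile = ["package_iptables_installed", "locking_out_password_attempts"]
    print("before:", resolve_before(profile))  # group ID silently dropped
    try:
        resolve_after(profile)
    except ValueError as exc:
        print("after:", exc)
```
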