Fail build if profiles or controls contain invalid rule selections #11135
Commits on Sep 25, 2023
-
Remove rule service_zebra_disabled from RHEL 9 E8 profile
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
-
Remove service_rexec_disabled from RHEL 9 HIPAA profile
The rule service_rexec_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
-
Remove rule service_zebra_disabled from RHEL 9 HIPAA profile
The rule service_zebra_disabled doesn't apply to RHEL 9 because of its `prodtype`, that means this rule shouldn't be a part of the RHEL 9 profile.
-
Remove locking_out_password_attempts from profiles
`locking_out_password_attempts` is an invalid rule ID, this rule doesn't exist, it's a group instead.
-
Add missing prodtypes to rule package_iptables_installed
The rule `package_iptables_installed` is a part of multiple profiles in products but doesn't have prodtypes in these products.
-
Remove rules from SLE15 standard profile
These rules don't have the sle15 prodtype and therefore they don't exist in the sle15 benchmark.
-
-
Remove audit_rules_privileged_commands_pt_chown from Fedora OSPP
This rule isn't a part of Fedora according to the rule `prodtype`.
-
Add package_python3-abrt-addon_removed to OL 8
This rule is a part of the RHEL 8 OSPP profile, but the rule doesn't have ol8 in prodtype. I think we can enable this rule on OL 8 because the rule exists also in RHEL 8.
-
Add kerberos_disable_no_keytab to OL 9
This rule is selected by OL 9 OSPP profile but it doesn't have the prodtype.
-
Add sysctl_kernel_exec_shield to OL 9
This rule is selected by the E8 profile for OL 9 but it doesn't have OL 9 in the prodtype
-
firefox_preferences-dod_root_certificate is a group the correct rule ID is firefox_preferences-dod_root_certificate_installed
-
-
The rules changed by this commit are used by the OpenEmbedded standard profile but don't have the product ID in the prodtype key.
-
Add accounts_users_own_home_directories to Ubuntu 22.04
The rule accounts_users_own_home_directories is a part of the Ubuntu 22.04 Standard profile, but the rule doesn't have this product in its prodtype.
-
First, rename the function `resolve_selections_with_rules` to `apply_filter` to better express the purpose of this function. Second, move the call of `apply_filter` to a correct place. Previously, the function was checking if a rule ID is a rule that exists and is applicable to the currently built product. It removed the selections that selected the rules that don't exist. However, this operation shadowed a check in `resolve` that served to raise an exception if a rule isn't available. This exception could never be raised because at the moment of the check guarding the exception the selections already contained only existing rules. This flaw is fixed by moving the `apply_filter` call after the exception and removing the duplicate check.
-
Fail build if controls contain invalid rule IDs
We will raise an exception and terminate the build if a control selects a rule that doesn't exist. To do that, we need to get a list of all existing rules in the project. Unfortunately, we can't reuse a list of the rules available in the currently built product because control files can contain all rules from all benchmarks from all products. Control files are product agnostic and benchmark agnostic.
-
Add a simple unit test that verifies if the `Control.load()` method raises an exception if a control selects an invalid rule ID.
-
