Fixes for kernel_config_security rules #11259
Conversation
Hi @a-skr. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict'.
--- xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict
+++ xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict
@@ -9,8 +9,7 @@
To check the configuration value for CONFIG_SECURITY_DMESG_RESTRICT, run the following command:
grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-*
- Configs with value 'n' are not explicitly set in the file, so either commented lines or no
- lines should be returned.
+ For each kernel installed, a line with value "y" should be returned.
[warning]:
There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
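Review bot: the new expected-output sentence ("a line with value "y" should be returned") is ambiguous for a reader running the command above, because `grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-*` also returns the commented form `# CONFIG_SECURITY_DMESG_RESTRICT is not set` on a non-compliant kernel; spell out the exact compliant line, e.g. `CONFIG_SECURITY_DMESG_RESTRICT=y`, so the commented line is not mistaken for a match, and keep the quoting consistent with the rest of the rule text (the removed lines wrote 'n' in single quotes, the added line writes "y" in double quotes).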
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict' differs.
--- oval:ssg-kernel_config_security_dmesg_restrict:def:1
+++ oval:ssg-kernel_config_security_dmesg_restrict:def:1
@@ -2,4 +2,3 @@
criteria AND
criterion oval:ssg-test_kernel_config_security_dmesg_restrict:tst:1
criterion oval:ssg-test_all_kernels_config_security_dmesg_restrict_compliant:tst:1
-criterion oval:ssg-test_kernel_config_security_dmesg_restrict_absence:tst:1
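Review bot: dropping `oval:ssg-test_kernel_config_security_dmesg_restrict_absence:tst:1` from the `criteria AND` is right for a value that must now be present as `y`, but the remaining `oval:ssg-test_kernel_config_security_dmesg_restrict:tst:1` is not shown changing in this hunk; confirm that its state now requires the value `y` (the old definition was paired with an absence test, so it presumably matched the commented or missing form), otherwise the rule keeps passing on the wrong value.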
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict' differs.
--- ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1
+++ ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1
@@ -1,8 +1,7 @@
To determine the config value the kernel was built with, run the following command:
$ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.*
- Configs with value 'n' are not explicitly set in the file, so either commented lines or no
- lines should be returned.
+ For each kernel installed, a line with value "y" should be returned.
Is it the case that the kernel was not built with the required value?
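Review bot: the command in this OCIL hunk greps `/boot/config.*` (dot) while the rule description above uses `/boot/config-*` (dash); the installed kernel config files are named `config-<version>`, so the dotted glob matches nothing and the questionnaire would always report no lines for a rule that now expects `y`. Use `/boot/config-*` in both places, which also addresses the internal-consistency point raised in review.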
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks'.
--- xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks
+++ xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks
@@ -9,7 +9,8 @@
To check the configuration value for CONFIG_SECURITY_WRITABLE_HOOKS, run the following command:
grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-*
- For each kernel installed, a line with value "y" should be returned.
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
[warning]:
There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
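Review bot: "either commented lines or no lines should be returned" leaves the reader to guess what a commented line looks like and does not mention that `grep` exits non-zero when nothing matches, which matters if the command is scripted; state the compliant outputs explicitly (`# CONFIG_SECURITY_WRITABLE_HOOKS is not set`, or no output at all) and say that a line `CONFIG_SECURITY_WRITABLE_HOOKS=y` is the failing case, mirroring the wording used for the dmesg_restrict rule.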
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks' differs.
--- oval:ssg-kernel_config_security_writable_hooks:def:1
+++ oval:ssg-kernel_config_security_writable_hooks:def:1
@@ -2,3 +2,4 @@
criteria AND
criterion oval:ssg-test_kernel_config_security_writable_hooks:tst:1
criterion oval:ssg-test_all_kernels_config_security_writable_hooks_compliant:tst:1
+criterion oval:ssg-test_kernel_config_security_writable_hooks_absence:tst:1
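Review bot: adding `oval:ssg-test_kernel_config_security_writable_hooks_absence:tst:1` to a `criteria AND` alongside `oval:ssg-test_kernel_config_security_writable_hooks:tst:1` only works if tst:1 no longer requires the value `y`; the description hunk above flips the expectation from "y" to 'n', but this hunk shows no change to tst:1 or its state, so check that the templated test now accepts the commented or absent form, or the two criteria can never both be true and every kernel fails the rule.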
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks' differs.
--- ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1
+++ ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1
@@ -1,7 +1,8 @@
To determine the config value the kernel was built with, run the following command:
$ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.*
- For each kernel installed, a line with value "y" should be returned.
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
Is it the case that the kernel was not built with the required value?
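Review bot: same glob problem as the dmesg_restrict OCIL: `/boot/config.*` should be `/boot/config-*` to match both the rule description in this same rule and the actual file names; as written the "no lines returned" outcome is satisfied trivially on every system, which would make the writable_hooks questionnaire pass even when the option is enabled.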
Please also change the other occurrences of the value in the rule.yml files (description, ocil); the rule.yml files need to be internally consistent.
This configuration option shall be set to prevent an unprivileged user from getting information about the kernel memory layout. See ANSSI-BP-028 v2.0 guide. Fixes issue ComplianceAsCode#11255
Those hooks shall be deactivated to prevent LSM deactivation at runtime. Hence, the kernel flag CONFIG_SECURITY_WRITABLE_HOOKS shall not be set. See ANSSI-BP-028 v2.0 guide. Fixes issue ComplianceAsCode#11254
Please find the commits amended with requested changes.
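The check that both rule descriptions describe, written out as an added POSIX shell example (this is not ComplianceAsCode's OVAL, template or rule.yml code): an option that must be `y` has to appear explicitly as `OPTION=y`, while an option that must be `n` is satisfied either by the commented `# OPTION is not set` form or by the option being absent, and every installed kernel has to comply. The function names `kconfig_value` and `kconfig_check` and the two sample config files are constructed here for illustration; they stand in for real `/boot/config-<version>` files.

```shell
#!/bin/sh
# Added example, not the project's own check: evaluate a kernel config
# option against an expected value across several config files.
# Semantics follow the rule text: 'y' must be present as OPTION=y,
# 'n' is met by "# OPTION is not set" or by no line at all.

kconfig_value() {
    # Print the effective value of option $1 in file $2: the value after
    # "OPTION=" when set, "n" when commented out or missing. The pattern is
    # anchored at line start and ends in "=", so a longer option name that
    # shares the prefix (e.g. CONFIG_SECURITY_SELINUX_DISABLE when asking
    # about CONFIG_SECURITY_SELINUX) is not mistaken for a match.
    opt=$1; file=$2
    val=$(sed -n "s/^${opt}=//p" "$file" | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'n\n'
    fi
}

kconfig_check() {
    # kconfig_check OPTION EXPECTED FILE...
    # Exit 0 only if every file carries the expected value ("all kernels
    # installed" semantics); report each file either way.
    opt=$1; want=$2; shift 2
    rc=0
    for f in "$@"; do
        got=$(kconfig_value "$opt" "$f")
        if [ "$got" = "$want" ]; then
            printf '%s: %s=%s (ok)\n' "$f" "$opt" "$got"
        else
            printf '%s: %s=%s (want %s)\n' "$f" "$opt" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs standing in for /boot/config-<version>.
# config-a is compliant for both rules, config-b for neither.
tmp=$(mktemp -d)
cat > "$tmp/config-a" <<'EOF'
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
EOF
cat > "$tmp/config-b" <<'EOF'
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY_WRITABLE_HOOKS=y
CONFIG_SECURITY_SELINUX_DISABLE=y
EOF

# Demo run over "all installed kernels" (both sample files).
if kconfig_check CONFIG_SECURITY_DMESG_RESTRICT y "$tmp"/config-*; then
    echo "dmesg_restrict: all kernels compliant"
else
    echo "dmesg_restrict: at least one kernel non-compliant"
fi
if kconfig_check CONFIG_SECURITY_WRITABLE_HOOKS n "$tmp"/config-*; then
    echo "writable_hooks: all kernels compliant"
else
    echo "writable_hooks: at least one kernel non-compliant"
fi
```

On a real host replace `"$tmp"/config-*` with `/boot/config-*`; note that the glob uses a dash, not a dot, because that is how the installed config files are named.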
Code Climate has analyzed commit e83193f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.8%.
The fail of Ansible lint job is caused by update of the worker to F39 and isn't caused by the changes in this PR.