accounts_passwords_pam_tally2_deny_root fix #11676


teacup-on-rockingchair

Description:

  • The rule accounts_passwords_pam_tally2_deny_root was failing the OVAL check even though the remediation was applied correctly

Rationale:

  • The regex in the OVAL needed simplification

@teacup-on-rockingchair teacup-on-rockingchair added OVAL OVAL update. Related to the systems assessments. SLES SUSE Linux Enterprise Server product related. labels Mar 12, 2024

github-actions bot commented Mar 12, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11676
This image was built from commit: a489a0e

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11676

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11676 make deploy-local

@jan-cerny

@teacup-on-rockingchair the test scenarios on SLE15 are still failing. Can you take a look into it?

ERROR - Script pam_tally2_deny_missing.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root'.

@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as draft March 13, 2024 05:24
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 13, 2024
…ting

The deny=NUMBER option is needed for even_deny_root to work OK
Added an additional regex test in OVAL for simplicity and maintainability, not merged into the same regex
Fixed remediations to add the deny=NUMBER clause

codeclimate bot commented Mar 15, 2024

Code Climate has analyzed commit a489a0e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).


@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review March 15, 2024 05:42
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 15, 2024
@jan-cerny jan-cerny self-assigned this Mar 18, 2024

@jan-cerny jan-cerny left a comment


I have seen that the Automatus test scenarios are now passing on SLE15. The failure of Automatus on the remaining test job is expected because the rule changed in this PR isn't a part of RHEL 8 or RHEL 9 products.

@jan-cerny

/packit retest-failed

@jan-cerny jan-cerny added this to the 0.1.73 milestone Mar 18, 2024
@jan-cerny jan-cerny added Ansible Ansible remediation update. Bash Bash remediation update. labels Mar 18, 2024
@jan-cerny jan-cerny merged commit b84d30a into ComplianceAsCode:master Mar 18, 2024
41 of 44 checks passed
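
The commit note in this PR says a second regex test was added to the OVAL so that `deny=NUMBER` is checked alongside `even_deny_root`, and the failing scenario was `pam_tally2_deny_missing.fail.sh`. A sketch of that two-check logic as an added example (not the PR's OVAL or remediation code); the patterns, function names and sample PAM lines are assumptions constructed here:

```python
import re

# Assumed patterns for this example; they are not the regexes from the PR's OVAL.
TALLY2_AUTH = re.compile(
    r"^\s*auth\s+(?:\[[^\]]*\]|\S+)\s+(?:\S*/)?pam_tally2\.so(?P<opts>(?:\s.*)?)$")
HAS_EVEN_DENY_ROOT = re.compile(r"(?:^|\s)even_deny_root(?:\s|$)")
HAS_DENY_NUMBER = re.compile(r"(?:^|\s)deny=\d+(?:\s|$)")


def tally2_auth_options(pam_text):
    """Yield the option string of each active auth line that loads pam_tally2.so."""
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0]  # ignore commented-out configuration
        match = TALLY2_AUTH.match(line)
        if match:
            yield match.group("opts")


def evaluate_rule(pam_text):
    """Run both checks separately and pass only if one line satisfies both."""
    opts = list(tally2_auth_options(pam_text))
    root = [bool(HAS_EVEN_DENY_ROOT.search(o)) for o in opts]
    deny = [bool(HAS_DENY_NUMBER.search(o)) for o in opts]
    return {
        "even_deny_root": any(root),
        "deny_number": any(deny),
        "pass": any(r and d for r, d in zip(root, deny)),
    }


# Constructed sample PAM configurations (not taken from the PR's test scenarios).
COMPLIANT = "auth required pam_tally2.so onerr=fail deny=3 even_deny_root unlock_time=900\n"
DENY_MISSING = "auth required pam_tally2.so onerr=fail even_deny_root\n"
COMMENTED = "#auth required pam_tally2.so deny=3 even_deny_root\nauth required pam_unix.so\n"

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT),
                       ("deny missing", DENY_MISSING),
                       ("commented out", COMMENTED)]:
        print(name, evaluate_rule(text))
```

Reporting the two checks separately shows which option is absent when the overall result is a fail.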