
Update CIS RHEL9 control file to v2.0.0 #12067

Merged
merged 61 commits into ComplianceAsCode:master from cis_rhel9_200
Jun 26, 2024

Conversation

marcusburghardt (Member)

Description:

This PR updates the controls based on CIS RHEL9 v2.0.0.

A new version of CIS RHEL9 policy is in Accepted state and is expected to move to published state in 2024-06-20.
Until the policy is moved to published state I will keep this PR in Draft. But it is already good for review.

Rationale:

Keep CIS RHEL9 profiles updated.

Review Hints:

Best way to review is going commit by commit chronologically. The commits are ordered according to the order the requirements are presented in the policy.

References:
https://workbench.cisecurity.org/benchmarks/18210

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
@marcusburghardt marcusburghardt added the RHEL9 (Red Hat Enterprise Linux 9 product related.) and CIS (CIS Benchmark related.) labels Jun 14, 2024
@marcusburghardt marcusburghardt added this to the 0.1.74 milestone Jun 14, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress (Used by openshift-ci bot.) label Jun 14, 2024
openshift-ci bot commented Jun 14, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions bot commented Jun 14, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12067
This image was built from commit: fc85059

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12067

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12067 make deploy-local

@marcusburghardt marcusburghardt marked this pull request as ready for review June 18, 2024 13:15
@marcusburghardt marcusburghardt requested a review from a team as a code owner June 18, 2024 13:15
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress (Used by openshift-ci bot.) label Jun 18, 2024
@Mab879 Mab879 self-assigned this Jun 18, 2024
@Mab879 Mab879 (Member) left a comment

Thanks for the PR.

All rules in Section 6.2.3 should be under related_rules. Section 6.2 is a pick-one section, like the firewall section.

There are conflicting requirements regarding journald and rsyslog.
JournalD is the default preference for RHEL 9.

CIS RHEL 9 v2.0.0

@Mab879 Mab879 (Member) left a comment
Thanks for the PR!

@Mab879 Mab879 (Member) left a comment
Please take a look at the testing farm failures; they look valid enough to investigate.

Ensure rules no longer used in RHEL 9 profiles are kept in the
Datastream to avoid breaking eventual tailoring files.

codeclimate bot commented Jun 26, 2024

Code Climate has analyzed commit fc85059 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@marcusburghardt (Member, Author)

Please take a look at the testing farm failures; they look valid enough to investigate.

Thanks for reviewing @Mab879. The failures should be fixed now.

@Mab879 Mab879 (Member) left a comment

Thanks for the effort on this PR.

LGTM.

@Mab879 Mab879 merged commit f0a0c51 into ComplianceAsCode:master Jun 26, 2024
92 of 93 checks passed
@marcusburghardt marcusburghardt deleted the cis_rhel9_200 branch June 27, 2024 07:22
@marcusburghardt marcusburghardt added the Highlight (This PR/Issue should make it to the featured changelog.) label Jun 27, 2024