
Fix missing content in datastreams generated by new templating system #4883

Merged, 6 commits, Oct 2, 2019

Conversation

jan-cerny (Collaborator)

Description:

The missing OVALs were caused mostly by a mismatch in prodtype tag in the rule and the rule that generates the dependent content. This is solved by adding the prodtypes from the dependent rule to its dependency. However, a fix for 4 missing OVALs in OCP3 datastream will be submitted in a separate PR.

There was a mistake in the port of CSV data for mount options, which caused the Anaconda remediation to be disabled on all platforms. But according to the CSVs it should be disabled only on RHEL 7 and 8.

For more details please read the commit messages of each commit.

Rationale:

This prevents missing OVALs and Anaconda remediations in the comparison of datastreams generated by old and new templating.

Commit messages:

This rule contains OVAL which is a dependency of rule
smartcard_auth which is used in RHEL 6 STIG and PCI-DSS profiles.

These rules generate OVALs which are a dependency of rule
`audit_rules_login_events` which is a member of multiple
RHEL6 profiles.

These rules generate OVALs which are a dependency of rule
`audit_rules_file_deletion_events`. The rule
`audit_rules_file_deletion_events` has no prodtype, which means it's
applicable to all Linuxes, which means the child rules should have the
same applicability.

Also fixes the comments in the OVAL for rule
`audit_rules_file_deletion_events` because they're displayed in the HTML
report and in the graph.

This rule generates OVAL checks from a template. But this OVAL check is
a dependency of rule `ftp_present_banner` but the 2 rules have a
different set of products in `prodtype` fields. Ensure that the child
rule is applicable to all products as the parent rule.

Only the RHEL 7 and 8 CSVs contain the except-for:anaconda comment,
the CSVs for other products do not exclude Anaconda remediation.
To get the same result using both old and new templating system,
we need to change the backends list.

The OVALs generated from these rules are dependencies of OVAL in
rules snmpd_not_default_password, aide_scan_notification and
aide_periodic_cron_checking which are a part of the WRLinux 10.19
benchmark.
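The two kinds of metadata mismatch this PR fixes can be checked mechanically. The block below is an added example, not code from ComplianceAsCode: it checks that a rule whose OVAL is a dependency of another rule's OVAL carries a `prodtype` at least as wide as the dependent rule's (a missing `prodtype` key meaning "all products"), computes the widened `prodtype` the PR applies, and resolves the `key@product` override convention visible in the `backends` hunk so the effect of dropping the unscoped `anaconda: 'off'` can be seen per product. The rule names ending in `_dep`, the product lists and the dependency edges are constructed sample data, not the project's real metadata.

```python
"""
Added example, not ComplianceAsCode's own code.

1. A rule whose OVAL another rule's OVAL depends on must be applicable to at
   least the products the dependent rule lists in `prodtype`; otherwise the
   dependent rule's check is missing from the datastream of every product
   the child does not cover.
2. Template `backends` use `key@product: value` to override `key` for one
   product, so removing the unscoped `anaconda: 'off'` changes the result for
   every product without an `anaconda@<product>` entry.

Names ending in _dep, the product lists and the edges are constructed data.
"""
from typing import Dict, List, Optional, Set, Tuple

ALL = "all"  # marker for a rule with no prodtype key (applies to every product)


def parse_prodtype(value: Optional[str]) -> Set[str]:
    """Turn a rule.yml prodtype string such as "rhel7,rhel8" into a set.
    A missing prodtype (None) means the rule applies to all products."""
    if value is None:
        return {ALL}
    return {p.strip() for p in value.split(",") if p.strip()}


def missing_products(parent: Set[str], child: Set[str]) -> Set[str]:
    """Products the parent is built for but the child is not.
    An empty set means the child's applicability covers the parent's."""
    if ALL in child:
        return set()
    if ALL in parent:
        return {ALL}  # parent unrestricted, child restricted: always a gap
    return parent - child


def find_prodtype_mismatches(
    prodtypes: Dict[str, Optional[str]],
    depends_on: Dict[str, List[str]],
) -> List[Tuple[str, str, Set[str]]]:
    """For every edge parent -> child (parent's OVAL uses child's OVAL),
    report (parent, child, products the child is missing)."""
    problems = []
    for parent, children in depends_on.items():
        pset = parse_prodtype(prodtypes[parent])
        for child in children:
            gap = missing_products(pset, parse_prodtype(prodtypes[child]))
            if gap:
                problems.append((parent, child, gap))
    return problems


def widen_child(prodtypes: Dict[str, Optional[str]], parent: str, child: str) -> Optional[str]:
    """The PR's fix: add the parent's products to the child's prodtype.
    Returns the new prodtype string, or None when the child must carry no
    prodtype at all (because the parent, or the child already, is unrestricted)."""
    pset = parse_prodtype(prodtypes[parent])
    cset = parse_prodtype(prodtypes[child])
    if ALL in pset or ALL in cset:
        return None
    return ",".join(sorted(pset | cset))


def resolve_for_product(mapping: Dict[str, str], product: str) -> Dict[str, str]:
    """Apply the key@product override convention: `type@rhel7` replaces `type`
    when building rhel7 and is ignored for every other product."""
    resolved = {k: v for k, v in mapping.items() if "@" not in k}
    for key, value in mapping.items():
        if "@" in key:
            base, prod = key.split("@", 1)
            if prod == product:
                resolved[base] = value
    return resolved


# --- constructed sample data (names ending in _dep are hypothetical) --------
SAMPLE_PRODTYPES: Dict[str, Optional[str]] = {
    "audit_rules_file_deletion_events": None,  # no prodtype: all Linuxes
    "audit_rules_file_deletion_events_dep": "rhel7,rhel8",
    "ftp_present_banner": "rhel6,rhel7,rhel8",
    "ftp_present_banner_dep": "rhel7,rhel8",
    "smartcard_auth": "rhel6",
    "smartcard_auth_dep": "rhel6,rhel7",
}
SAMPLE_DEPENDS_ON: Dict[str, List[str]] = {
    "audit_rules_file_deletion_events": ["audit_rules_file_deletion_events_dep"],
    "ftp_present_banner": ["ftp_present_banner_dep"],
    "smartcard_auth": ["smartcard_auth_dep"],
}

# The anaconda entries of the backends block from the hunk, before and after.
OLD_BACKENDS = {"anaconda": "off"}
NEW_BACKENDS = {"anaconda@rhel7": "off", "anaconda@rhel8": "off"}


if __name__ == "__main__":
    for parent, child, gap in find_prodtype_mismatches(SAMPLE_PRODTYPES, SAMPLE_DEPENDS_ON):
        print(f"{child} lacks products needed by {parent}: {sorted(gap)} "
              f"-> new prodtype: {widen_child(SAMPLE_PRODTYPES, parent, child)}")
    for prod in ("rhel7", "fedora"):
        print(prod, "old:", resolve_for_product(OLD_BACKENDS, prod),
              "new:", resolve_for_product(NEW_BACKENDS, prod))
```

Run stand-alone it reports the `audit_rules_file_deletion_events` and `ftp_present_banner` edges as gaps (the `smartcard_auth` edge is fine because its child already covers rhel6) and shows that after the hunk a product such as fedora no longer gets any `anaconda` setting from this template, which is exactly the point the review thread below argues over.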
@jan-cerny jan-cerny added this to the 0.1.47 milestone Oct 2, 2019
@jan-cerny jan-cerny marked this pull request as ready for review October 2, 2019 13:41
@matejak matejak self-assigned this Oct 2, 2019
matejak (Member) commented Oct 2, 2019

An alternative view of this is that it updates rule metadata, so they are included in relevant benchmarks.
Thank you for this PR!

@matejak matejak merged commit 663a31a into ComplianceAsCode:master Oct 2, 2019
@@ -47,4 +47,5 @@ template:
type@rhel7: tmpfs
type@rhel8: tmpfs
backends:
anaconda: 'off'
anaconda@rhel7: 'off'
anaconda@rhel8: 'off'
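Review bot: replacing the unscoped `anaconda: 'off'` under `backends:` with only `anaconda@rhel7: 'off'` and `anaconda@rhel8: 'off'` (the hunk header shows one line becoming two) leaves every other product this template builds for with no anaconda setting at all, so the template's default now applies to them, and nothing in the file says why rhel7 and rhel8 alone are excluded. Add a one-line comment above the two keys pointing at the `except-for:anaconda` note in the RHEL 7 and 8 CSVs this mirrors, and state whether the remaining products are meant to get the Anaconda remediation; the thread below already questions that for Fedora and Oracle, so the rationale belongs next to the keys rather than only in the PR.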
Member
Fedora and Oracle also had anaconda remediation for /dev/shm mount points disabled.

To get the same result using both old and new templating system,
we need to change the backends list.

But why do we want same results from old and new templating system?

In this case I think the content is better with anaconda disabled for all products.

The reason this is disabled is because /dev/shm doesn't exist at the moment of installation, they are managed by systemd and created during first boot.
So any product using systemd should have anaconda remediation disabled.

Member
I couldn't find any resource documenting management of /dev/shm by systemd.

matejak (Member), Oct 2, 2019

Content equivalence between the old and new systems makes it easy to evaluate the new system's state.
Let's keep changes to a minimum, so we don't have to think too much about whether the new system generates incomplete content due to some bug, or whether the old content was broken, which is why it is omitted by the new system.

Member

Content equivalence between the old and new systems makes it easy to evaluate the new system's state.

I understand this reasoning, but I disagree with hindering generation of content with new templating system.

How about upping the CSV so that it generates the same content as the new system would?
