Made the rule sshd_rekey_limit parametrized. #5772
linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
Introduce the rekey_limit_size and rekey_limit_time XCCDF values to make the rule more flexible.
42dad11 to 85efae4
The remediation code is a wild jungle; is there anybody here who knows what buttons to push to make it work? The solution is probably to edit https://github.com/ComplianceAsCode/content/blob/master/ssg/build_remediations.py#L671, but I don't want to mash another hack into a nested-nested-nested if block.
You are on the spot.
I remember looking at this code ages ago and wondering why the fixparts are two-stepped.
Never got to change it and see how the code works. And without proper tests in place, I'd be reluctant to change it.
What happens is that the parser does not recognize two function names one after the other.
A workaround is to add a new line between the populate calls. (Worked for me locally.)
linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
Thanks a lot @yuumasato, your answer was exactly what I dreamt of. I have introduced macros that make sure that there are blank lines.
test this please
Introduce the rekey_limit_size and rekey_limit_time XCCDF values to make the rule more flexible.
There is one problem: The rule uses two XCCDF values, and I think that this is not supported at least for Bash remediations. The remediation code is a wild jungle; is there anybody here who knows what buttons to push to make it work? The solution is probably to edit https://github.com/ComplianceAsCode/content/blob/master/ssg/build_remediations.py#L671, but I don't want to mash another hack into a nested-nested-nested if block.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1813066
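To show what a remediation driven by the two values discussed in this PR has to do on the target host, here is an added shell example. It is not the project's own remediation template (which is generated from the rule and its `populate` markers); the function names, the handling of `Match` blocks and the sample config are assumptions made for this illustration. The only inputs are the size and time values that correspond to the `rekey_limit_size` and `rekey_limit_time` XCCDF values.

```shell
# Added example, not ComplianceAsCode code: set sshd's RekeyLimit from two
# values (size, time) in an idempotent way. Function names and the
# Match-block placement rule below are assumptions for this illustration.

set_rekey_limit() {
    # $1: path to sshd_config, $2: size value (e.g. 512M), $3: time value (e.g. 1h)
    cfg="$1" size="$2" rtime="$3"
    [ -f "$cfg" ] || : > "$cfg"
    # Remove every existing RekeyLimit line, active or commented out, so that the
    # result carries exactly one directive and no Match-scoped override weakens it.
    grep -Evi '^[[:space:]]*#?[[:space:]]*RekeyLimit([[:space:]]|$)' "$cfg" > "$cfg.tmp" || true
    # sshd honours the first occurrence of a keyword, and anything written after a
    # Match line belongs to that block, so the directive goes before the first Match
    # (or at the end when the file has no Match blocks at all).
    awk -v line="RekeyLimit $size $rtime" '
        !done && tolower($1) == "match" { print line; print ""; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg.tmp" > "$cfg"
    rm -f "$cfg.tmp"
}

get_rekey_limit() {
    # Report the effective global value: the first RekeyLimit directive in the file.
    awk 'tolower($1) == "rekeylimit" { print $2, $3; exit }' "$1"
}

# Constructed sample config, written to a temporary file so the demo runs offline.
demo_cfg=$(mktemp)
printf '# RekeyLimit default\nRekeyLimit 1G 1h\nMatch User backup\n    RekeyLimit 10M\n' > "$demo_cfg"
set_rekey_limit "$demo_cfg" 512M 1h
echo "effective RekeyLimit: $(get_rekey_limit "$demo_cfg")"
rm -f "$demo_cfg"
```

Using a single directive placed in the global section is what an OVAL check for this rule would have to look for; if the build pipeline emits the two `populate` markers correctly, the Bash remediation only needs to substitute the two variables into the same `RekeyLimit` line.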