Sle15 cis #5807

Merged
merged 23 commits into from
Jun 5, 2020

eradot4027
Contributor

Description:

- Updated CIS profile in SLE15 to reflect changes in the profile

Rationale:

For evaluating systems with an up to date profile

  • Fixes #
    None

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Jun 3, 2020
@openshift-ci-robot
Collaborator

Hi @eradot4027. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@eradot4027
Contributor Author

Commented out missing checks. Should compile now. I apologize.

@mildas
Contributor

mildas commented Jun 3, 2020

Changes identified:
Profile cis on sle15:
 Rule disable_prelink added to cis profile.
 Rule kernel_module_freevxfs_disabled, selinux_policytype, service_tftp_disabled, configure_etc_hosts_deny, no_legacy_plus_entries_etc_group, package_mcstrans_removed, kernel_module_rds_disabled, kernel_module_tipc_disabled, sshd_allow_only_protocol2, kernel_module_hfsplus_disabled, package_libselinux_installed, no_legacy_plus_entries_etc_shadow, kernel_module_jffs2_disabled, selinux_confinement_of_daemons, kernel_module_hfs_disabled, no_legacy_plus_entries_etc_passwd, package_tcp_wrappers_installed, selinux_state, package_setroubleshoot_removed, grub2_enable_selinux removed from cis profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml cis

@yuumasato
Member

Changes look good to me, but I haven't verified the alignment with SLE15 CIS.
@eradot4027 do you have someone who can review that for you?

@eradot4027
Contributor Author

I have been working on this completely by myself and referencing the CIS Workbench STIG. I can see if I can get someone else to review. Seems like most people don't use SUSE.

@yuumasato
Member

@eradot4027 We don't need to block this PR waiting for review on the alignment.
I'm fine merging it as updates can come later if needed.

@eradot4027
Contributor Author

I plan on using it in production, so I am being as meticulous as possible to ensure it is correct.

Thanks again for allowing me to contribute to your project.

@yuumasato yuumasato merged commit 5bdd906 into ComplianceAsCode:master Jun 5, 2020
@yuumasato yuumasato added this to the 0.1.51 milestone Jun 5, 2020
teacup-on-rockingchair added a commit to teacup-on-rockingchair/content that referenced this pull request Dec 14, 2022
The reference to the CIS SLE benchmark is not correct. As far as I could track in history those references were added in PR ComplianceAsCode#5807,
where the author stated that he has no access to enterprise linux benchmarks and used the distribution independent benchmark,
in which context the references are more or less valid. BTW the rhel7 reference also looks incorrect to me,
but I did not want to change it without feedback from RedHat's team member.
This pull request was closed.