
Add new rules for ANSSI BP28 R22 #6483

Merged: 12 commits, Dec 17, 2020

Conversation

jan-cerny (Collaborator)

These rules check network-related sysctl settings. R22 requires multiple settings; for some of them we already have rules in our project, but for others we had to create new rules.

  • sysctl_net_ipv6_conf_all_accept_ra_defrtr
  • sysctl_net_ipv6_conf_all_accept_ra_pinfo
  • sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
  • sysctl_net_ipv6_conf_all_autoconf
  • sysctl_net_ipv6_conf_all_max_addresses
  • sysctl_net_ipv6_conf_all_router_solicitations
  • sysctl_net_ipv6_conf_default_accept_ra_defrtr
  • sysctl_net_ipv6_conf_default_accept_ra_pinfo
  • sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
  • sysctl_net_ipv6_conf_default_autoconf
  • sysctl_net_ipv6_conf_default_max_addresses
  • sysctl_net_ipv6_conf_default_router_solicitations
  • sysctl_net_ipv4_ip_local_port_range
  • sysctl_net_ipv4_tcp_rfc1337

The PR also extends the sysctl template with new parameters, which was needed for the rule sysctl_net_ipv4_ip_local_port_range, so for this rule it also adds test scenarios.

openscap-ci (Collaborator) commented Dec 15, 2020

Changes identified:
  • Others: changes in Python files.
  • Others: Python abstract syntax tree change found in shared/templates/sysctl/template.py.

Recommended tests to execute:
  (cd build && cmake ../ && ctest -j4)

To check the sysctl value net.ipv4.ip_local_port_range we need to modify the template. This value consists of two integers. The OpenSCAP probe and also the sysctl command return these 2 integers separated by a tab. OVAL doesn't have a tuple data type, so we represent the value as a string. The string contains the 2 values separated by a space. But to match the sysctl item, we should rather use a regular expression. We still need the space-separated version for the remediation, though. Therefore we can extend the template to allow specifying a pattern match operation and to allow a regular expression value.
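The problem described in that commit message, and the set of settings listed in the PR description, can be illustrated with a small stand-alone checker. This is an added example, not code from the ComplianceAsCode project or its sysctl template: it parses constructed `sysctl -a`-style output in which the kernel reports ip_local_port_range as two tab-separated integers, evaluates that setting with a regular expression (the way an OVAL `pattern match` operation would) while the single-valued settings use an exact comparison, and renders the remediation from the plain space-separated string, since a regex cannot be written into sysctl.conf. The expected values, the regex `^32768\s+65535$` and the sample output are assumptions chosen for the example, not values taken from the ANSSI guide or the project's rules.

```python
import re

# Constructed sample of `sysctl -a`-style output (not captured from a real
# host).  The kernel prints the two ip_local_port_range integers separated
# by a tab, which is also what the OpenSCAP sysctl probe sees; the sample
# also includes two deliberately non-compliant settings.
SAMPLE_SYSCTL_OUTPUT = (
    "net.ipv4.ip_local_port_range = 32768\t65535\n"
    "net.ipv4.tcp_rfc1337 = 0\n"
    "net.ipv6.conf.all.accept_ra_defrtr = 1\n"
    "net.ipv6.conf.all.accept_ra_pinfo = 0\n"
    "net.ipv6.conf.all.accept_ra_rtr_pref = 0\n"
    "net.ipv6.conf.all.autoconf = 0\n"
    "net.ipv6.conf.all.max_addresses = 1\n"
    "net.ipv6.conf.all.router_solicitations = 0\n"
)

# Expected settings, keyed by sysctl name.  Each entry is
# (remediation_value, match_regex): remediation_value is the literal string
# a remediation writes into sysctl.conf; match_regex, when present, is used
# to evaluate the observed value like OVAL's "pattern match" operation.
# These values are assumptions for this example, not the project's rules.
EXPECTED = {
    "net.ipv4.ip_local_port_range": ("32768 65535", r"^32768\s+65535$"),
    "net.ipv4.tcp_rfc1337": ("1", None),
    "net.ipv6.conf.all.accept_ra_defrtr": ("0", None),
    "net.ipv6.conf.all.accept_ra_pinfo": ("0", None),
    "net.ipv6.conf.all.accept_ra_rtr_pref": ("0", None),
    "net.ipv6.conf.all.autoconf": ("0", None),
    "net.ipv6.conf.all.max_addresses": ("1", None),
    "net.ipv6.conf.all.router_solicitations": ("0", None),
}


def parse_sysctl_output(text):
    """Parse 'key = value' lines into a dict.  Only the ends of the value
    are stripped, so the tab inside ip_local_port_range is preserved."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def setting_matches(observed, remediation_value, match_regex):
    """Evaluate one setting: regex 'pattern match' when a regex is given,
    otherwise an exact string comparison (OVAL 'equals')."""
    if observed is None:
        return False
    if match_regex is not None:
        return re.match(match_regex, observed) is not None
    return observed == remediation_value


def check_sysctl(values, expected=EXPECTED):
    """Return {sysctl_name: observed_value} for every non-compliant or
    missing setting."""
    return {
        key: values.get(key)
        for key, (want, regex) in expected.items()
        if not setting_matches(values.get(key), want, regex)
    }


def remediation_conf(failures, expected=EXPECTED):
    """Render sysctl.conf lines for the failed settings using the plain
    space-separated value (a regex cannot be written into sysctl.conf)."""
    return "".join("%s = %s\n" % (key, expected[key][0]) for key in sorted(failures))


if __name__ == "__main__":
    observed = parse_sysctl_output(SAMPLE_SYSCTL_OUTPUT)
    failed = check_sysctl(observed)
    for key, value in sorted(failed.items()):
        print("FAIL %s (observed %r)" % (key, value))
    print(remediation_conf(failed), end="")
```

Run as a script it reports the two constructed failures and prints the sysctl.conf lines that would fix them; the port-range setting passes only because it is matched with the regex, as an exact comparison of the tab-separated observed value against the space-separated remediation string would fail.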
jan-cerny (Collaborator, Author)

@openscap-ci test this please

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Dec 16, 2020
These rules are added by ComplianceAsCode#6483
yuumasato (Member) left a comment

LGTM, just a few typos.

pep8speaks commented Dec 17, 2020

Hello @jan-cerny! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2020-12-17 08:56:12 UTC

@yuumasato yuumasato added this to the 0.1.54 milestone Dec 17, 2020
openshift-merge-robot (Collaborator)

@jan-cerny: The following test failed, say /retest to rerun all failed tests:

Test name: ci/prow/e2e-aws-ocp4-cis
Commit: eaec5c3
Rerun command: /test e2e-aws-ocp4-cis


yuumasato (Member)

@openscap-ci test this please

yuumasato (Member)

Issues with ci/prow/e2e-aws-ocp4-cis seem unrelated to this PR.

@yuumasato yuumasato merged commit 9fea974 into ComplianceAsCode:master Dec 17, 2020
@yuumasato yuumasato self-assigned this Dec 17, 2020
ggbecker pushed a commit to jan-cerny/scap-security-guide that referenced this pull request Dec 17, 2020
ggbecker pushed a commit to jan-cerny/scap-security-guide that referenced this pull request Dec 18, 2020
This pull request was closed.