Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG #8505

Merged
merged 15 commits into from
May 2, 2022

jan-cerny
Collaborator

Description:

adds fix texts, Ansible remediations, fixes OCIL

Rationale:

RHEL 9 STIG

@github-actions

github-actions bot commented Apr 7, 2022

Start a new ephemeral environment with changes proposed in this pull request:

Open in Gitpod

@github-actions

github-actions bot commented Apr 7, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled' differs:
--- old datastream
+++ new datastream
@@ -20,5 +20,5 @@
 LoadState=masked
 
 UnitFileState=masked
- Is it the case that ?
+ Is it the case that the autofs service is not disabled?
 
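Review bot: On the changed OCIL line, the question asks whether the autofs service "is not disabled", but the expected output shown just above it is LoadState=masked and UnitFileState=masked. A unit that is disabled but not masked would not produce that output, so the clause should name the state the check actually looks for, for example "the autofs service is not masked". The removed line rendered an empty clause ("Is it the case that ?"), so it is also worth scanning the datastream for other OCIL questions that end in an empty clause.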
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid'.
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub'.
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hub'.

@Mab879 Mab879 self-assigned this Apr 7, 2022
@Mab879 Mab879 added RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. labels Apr 7, 2022
@Mab879 Mab879 added this to the 0.1.62 milestone Apr 7, 2022
Member

@Mab879 Mab879 left a comment

Just a few comments. If you can provide a source for device IDs that would be helpful.

@Mab879
Member

Mab879 commented Apr 11, 2022

/retest

@jan-cerny
Collaborator Author

/retest

@jan-cerny
Collaborator Author

/retest

@openshift-ci openshift-ci bot added the needs-rebase Used by openshift-ci bot. label Apr 15, 2022
@openshift-ci openshift-ci bot removed the needs-rebase Used by openshift-ci bot. label Apr 19, 2022
@jan-cerny
Collaborator Author

I have rebased this pull request on the top of the current master branch and I have replaced fix by fixtext and resolved conflict with moving Jinja macro to a different file.

@jan-cerny
Collaborator Author

/retest

Member

@Mab879 Mab879 left a comment

Just one minor change requested.

Thanks for the PR.

Mab879 previously approved these changes Apr 20, 2022
@Mab879
Member

Mab879 commented Apr 20, 2022

/retest

@Mab879 Mab879 dismissed their stale review April 20, 2022 17:46

Merge conflict

@Mab879
Member

Mab879 commented Apr 20, 2022

@jan-cerny Can you take a look at the merge conflict?

@jan-cerny
Collaborator Author

/retest

@jan-cerny
Collaborator Author

Hi, it's now rebased again.

@Mab879
Member

Mab879 commented Apr 22, 2022

/retest

@Mab879
Member

Mab879 commented Apr 25, 2022

/retest

@Mab879
Member

Mab879 commented Apr 25, 2022

So those OpenShift CI errors are giving me some pause before I merged them.

@rhmdnd or @Vincent056 I think these failures might be valid, can you please confirm?

@jan-cerny
Collaborator Author

I have resolved the conflict and I have rebased on the top of the latest upstream branch.

@Mab879
Member

Mab879 commented Apr 29, 2022

/retest

@Vincent056
Contributor

Since #8564 has just merged, the test should pass once this PR is rebased.

It wasn't aligned with the bash remediations because it doesn't contain
the step to add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock whereas the bash
remediation adds the lock. An exception is rule
gnome_gdm_disable_automatic_login. Therefore I changed the
dconf_ini_file_fix macro so that it looks similar to fix text in the
dconf_gnome_disable_automount_open rule, use it in every dconf settings
and replace its use in fix in the rule gnome_gdm_disable_automatic_login
with a different fix text.
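
The gap described in the commit message above (a dconf setting written without its lock) can be audited directly on a host. This is an added example, not code from this pull request or the ComplianceAsCode project; the function names, the `00-security-settings` keyfile name and the sample keys are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Lists dconf keys that are set in a keyfile directory but have
# no matching line under its locks/ subdirectory (users can override those).

# dconf_unlocked_keys DB_DIR   (hypothetical helper name)
dconf_unlocked_keys() {
    db_dir=$1
    for f in "$db_dir"/*; do
        [ -f "$f" ] || continue          # skips the locks/ directory itself
        awk '
            /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
            /^\[.*\][ \t]*$/ {                           # [org/gnome/...] header
                sec = $0; sub(/^\[/, "", sec); sub(/\][ \t]*$/, "", sec); next
            }
            sec != "" && /=/ {                           # key=value in a section
                key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                print "/" sec "/" key
            }
        ' "$f"
    done | sort -u | while IFS= read -r path; do
        # A lock is one full line holding the absolute key path.
        if ! grep -qsxF -- "$path" "$db_dir"/locks/*; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample tree: two settings, only the first one is locked.
make_sample_db() {
    sample=$(mktemp -d)
    mkdir -p "$sample/locks"
    cat > "$sample/00-security-settings" <<'EOF'
[org/gnome/desktop/media-handling]
automount-open=false
autorun-never=true
EOF
    printf '%s\n' '/org/gnome/desktop/media-handling/automount-open' \
        > "$sample/locks/00-security-settings-lock"
    printf '%s\n' "$sample"
}
```

On a real system the directory to pass is `/etc/dconf/db/local.d`; any path the function prints is a setting that was written without a lock.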
@jan-cerny
Collaborator Author

I have rebased on the top of the latest upstream branch.

@Mab879
Member

Mab879 commented May 2, 2022

/retest

@Mab879
Member

Mab879 commented May 2, 2022

Waiving SSGTS, the tests pass locally.

@Mab879 Mab879 merged commit f184c6c into ComplianceAsCode:master May 2, 2022
@marcusburghardt marcusburghardt added the STIG STIG Benchmark related. label Jun 23, 2022
This pull request was closed.
4 participants