
Add dconf_gnome_disable_automount to RHEL STIG profile. #5961

Merged

Conversation

ggbecker
Member

@ggbecker ggbecker commented Jul 29, 2020

Description:

  • Select rule to STIG profile
  • Update references section
  • Add RHEL8 cce
  • Enable remediation for Fedora
  • Change severity to medium as defined by DISA STIG

Rationale:

Update 1: Rule has been broken down into three rules, each of them checks for a specific parameter in gnome dconf configuration.

@openshift-ci-robot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ggbecker ggbecker added this to the 0.1.52 milestone Jul 29, 2020
@ggbecker ggbecker force-pushed the add-stig-RHEL-07-020111 branch 3 times, most recently from 3fe4298 to 61ecbe4 Compare July 29, 2020 13:06
@ggbecker ggbecker marked this pull request as ready for review July 29, 2020 13:36
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 29, 2020
@vojtapolasek vojtapolasek self-assigned this Jul 30, 2020
@vojtapolasek
Collaborator

I am trying to run tests for this rule with the upstream test suite and a VM and the rule errors out as "not applicable". I see there is
platform: machine
Is that needed? Is this the reason why the test reports "not applicable"?

@ggbecker
Member Author

ggbecker commented Jul 30, 2020

I am trying to run tests for this rule with the upstream test suite and a VM and the rule errors out as "not applicable". I see there is
platform: machine
Is that needed? Is this the reason why the test reports "not applicable"?

My initial guess is that you need to have dconf installed in your testing VM.

@redhatrises
Contributor

This rule needs to be broken into at least 3 separate rules.

@vojtapolasek
Collaborator

This rule needs to be broken into at least 3 separate rules.

What is your reasoning? Would it make sense to have in a profile for example only two of these three config variables configured?

@redhatrises
Contributor

This rule needs to be broken into at least 3 separate rules.

What is your reasoning? Would it make sense to have in a profile for example only two of these three config variables configured?

Yes. It would. It also produces better security content.

@ggbecker
Member Author

ggbecker commented Aug 4, 2020

This rule needs to be broken into at least 3 separate rules.

What is your reasoning? Would it make sense to have in a profile for example only two of these three config variables configured?

Yes. It would. It also produces better security content.

Ok, I'll add this to my backlog and will get back to it soon.

@JAORMX
Contributor

JAORMX commented Aug 5, 2020

/retest

@ggbecker
Member Author

ggbecker commented Aug 6, 2020

This rule needs to be broken into at least 3 separate rules.

What is your reasoning? Would it make sense to have in a profile for example only two of these three config variables configured?

Yes. It would. It also produces better security content.

Ok, I'll add this to my backlog and will get back to it soon.

@redhatrises rule has been broken down into three rules. Can you verify them?

@ggbecker ggbecker requested a review from redhatrises August 10, 2020 07:57
@openshift-ci-robot openshift-ci-robot added the needs-rebase Used by openshift-ci bot. label Aug 11, 2020
@ggbecker ggbecker force-pushed the add-stig-RHEL-07-020111 branch from 8e72e47 to 11a3928 Compare August 11, 2020 11:45
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Used by openshift-ci bot. label Aug 11, 2020
@ggbecker
Member Author

@redhatrises can you check this one?

@ggbecker ggbecker force-pushed the add-stig-RHEL-07-020111 branch from 108413b to e7fa2ab Compare August 18, 2020 15:05
@ggbecker ggbecker requested review from redhatrises and vojtapolasek and removed request for redhatrises September 1, 2020 12:58
@redhatrises
Contributor

Looks good except for the duplicate STIGIDs. We should remove them, and ask for new ones.

@ggbecker
Member Author

ggbecker commented Sep 7, 2020

Looks good except for the duplicate STIGIDs. We should remove them, and ask for new ones.

I assume that it can take a while until they (DISA) split the rules and assign new STIG ids to them. So, do we want to wait for that? And how do we initiate this request to DISA?

Collaborator

@vojtapolasek vojtapolasek left a comment


Looks very good, just small fixes needed, please see comments.

@vojtapolasek
Collaborator

Oh, while running the SST test suite, unfortunately none of the Ansible remediations seem to pass the test. Bash is ok.

@ggbecker
Member Author

Oh, while running the SST test suite, unfortunately none of the Ansible remediations seem to pass the test. Bash is ok.

I'll eventually get back to this pull request when I have time.

@vojtapolasek vojtapolasek modified the milestones: 0.1.52, 0.1.53 Sep 18, 2020
@ggbecker ggbecker force-pushed the add-stig-RHEL-07-020111 branch from e7fa2ab to 144e295 Compare September 21, 2020 15:08

@ggbecker
Member Author

ggbecker commented Sep 21, 2020

Oh, while running the SST test suite, unfortunately none of the Ansible remediations seem to pass the test. Bash is ok.

I have addressed all the requests and fixed the ansible remediation (it was missing no_extra_spaces: yes). The OVAL regex doesn't expect any space between the = separator.

The only thing left now is the duplicated STIG ids. But I'm not sure how to proceed. @redhatrises Do you know how to ask DISA for new STIG ids? Should we merge this pull request as it is and open a new one to assign new STIG ids when they become available?
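As an added illustration (not code from this PR or from the ComplianceAsCode project) of the two points discussed above, that the three dconf rules evaluate independently and that the check expects no whitespace around the "=" separator (which is why the Ansible remediation needed no_extra_spaces: yes), here is a small Python checker run over a constructed dconf keyfile. The keyfile path, the GNOME media-handling key names and the rule-to-key mapping are assumptions.

```python
import re

# Constructed sample of a dconf keyfile as a hardening profile would write it
# under /etc/dconf/db/local.d/ (path assumed); keys and values are the GNOME
# media-handling settings assumed to back the three rules in this PR.
SAMPLE_KEYFILE = """\
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
"""

# Constructed variant with spaces around '=' (what the Ansible ini_file module
# writes unless no_extra_spaces: yes is set); a strict check must flag it.
SAMPLE_KEYFILE_SPACED = SAMPLE_KEYFILE.replace("=", " = ")

SECTION = "org/gnome/desktop/media-handling"
# rule id -> (dconf section, key, expected value); the mapping is assumed
RULES = {
    "dconf_gnome_disable_automount": (SECTION, "automount", "false"),
    "dconf_gnome_disable_automount_open": (SECTION, "automount-open", "false"),
    "dconf_gnome_disable_autorun": (SECTION, "autorun-never", "true"),
}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# Strict key=value form with no whitespace around '=', like the OVAL regex
# described in the thread; 'key = value' deliberately does not match.
KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_-]+)=(?P<value>\S+)$")


def parse_keyfile(text):
    """Return {(section, key): value} for lines in the strict form."""
    settings, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = KV_RE.match(line)
        if m:
            settings[(section, m.group("key"))] = m.group("value")
    return settings


def evaluate(text):
    """Map each rule id to True (pass) or False (fail) for the keyfile text."""
    settings = parse_keyfile(text)
    return {rule: settings.get((sec, key)) == want
            for rule, (sec, key, want) in RULES.items()}
```

Because each rule is evaluated on its own key, a profile can select any subset of the three and still get a meaningful result per rule.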

@openshift-ci-robot
Collaborator

@ggbecker: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-rhcos4-e8 144e295 link /test e2e-aws-rhcos4-e8

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@redhatrises
Contributor

Looks good except for the duplicate STIGIDs. We should remove them, and ask for new ones.

I assume that it can take a while until they (DISA) split the rules and assign new STIG ids to them. So, do we want to wait for that? And how do we initiate this request to DISA?

Yes, we do want to wait for that. There should be no duplicate STIG IDs.

@ggbecker
Member Author

Looks good except for the duplicate STIGIDs. We should remove them, and ask for new ones.

I assume that it can take a while until they (DISA) split the rules and assign new STIG ids to them. So, do we want to wait for that? And how do we initiate this request to DISA?

Yes, we do want to wait for that. There should be no duplicate STIG IDs.

Ok, also I remember seeing duplicated STIG ids in the project. I will try to find all of them and publish them in a new issue.

@redhatrises
Contributor

/retest

@ggbecker ggbecker force-pushed the add-stig-RHEL-07-020111 branch from 144e295 to ea3110c Compare November 4, 2020 08:52
@openscap-ci
Collaborator

Changes identified:
Rules:
 dconf_gnome_disable_automount
 dconf_gnome_disable_automount_open
 dconf_gnome_disable_autorun
Profiles:
 ncp on rhel7
 stig on rhel7

Show details

Rule dconf_gnome_disable_automount:
 Node moved within OVAL check.
 Attribute value changed in OVAL check.
 Node deleted from OVAL check.
 Template usage changed in ansible remediation.
 Ansible remediation changed.
 Text changed in OVAL check.
 Deleted attribute from OVAL check.
Rule dconf_gnome_disable_automount_open:
 Ansible remediation newly added.
 OVAL check is newly added.
 Bash remediation is newly added.
Rule dconf_gnome_disable_autorun:
 Ansible remediation newly added.
 OVAL check is newly added.
 Bash remediation is newly added.
Profile ncp on rhel7:
 Rule dconf_gnome_disable_autorun, dconf_gnome_disable_automount_open added to ncp profile.
Profile stig on rhel7:
 Rule dconf_gnome_disable_automount_open, dconf_gnome_disable_automount, dconf_gnome_disable_autorun added to stig profile.

Recommended tests to execute:
 build_product rhel7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_automount
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_automount
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_automount_open
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_automount_open
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_autorun
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml dconf_gnome_disable_autorun
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel7-ds.xml ncp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel7-ds.xml stig

@redhatrises redhatrises merged commit 97874a3 into ComplianceAsCode:master Nov 4, 2020
@ggbecker ggbecker modified the milestones: 0.1.53, 0.1.54 Nov 10, 2020
@ggbecker ggbecker deleted the add-stig-RHEL-07-020111 branch November 10, 2020 12:46
@marcusburghardt marcusburghardt added RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related. labels Jun 23, 2022