
Align RHEL 7 CIS control file with CIS v4.0.0 - Section 6 #11452

Merged
merged 30 commits into from
Jan 25, 2024

Conversation

jan-cerny
Collaborator

Description:

In this PR, we change the control file, change references, add existing rules. But, we don't add new rules, and we don't modify other content.

Rationale:

Align RHEL 7 CIS control file with CIS v4.0.0

@jan-cerny jan-cerny added RHEL7 Red Hat Enterprise Linux 7 product related. CIS CIS Benchmark related. labels Jan 17, 2024
@jan-cerny jan-cerny added this to the 0.1.72 milestone Jan 17, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 17, 2024

openshift-ci bot commented Jan 17, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


@jan-cerny jan-cerny marked this pull request as ready for review January 17, 2024 10:44
@jan-cerny jan-cerny requested a review from a team as a code owner January 17, 2024 10:44
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 17, 2024
@jan-cerny
Collaborator Author

/packit retest-failed

@jan-cerny
Collaborator Author

/packit retest-failed

@vojtapolasek vojtapolasek self-assigned this Jan 17, 2024
Collaborator

@vojtapolasek vojtapolasek left a comment


Hello and thank you for the update. Looks quite good, but please see my comments.

- file_groupowner_backup_etc_group
- file_owner_backup_etc_group
- file_permissions_backup_etc_group
status: partial
Collaborator


Why partial status when we don't have the rule at all?

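The review question above (a control marked `partial` whose listed rules do not exist in the content) is the kind of inconsistency a small lint over the control file can catch before review. The following is an added example written for this thread, not code from the ComplianceAsCode project or the PR. It assumes the `controls/cis_rhel7.yml` layout of a `controls` list whose entries carry `id`, `title`, `status` and `rules`; the control ids and titles in the sample are constructed, the rule ids are the ones named in this thread, and `KNOWN_RULES` stands in for the set of rule ids that actually exist in the content.

```python
"""Lint a ComplianceAsCode-style control file for rule/status consistency.

Added example for this PR thread, not code from the ComplianceAsCode project.
It flags a control that claims automated or partial coverage while listing
rules that do not exist in the content, or no rules at all.
"""
from __future__ import annotations

import re

# Constructed sample in the layout of controls/cis_rhel7.yml (assumed shape:
# a ``controls`` list whose entries carry id, title, status and rules).
# Control ids and titles are constructed; the rule ids come from the thread.
SAMPLE_CONTROLS_YAML = """\
controls:
  - id: 6.1.7
    title: constructed control for the /etc/group- backup file
    status: partial
    rules:
      - file_groupowner_backup_etc_group
      - file_owner_backup_etc_group
      - file_permissions_backup_etc_group
  - id: 6.2.9
    title: constructed control for user .netrc files
    status: automated
    rules:
      - accounts_users_netrc_file_permissions
  - id: 6.2.10
    title: constructed control that claims partial coverage without rules
    status: partial
"""

# Constructed stand-in for the rule ids present in the content; in the real
# project this set would be gathered from the rule.yml files.
KNOWN_RULES = frozenset({
    "accounts_users_netrc_file_permissions",
    "no_netrc_files",
    "accounts_user_dot_no_world_writable_programs",
})

# Statuses that assert some automated coverage and therefore need rules
# (assumption about the status vocabulary, limited to the two used here).
STATUSES_NEEDING_RULES = frozenset({"automated", "partial"})

_CONTROL_START = re.compile(r"^  - id:\s*(\S+)\s*$")
_FIELD = re.compile(r"^    (\w+):\s*(.*?)\s*$")
_RULE_ITEM = re.compile(r"^      - (\S+)\s*$")


def parse_controls(text: str) -> list[dict]:
    """Parse the YAML subset used above without a YAML library.

    Only the fixed indentation of the sample is supported; this keeps the
    example dependency-free and is not a general YAML parser.
    """
    controls: list[dict] = []
    current: dict | None = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("controls:"):
            continue
        if m := _CONTROL_START.match(line):
            current = {"id": m.group(1), "rules": []}
            controls.append(current)
        elif current is None:
            raise ValueError(f"field outside any control: {line!r}")
        elif m := _RULE_ITEM.match(line):
            current["rules"].append(m.group(1))
        elif m := _FIELD.match(line):
            key, value = m.groups()
            if key != "rules":  # rule items follow on the next lines
                current[key] = value
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return controls


def lint_controls(controls: list[dict], known_rules: frozenset[str]) -> list[tuple[str, str]]:
    """Return (control id, finding) pairs for inconsistent controls."""
    findings: list[tuple[str, str]] = []
    for control in controls:
        cid, status, rules = control["id"], control.get("status", ""), control["rules"]
        missing = [r for r in rules if r not in known_rules]
        for rule in missing:
            findings.append((cid, f"rule {rule} is not present in the content"))
        if status in STATUSES_NEEDING_RULES:
            if not rules:
                findings.append((cid, f"status {status} but no rules are listed"))
            elif len(missing) == len(rules):
                findings.append((cid, f"status {status} but none of the listed rules exist"))
    return findings


def run_sample() -> list[tuple[str, str]]:
    """Lint the constructed sample; used by the __main__ block below."""
    return lint_controls(parse_controls(SAMPLE_CONTROLS_YAML), KNOWN_RULES)


if __name__ == "__main__":
    for cid, message in run_sample():
        print(f"{cid}: {message}")
```

Run against the sample, the lint reports the three non-existent `backup_etc_group` rules and the resulting "partial but none of the listed rules exist" finding for the first control, nothing for the `.netrc` control, and a "partial but no rules" finding for the last one. In a real checkout the `KNOWN_RULES` set would be built from the rule directories and the control file loaded with a YAML library instead of the fixed-indentation parser used here.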
@jan-cerny
Collaborator Author

The CI fail on Rawhide is caused by aio-libs/multidict#926 and isn't related to the pull request.

@jan-cerny
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch.

@jan-cerny
Collaborator Author

/packit retest-failed

Use accounts_users_netrc_file_permissions instead of no_netrc_files
to better align with the CIS Benchmark.
The rule accounts_user_dot_no_world_writable_programs is not aligned
with the policy requirement, it checks permissions of files executed by
the dot files. Also, we should clarify the situation about remediation
of .forward and .rhost files.
@jan-cerny
Collaborator Author

I have rebased this PR on top of the latest upstream master branch. I have added rules related to /etc/shells to the control 6.1.9.


codeclimate bot commented Jan 24, 2024

Code Climate has analyzed commit a2c8a2c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

@jan-cerny
Collaborator Author

/packit retest-failed

@vojtapolasek
Collaborator

Hello @jan-cerny and thank you for updates to this PR. I think the PR is ready to be merged, let's just wait for CI.

@jan-cerny
Collaborator Author

/packit retest-failed

@vojtapolasek
Collaborator

The failing build on Rawhide is not caused by this PR; it is caused by a problem in Rawhide. This PR does not touch rules related to k8s, so I am merging it.

@vojtapolasek vojtapolasek merged commit 1cab60c into ComplianceAsCode:master Jan 25, 2024
41 of 43 checks passed