
Update ANSSI BP28 profiles in rhel10 product #12351

Merged
merged 7 commits into from
Sep 17, 2024

Conversation

vojtapolasek
Collaborator

@vojtapolasek vojtapolasek commented Aug 29, 2024

Description:

  • revise list of excluded rules; remove some exclusions and add comments
  • make some modifications to the content (I can propose them as separate PR if needed). The reason is so that the content can be tested without much noise.
    • remove dedicated ssh group owning private ssh keys because RHEL 10 no longer uses it
    • the aide.conf directive for database location has changed, I changed it in the content as well

Rationale:

  • add content to rhel10 product

Review Hints:

./build_product rhel10
cd tests
./ds_unselect_rules.sh ../build/ssg-rhel10-ds.xml unselect_rules_list
python automatus.py profile --libvirt <your_qemu_connection> <your_vm_name> --datastream /tmp/ssg-rhel10-ds.xml anssi_bp28_high

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 29, 2024

openshift-ci bot commented Aug 29, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@vojtapolasek vojtapolasek changed the title create ANSSI BP28 profiles in rhel10 product WIP: create ANSSI BP28 profiles in rhel10 product Aug 29, 2024
@vojtapolasek
Collaborator Author

@Mab879 @marcusburghardt as you worked with some profile in rhel10 product recently... could you voice your opinion on rules which I made no longer excluded from the ANSSI profile? It was not clear to me why they were actually excluded. Thank you.


github-actions bot commented Aug 29, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12351
This image was built from commit: ebb1265

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12351

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12351 make deploy-local

@vojtapolasek
Collaborator Author

Hello @Mab879 and thank you. Issues you highlighted were caused by copying over files from RHEL 9. I fixed that.

Member

@marcusburghardt marcusburghardt left a comment

RHEL10 is using yescrypt by default instead of SHA512. Could you update the variables, please?
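A defender-side check for the point above, added here as an example that is not part of this PR or of the ComplianceAsCode project: it classifies the crypt(3) prefix of each /etc/shadow password hash and reports accounts whose hash was not produced with yescrypt (the RHEL 10 default) so that stale SHA-512 hashes from an older install are visible. The sample shadow entries are constructed placeholders, not real hashes; the prefix table is the standard crypt(3) convention.

```python
from dataclasses import dataclass

# Standard crypt(3) hash prefixes and the algorithm each one identifies
HASH_PREFIXES = {
    "$y$": "yescrypt",
    "$7$": "scrypt",
    "$6$": "sha512",
    "$5$": "sha256",
    "$1$": "md5",
}


@dataclass
class Finding:
    user: str
    algorithm: str
    expected: str


def hash_algorithm(field: str) -> str:
    """Classify the password field (second field) of an /etc/shadow entry."""
    # Empty, "*", "!", "!!" or "!<hash>" mean no usable password or a locked account
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-empty"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def audit_shadow(shadow_text: str, expected: str = "yescrypt") -> list:
    """Return one Finding per account whose hash does not use `expected`.
    Locked accounts and accounts without a password hash are skipped."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        algo = hash_algorithm(pw)
        if algo != "locked-or-empty" and algo != expected:
            findings.append(Finding(user, algo, expected))
    return findings


# Constructed sample /etc/shadow content: salts and hashes are placeholders
SAMPLE_SHADOW = """\
root:$y$j9T$SALTSALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASH:19600:0:99999:7:::
legacy:$6$SALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASH:19000:0:99999:7:::
svc:!!:19600::::::
bin:*:19600::::::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user}: hash uses {f.algorithm}, expected {f.expected}")
```

Run it against a copy of the real file with `audit_shadow(open("/etc/shadow").read())` as root; an empty result means every active account already carries a yescrypt hash.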

@marcusburghardt marcusburghardt added ANSSI ANSSI Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Aug 30, 2024
@marcusburghardt marcusburghardt added this to the 0.1.75 milestone Aug 30, 2024
@vojtapolasek vojtapolasek added the Update Profile Issues or pull requests related to Profiles updates. label Aug 30, 2024
@marcusburghardt
Member

marcusburghardt commented Sep 3, 2024

@Mab879 @marcusburghardt as you worked with some profile in rhel10 product recently... could you voice your opinion on rules which I made no longer excluded from the ANSSI profile? It was not clear to me why they were actually excluded. Thank you.

It was also not clear to me the reason some of the rules were excluded. But your updates make sense to me. You only need to ensure these rules have CCEs for RHEL 10.

@marcusburghardt marcusburghardt self-assigned this Sep 3, 2024
@vojtapolasek vojtapolasek marked this pull request as ready for review September 9, 2024 14:49
@vojtapolasek vojtapolasek requested a review from a team as a code owner September 9, 2024 14:49
@vojtapolasek vojtapolasek changed the title WIP: create ANSSI BP28 profiles in rhel10 product Update ANSSI BP28 profiles in rhel10 product Sep 9, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 9, 2024
@marcusburghardt
Member

@Mab879 @marcusburghardt as you worked with some profile in rhel10 product recently... could you voice your opinion on rules which I made no longer excluded from the ANSSI profile? It was not clear to me why they were actually excluded. Thank you.

It was also not clear to me the reason some of the rules were excluded. But your updates make sense to me. You only need to ensure these rules have CCEs for RHEL 10.

@vojtapolasek the CCEs errors are still present.

@vojtapolasek
Collaborator Author

@marcusburghardt I added missing CCEs.

the old directive still works, but it will be deprecated in the future
revise list of unselected rules
add comments to better explain why a rule is excluded
The Ansible remediation does not work as expected.
Member

@marcusburghardt marcusburghardt left a comment

My local tests worked fine testing the profile and remediating with Ansible. However, when remediating with Bash the automatus test finishes with error. I isolated the problem and it is related to the service_sssd_enabled rule. I saw some issues with this rule and intend to fix them soon. But for now, could you also remove this rule from the RHEL 10 Draft profiles, please?

@marcusburghardt
Member

service_sssd_enabled

@vojtapolasek, I would recommend removing the following rules from RHEL 10 profiles for now so we can merge this PR:

  • sssd_enable_pam_services
  • sssd_ldap_configure_tls_reqcert
  • sssd_ldap_start_tls

I am working on these rules in #12378 but it will still take some time to organize all these SSSD related rules.


codeclimate bot commented Sep 17, 2024

Code Climate has analyzed commit ebb1265 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

Member

@marcusburghardt marcusburghardt left a comment

Nice work @vojtapolasek . Thanks

@marcusburghardt marcusburghardt merged commit 5b1ef7c into ComplianceAsCode:master Sep 17, 2024
99 of 100 checks passed