{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":434595942,"defaultBranch":"master","name":"content","ownerLogin":"rhmdnd","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2021-12-03T12:54:37.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/94937504?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1724096796.0","currentOid":""},"activityList":{"items":[{"before":"ab3a185d05783e18438f96533f347757be23feed","after":"0ad4684a389f275a4b3148e22144bb5c83684a85","ref":"refs/heads/master","pushedAt":"2024-08-21T19:49:03.000Z","pushType":"push","commitsCount":9,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12315 from rhmdnd/fix-manual-spo-remediation\n\nFix manual remediation for SPO rule","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2474079455\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12315\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12315/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12315\">ComplianceAsCode#12315</a> from rhmdnd/fix-manual-spo-…"}},{"before":"72743aa58b3c01d7a000a8027b3b01e9c477593d","after":"7d1a1c7d67f2f6e3d60dd8e4cc324b555aa48384","ref":"refs/heads/fix-manual-spo-remediation","pushedAt":"2024-08-21T13:44:57.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"yuumasato","name":"Watson Yuuma Sato","path":"/yuumasato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/7460169?s=80&v=4"},"commit":{"message":"Fix remediation subscription name","shortMessageHtmlLink":"Fix remediation subscription name"}},{"before":"a9231d7b2a8475c5bebccd46774041ed67a7ba1c","after":"72743aa58b3c01d7a000a8027b3b01e9c477593d","ref":"refs/heads/fix-manual-spo-remediation","pushedAt":"2024-08-21T07:07:16.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"yuumasato","name":"Watson Yuuma Sato","path":"/yuumasato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/7460169?s=80&v=4"},"commit":{"message":"Fix spo-install metadata indentation","shortMessageHtmlLink":"Fix spo-install metadata indentation"}},{"before":"213450e99348b5aeca440a1aca200edf2006a562","after":"a9231d7b2a8475c5bebccd46774041ed67a7ba1c","ref":"refs/heads/fix-manual-spo-remediation","pushedAt":"2024-08-20T19:31:16.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Fix manual remediation for SPO rule\n\nWe have a manual remediation for installing SPO, but it was failing\nin our e2e suite with the following error:\n\n  fork/exec /go/src/github.com/ComplianceAsCode/content/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh: permission denied\n\nThis commit updates the script so that it's executable and doesn't fail\nwhen applied.","shortMessageHtmlLink":"Fix manual remediation for SPO rule"}},{"before":"aa881c3d0d589eb8e726bed948eb572b0ed84636","after":"ab3a185d05783e18438f96533f347757be23feed","ref":"refs/heads/master","pushedAt":"2024-08-20T19:31:03.000Z","pushType":"push","commitsCount":16,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12317 from yuumasato/add_e2e_spo-install.yaml\n\nAdd forgotten e2e manual remediation","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2475804301\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12317\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12317/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12317\">ComplianceAsCode#12317</a> from yuumasato/add_e2e_spo-…"}},{"before":"d484bc73bb255884ff80bd746925861063b376d6","after":"aa881c3d0d589eb8e726bed948eb572b0ed84636","ref":"refs/heads/master","pushedAt":"2024-08-20T14:04:07.000Z","pushType":"push","commitsCount":37,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12298 from ericeberry/master\n\nUbuntu 22.04 STIG V2R1 changes","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2464019646\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12298\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12298/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12298\">ComplianceAsCode#12298</a> from ericeberry/master"}},{"before":null,"after":"213450e99348b5aeca440a1aca200edf2006a562","ref":"refs/heads/fix-manual-spo-remediation","pushedAt":"2024-08-19T19:46:36.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Fix manual remediation for SPO rule\n\nWe have a manual remediation for installing SPO, but it was failing\nin our e2e suite with the following error:\n\n  fork/exec /go/src/github.com/ComplianceAsCode/content/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh: permission denied\n\nThis commit updates the script so that it's executable and doesn't fail\nwhen applied.","shortMessageHtmlLink":"Fix manual remediation for SPO rule"}},{"before":"d468c126903179ca171c88b2223187bb6259365a","after":"d484bc73bb255884ff80bd746925861063b376d6","ref":"refs/heads/master","pushedAt":"2024-08-19T19:42:07.000Z","pushType":"push","commitsCount":34,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12312 from yuumasato/fix_chronyd_remote_server_dir_path_regex\n\nFix chronyd remote server filepath dir regex","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2472998947\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12312\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12312/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12312\">ComplianceAsCode#12312</a> from yuumasato/fix_chronyd_…"}},{"before":"3f447d3999368c82c52624c7482c62df337a32cc","after":"3c24d289a2eb4df9476542197623b65c72d40232","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-08-14T22:19:48.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Add kubelet tls ingresscontroller rule to CIS benchmarks\n\nThis rule was originally written for CIS benchmarks, but somewhere along\nthe way it was refactored out. This could have been due to a re-indexing\nof the controls from the benchmark.\n\nThis commit adds the rule back into the CIS profiles so that it's run\nwith all supports CIS benchmarks.\n\nWe should be able to prevent against regressions by including it to the\ne2e rule assertion files.","shortMessageHtmlLink":"Add kubelet tls ingresscontroller rule to CIS benchmarks"}},{"before":"990d4d5871abf7ddd530f98c9adb3681a0705c91","after":"d468c126903179ca171c88b2223187bb6259365a","ref":"refs/heads/master","pushedAt":"2024-08-14T22:19:30.000Z","pushType":"push","commitsCount":43,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12270 from jan-cerny/RHEL-45018\n\nExtend mount_option_nodev_nonroot_local_partitions","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2450384412\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12270\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12270/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12270\">ComplianceAsCode#12270</a> from jan-cerny/RHEL-45018"}},{"before":"2bda2e0443b653d54e5f4fc7a8a1dd75879e9f25","after":"ca60c1aeffc4ef6e32e4af220c882f09c31449ae","ref":"refs/heads/add-ocp-4.17-assertion-files","pushedAt":"2024-08-14T13:30:33.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update rule assertion for CNI config permissions\n\nThese rules were failing in the past because the networking operator\ncreated the file with permissions of 644. That's been tightened, so this\nrule is passing by default for 4.17:\n\n  openshift/cluster-network-operator#2106","shortMessageHtmlLink":"Update rule assertion for CNI config permissions"}},{"before":"b4b4b7b2b2d5136e49cc65c4e6248225945e6ec1","after":"2bda2e0443b653d54e5f4fc7a8a1dd75879e9f25","ref":"refs/heads/add-ocp-4.17-assertion-files","pushedAt":"2024-08-14T12:52:59.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update rule assertion for CNI config permissions\n\nThese rules were failing in the past because the networking operator\ncreated the file with permissions of 644. That's been tightened, so this\nrule is passing by default for 4.17:\n\n  openshift/cluster-network-operator#2106","shortMessageHtmlLink":"Update rule assertion for CNI config permissions"}},{"before":"b370c112963524f31254e298a731df61cb232677","after":"3f447d3999368c82c52624c7482c62df337a32cc","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-08-13T13:13:49.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Add kubelet tls ingresscontroller rule to CIS benchmarks\n\nThis rule was originally written for CIS benchmarks, but somewhere along\nthe way it was refactored out. This could have been due to a re-indexing\nof the controls from the benchmark.\n\nThis commit adds the rule back into the CIS profiles so that it's run\nwith all supports CIS benchmarks.\n\nWe should be able to prevent against regressions by including it to the\ne2e rule assertion files.","shortMessageHtmlLink":"Add kubelet tls ingresscontroller rule to CIS benchmarks"}},{"before":"94ae023c015b050e5e2e9af3d971bd043783db77","after":"990d4d5871abf7ddd530f98c9adb3681a0705c91","ref":"refs/heads/master","pushedAt":"2024-08-12T20:55:19.000Z","pushType":"push","commitsCount":9,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12290 from Xeicker/create_ol10\n\nCreate OL10 product","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2458802008\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12290\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12290/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12290\">ComplianceAsCode#12290</a> from Xeicker/create_ol10"}},{"before":null,"after":"d29e5a88cbdfe6cbe6b8a49760a9a90209b689c6","ref":"refs/heads/OCPBUGS-38314-fix-permission-ocil-wording","pushedAt":"2024-08-12T13:47:38.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"OCPBUGS-38314: Update OCIL permissions to be consistent with check\n\nA previous commit updated the checks for\nfile_permissions_kube_controller_manager to use 0600 while updating the\nCIS profile to align with version 1.4.0:\n\n  https://github.com/ComplianceAsCode/content/commit/26bce1c1611b20b5b7c8958f00b8bc8f7707257e#diff-d306ac1866706221acd21ee7acf9f5bfabf5edd1e710dba121fa67a9de7ddfe3\n\nHowever, the OCIL macros weren't updated, which means they were still\nusing the 644 permissions in rendered versions of the rule, which caused\nconfusion for readers.\n\nThis commit updates the OCIL by changing the inputs of the macros so\nthey're consistent with the permissions the check is looking for.","shortMessageHtmlLink":"OCPBUGS-38314: Update OCIL permissions to be consistent with check"}},{"before":"ce7a8e0a4d2e95dc661060265d6c0265f8bdea19","after":"94ae023c015b050e5e2e9af3d971bd043783db77","ref":"refs/heads/master","pushedAt":"2024-08-10T05:14:07.000Z","pushType":"push","commitsCount":65,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12251 from vojtapolasek/sshd_lineinfile_variables\n\nAdd support for XCCDF variables into sshd_lineinfile template","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2441962156\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12251\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12251/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12251\">ComplianceAsCode#12251</a> from vojtapolasek/sshd_line…"}},{"before":"218674648c644d18ddc8cc22fa2e670c567f2d0c","after":"b370c112963524f31254e298a731df61cb232677","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-08-09T17:10:30.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Add kubelet tls ingresscontroller rule to CIS benchmarks\n\nThis rule was originally written for CIS benchmarks, but somewhere along\nthe way it was refactored out. This could have been due to a re-indexing\nof the controls from the benchmark.\n\nThis commit adds the rule back into the CIS profiles so that it's run\nwith all supports CIS benchmarks.\n\nWe should be able to prevent against regressions by including it to the\ne2e rule assertion files.","shortMessageHtmlLink":"Add kubelet tls ingresscontroller rule to CIS benchmarks"}},{"before":null,"after":"cf14fc82c824bfc07a7a0084c02e445733775929","ref":"refs/heads/pci-dss-requirement-12","pushedAt":"2024-08-07T21:45:35.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"OpenShift: Update PCI-DSS Requirement 12.10\n\nThis requirement focuses on how personnel are trained, respond to\nincidents, and update incident response plans. While OpenShift enables\nthese requirements through logging, alerts, and notification system\nintegration, the processes for educating and developing incident\nresponse plans is left as an exercise for the entity processing card\nholder data.","shortMessageHtmlLink":"OpenShift: Update PCI-DSS Requirement 12.10"}},{"before":"f14e0832e9a38b39eac1895ce773724a2afb4778","after":"ce7a8e0a4d2e95dc661060265d6c0265f8bdea19","ref":"refs/heads/master","pushedAt":"2024-08-07T21:07:34.000Z","pushType":"push","commitsCount":13,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12274 from ComplianceAsCode/dependabot/github_actions/mikepenz/release-changelog-builder-action-5\n\nBump mikepenz/release-changelog-builder-action from 5.0.0.pre.rc01 to 5","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2452124398\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12274\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12274/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12274\">ComplianceAsCode#12274</a> from ComplianceAsCode/depen…"}},{"before":"44e7084258e023838831ec57994df860cacd2d81","after":"b4b4b7b2b2d5136e49cc65c4e6248225945e6ec1","ref":"refs/heads/add-ocp-4.17-assertion-files","pushedAt":"2024-08-05T20:01:39.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update usb guard rules for RHCOS4 moderate CI\n\nThese rules are passing on 4.17, so let's update them so we assert\npassing status in subsuquent runs.","shortMessageHtmlLink":"Update usb guard rules for RHCOS4 moderate CI"}},{"before":null,"after":"44e7084258e023838831ec57994df860cacd2d81","ref":"refs/heads/add-ocp-4.17-assertion-files","pushedAt":"2024-08-05T16:55:11.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Add OCP and RHCOS assertion files for 4.17\n\nThis will make it so we can get clean periodic CI runs using the latest\nversion of OCP.","shortMessageHtmlLink":"Add OCP and RHCOS assertion files for 4.17"}},{"before":"24b82a95cf6dd4d4ab00c6209399c94aa960e8bc","after":"f14e0832e9a38b39eac1895ce773724a2afb4778","ref":"refs/heads/master","pushedAt":"2024-08-05T16:22:49.000Z","pushType":"push","commitsCount":58,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12217 from sluetze/fix-instructions-output\n\nfix xccdf_value substitution with dotnotation","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2427562944\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12217\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12217/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12217\">ComplianceAsCode#12217</a> from sluetze/fix-instructio…"}},{"before":"3b73daa501bc6b7c7b25bee8434684c160d833d8","after":"669664218b4b81cf9f26a20d6e23899176954c30","ref":"refs/heads/fix-ca-manual-remediation","pushedAt":"2024-07-31T13:38:43.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Generate a temp certificate for OCP4 Trusted CA remediation\n\nLately, we've been experiencing issues with manual remediations timing\nout during functional testing. This manifests in the following error:\n\n   === RUN   TestE2e/Apply_manual_remediations\n    <snip>\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/networking/default_ingress_ca_replaced/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/general/file_integrity_notification_enabled/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1231: Command '/tmp/content-3345141771/applications/openshift/authentication/idp_is_configured/tests/ocp4/e2e-remediation.sh' timed out\n\nIn this particular case, it looks like the remediation to add an\nIdentity Provider to the cluster failed, but this is actually an\nunintended side-effect of another change that updated the\nidp_is_configured remediation to use a more robust technique for\ndetermining if the cluster applied the remediation successfully:\n\n  https://github.com/ComplianceAsCode/content/pull/12120\n  https://github.com/ComplianceAsCode/content/pull/12184\n\nBecause we updated the remediation to use `oc adm\nwait-for-stable-cluster`, we're effectively checking all cluster\noperators to ensure they're healthy.\n\nThis started causing timeouts because a separate, unrelated remediation\nwas also getting applied in our testing that updated the default CA, but\ndidn't include a ConfigMap that contained the CA bundle. As a result,\none of the operators didn't come up because it was looking for a\nConfigMap that didn't exist. The `oc adm wait-for-stable-cluster`\ncommand was hanging on a legitimate issue in a separate remediation.\n\nThis commit attempts to fix that issue by updating the trusted CA\nremediation by creating a configmap for the expected certificate bundle.","shortMessageHtmlLink":"Generate a temp certificate for OCP4 Trusted CA remediation"}},{"before":"7049b4f398ff67a22fe9aced12359b8d87329414","after":"61a3a48023d8e3629dd987c612fc773252ee2e37","ref":"refs/heads/update-cis-1.2.31","pushedAt":"2024-07-30T22:43:40.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update status for CIS 1.2.31\n\nWe implemented support for checking aesgcm encryption ciphers in\nhttps://github.com/ComplianceAsCode/content/pull/10974 but never removed\nthe comment or updated the status in the control file. This commit\nupdates the status since it's now automated to include both ciphers.","shortMessageHtmlLink":"Update status for CIS 1.2.31"}},{"before":"d9086f6c3f5d1392e1116486d5a5208c8cba7f8d","after":"24b82a95cf6dd4d4ab00c6209399c94aa960e8bc","ref":"refs/heads/master","pushedAt":"2024-07-30T22:43:24.000Z","pushType":"push","commitsCount":77,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Merge pull request #12240 from marcusburghardt/release_helper_dates\n\nAlign release date calculation with documentation","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2437430919\" data-permission-text=\"Title is private\" data-url=\"https://github.com/ComplianceAsCode/content/issues/12240\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/ComplianceAsCode/content/pull/12240/hovercard\" href=\"https://github.com/ComplianceAsCode/content/pull/12240\">ComplianceAsCode#12240</a> from marcusburghardt/releas…"}},{"before":"d9290cfb960ddcdba96864bb8487149e76f57455","after":"3b73daa501bc6b7c7b25bee8434684c160d833d8","ref":"refs/heads/fix-ca-manual-remediation","pushedAt":"2024-07-30T22:11:49.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Generate a temp certificate for OCP4 Trusted CA remediation\n\nLately, we've been experiencing issues with manual remediations timing\nout during functional testing. This manifests in the following error:\n\n   === RUN   TestE2e/Apply_manual_remediations\n    <snip>\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/networking/default_ingress_ca_replaced/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/general/file_integrity_notification_enabled/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1231: Command '/tmp/content-3345141771/applications/openshift/authentication/idp_is_configured/tests/ocp4/e2e-remediation.sh' timed out\n\nIn this particular case, it looks like the remediation to add an\nIdentity Provider to the cluster failed, but this is actually an\nunintended side-effect of another change that updated the\nidp_is_configured remediation to use a more robust technique for\ndetermining if the cluster applied the remediation successfully:\n\n  https://github.com/ComplianceAsCode/content/pull/12120\n  https://github.com/ComplianceAsCode/content/pull/12184\n\nBecause we updated the remediation to use `oc adm\nwait-for-stable-cluster`, we're effectively checking all cluster\noperators to ensure they're healthy.\n\nThis started causing timeouts because a separate, unrelated remediation\nwas also getting applied in our testing that updated the default CA, but\ndidn't include a ConfigMap that contained the CA bundle. As a result,\none of the operators didn't come up because it was looking for a\nConfigMap that didn't exist. The `oc adm wait-for-stable-cluster`\ncommand was hanging on a legitimate issue in a separate remediation.\n\nThis commit attempts to fix that issue by updating the trusted CA\nremediation by creating a configmap for the expected certificate bundle.","shortMessageHtmlLink":"Generate a temp certificate for OCP4 Trusted CA remediation"}},{"before":"e7a5e8996d55ea0f5ffc76dfc9828b3e94f30282","after":"d9290cfb960ddcdba96864bb8487149e76f57455","ref":"refs/heads/fix-ca-manual-remediation","pushedAt":"2024-07-26T21:50:33.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Generate a temp certificate for OCP4 Trusted CA remediation\n\nLately, we've been experiencing issues with manual remediations timing\nout during functional testing. This manifests in the following error:\n\n   === RUN   TestE2e/Apply_manual_remediations\n    <snip>\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/networking/default_ingress_ca_replaced/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/general/file_integrity_notification_enabled/tests/ocp4/e2e-remediation.sh'\n    helpers.go:1231: Command '/tmp/content-3345141771/applications/openshift/authentication/idp_is_configured/tests/ocp4/e2e-remediation.sh' timed out\n\nIn this particular case, it looks like the remediation to add an\nIdentity Provider to the cluster failed, but this is actually an\nunintended side-effect of another change that updated the\nidp_is_configured remediation to use a more robust technique for\ndetermining if the cluster applied the remediation successfully:\n\n  https://github.com/ComplianceAsCode/content/pull/12120\n  https://github.com/ComplianceAsCode/content/pull/12184\n\nBecause we updated the remediation to use `oc adm\nwait-for-stable-cluster`, we're effectively checking all cluster\noperators to ensure they're healthy.\n\nThis started causing timeouts because a separate, unrelated remediation\nwas also getting applied in our testing that updated the default CA, but\ndidn't include a ConfigMap that contained the CA bundle. As a result,\none of the operators didn't come up because it was looking for a\nConfigMap that didn't exist. The `oc adm wait-for-stable-cluster`\ncommand was hanging on a legitimate issue in a separate remediation.\n\nThis commit attempts to fix that issue by updating the trusted CA\nremediation by generating a certificate for testing purposes.","shortMessageHtmlLink":"Generate a temp certificate for OCP4 Trusted CA remediation"}},{"before":"79db34709356ebec37079f647d18c3a9bff4cde1","after":"218674648c644d18ddc8cc22fa2e670c567f2d0c","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-07-26T21:19:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Add kubelet tls ingresscontroller rule to CIS benchmarks\n\nThis rule was originally written for CIS benchmarks, but somewhere along\nthe way it was refactored out. This could have been due to a re-indexing\nof the controls from the benchmark.\n\nThis commit adds the rule back into the CIS profiles so that it's run\nwith all supports CIS benchmarks.\n\nWe should be able to prevent against regressions by including it to the\ne2e rule assertion files.","shortMessageHtmlLink":"Add kubelet tls ingresscontroller rule to CIS benchmarks"}},{"before":"dc7c6baedfb896c468939b8db3ec787bc80a5ca8","after":"79db34709356ebec37079f647d18c3a9bff4cde1","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-07-26T21:05:50.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update ciphers in ingress controller remediation\n\nSince we're updating the recommended OCIL, we can also update the\nremediation shipped with the content so that it matches. This will allow\nusers to apply a remediation that updates their TLS ciphers so their\neither Recommended or Secure.\n\nThis commit has a dependency on a permission change to the operator\ncluster role so that it can actually apply the remediation at runtime:\n\n  https://github.com/ComplianceAsCode/compliance-operator/pull/558","shortMessageHtmlLink":"Update ciphers in ingress controller remediation"}},{"before":"5ac861147f16b4c5b614fe0b97034bc346521875","after":"dc7c6baedfb896c468939b8db3ec787bc80a5ca8","ref":"refs/heads/CMP-2196-update-ingress-operator-ciphers","pushedAt":"2024-07-26T18:34:12.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"rhmdnd","name":"Lance Bragstad","path":"/rhmdnd","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/94937504?s=80&v=4"},"commit":{"message":"Update TLS ciphers for ingress controller rule\n\nThe following ciphers are all supported with TLS v1.3, but we weren't\nchecking for them in the OpenShift ingress controller configuration:\n\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n\nThis commit updates the regular expression in the rule to check for\nthose ciphers so the check doesn't fail if OpenShift is using them.\n\nIt also add some formatting to the rule so it's consistent with other\nTLS-related rules, like for the API server.\n\nThe following ciphers were listed in the \"old\" profile, or insecure, which should\nonly be used as a last resort for server TLS configuration:\n\n  - AES128-GCM-SHA256\n  - AES256-GCM-SHA384\n  - DHE-RSA-AES128-GCM-SHA256\n  - DHE-RSA-AES256-GCM-SHA384\n\nThis commit removes them from the ingress controller rule so that it\nfails if a cluster is using these ciphers.\n\nReferences:\n  - https://wiki.mozilla.org/Security/Server_Side_TLS\n  - https://docs.openssl.org/1.1.1/man1/ciphers/","shortMessageHtmlLink":"Update TLS ciphers for ingress controller rule"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEoJSfZAA","startCursor":null,"endCursor":null}},"title":"Activity · rhmdnd/content"}