SLES-15-010360 rule by rumch-se · Pull Request #6929 · ComplianceAsCode/content · GitHub

SLES-15-010360 rule #6929

Merged
merged 2 commits into from
May 31, 2021
Conversation

rumch-se
Contributor

Description:

  • SLES-15-010360

Rationale:

@openscap-ci
Collaborator

Can one of the admins verify this patch?

@openshift-ci-robot
Collaborator

Hi @rumch-se. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 30, 2021
@vojtapolasek vojtapolasek self-assigned this Apr 30, 2021
Collaborator
@vojtapolasek vojtapolasek left a comment

Hello, thank you very much for the contribution. Please see review comments.

@vojtapolasek
Collaborator

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels May 4, 2021
@vojtapolasek
Collaborator

@openscap-ci test this please

@vojtapolasek vojtapolasek added this to the 0.1.56 milestone May 6, 2021
@jan-cerny
Collaborator

@openscap-ci test this please

@openscap-ci
Collaborator
openscap-ci commented May 7, 2021

Changes identified:
Rules:
 dir_system_commands_root_owned
Profiles:
 stig on sle15

Rule dir_system_commands_root_owned:
 Ansible remediation newly added.
 Bash remediation is newly added.
 OVAL check is newly added.
Profile stig on sle15:
 Rule dir_system_commands_root_owned added to stig profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-sle15-ds.xml dir_system_commands_root_owned
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-sle15-ds.xml dir_system_commands_root_owned
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml stig

@vojtapolasek
Collaborator

/retest

@vojtapolasek vojtapolasek modified the milestones: 0.1.56, 0.1.57 May 11, 2021
@vojtapolasek
Collaborator

Please rebase, thank you.

Update shared.yml
Update shared.xml
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
Update rule.yml
Added proposed blank lines
Update shared.sh
Changes in the code according to the recommendations
Update correct_owner.pass.sh
Update incorrect_owner.fail.sh
Update rule.yml
Proposed correction done
Update linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
@vojtapolasek
Collaborator

@openscap-ci ok to test

@vojtapolasek
Collaborator

@openscap-ci test this please

@ggbecker
Member

@openscap-ci test this please

@ggbecker
Member

It appears there is something wrong with the OVAL validation; see the output from the build:

oval:ssg-object_system_commands_dirs_ownership:obj:1 - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
oval:ssg-object_system_commands_dirs_ownership:obj:1 - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
oval:ssg-object_system_commands_dirs_ownership:obj:1 - the recurse behavior MUST not be used when a pattern match is used with a path entity.

@vojtapolasek
Collaborator

Hello @rumch-se, it seems that the OVAL specification does not allow using a pattern match with "path". It seems that you will have to rewrite it into multiple tests. But I believe you could use Jinja macros for that, for example as is done here:
https://github.com/ComplianceAsCode/content/blob/master/shared/templates/pam_options/oval.template#L11
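An added example, not code from this pull request: a small pre-build check for the three validation messages quoted above, run over a constructed object that mixes a pattern-match path with recursion behaviors and over a constructed rewrite that uses one literal-path object per directory. The directory list, the path regex and the suffixed object ids are assumptions made for illustration, and the check approximates the validation rule by testing whether the attributes are present.

```python
import xml.etree.ElementTree as ET

UNIX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Behaviors named in the three validation messages quoted in this thread.
FORBIDDEN = ("max_depth", "recurse_direction", "recurse")

def find_violations(oval_xml):
    """Return (object id, behavior) pairs where a file_object combines a
    pattern-match <path> with one of the FORBIDDEN behaviors."""
    hits = []
    for obj in ET.fromstring(oval_xml).iter(f"{{{UNIX_NS}}}file_object"):
        path = obj.find(f"{{{UNIX_NS}}}path")
        behaviors = obj.find(f"{{{UNIX_NS}}}behaviors")
        if path is None or behaviors is None:
            continue
        # OVAL entities default to operation="equals" when none is given.
        if path.get("operation", "equals") != "pattern match":
            continue
        hits += [(obj.get("id"), b) for b in FORBIDDEN if b in behaviors.attrib]
    return hits

def wrap(body):
    """Give a fragment a root element that declares the prefixes it uses."""
    return f'<objects xmlns:unix="{UNIX_NS}" xmlns:xsi="{XSI_NS}">{body}</objects>'

# Constructed sample: a single object with a regex path plus recursion behaviors.
REJECTED = wrap("""
  <unix:file_object id="object_system_commands_dirs_ownership" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"/>
    <unix:path operation="pattern match">^/(usr/)?s?bin$</unix:path>
    <unix:filename xsi:nil="true"/>
  </unix:file_object>""")

# Constructed rewrite: one object per literal directory, the shape a Jinja
# loop over a directory list would produce. DIRS and the ids are hypothetical.
DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
SPLIT = wrap("".join(f"""
  <unix:file_object id="object_system_commands_dirs_ownership_{i}" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"/>
    <unix:path operation="equals">{d}</unix:path>
    <unix:filename xsi:nil="true"/>
  </unix:file_object>""" for i, d in enumerate(DIRS)))

if __name__ == "__main__":
    for name, doc in (("rejected", REJECTED), ("split", SPLIT)):
        print(name, find_violations(doc))
```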

Changed the file shared.xml
@rumch-se
Contributor Author

@vojtapolasek - I have updated the file shared.xml

@openshift-ci
openshift-ci bot commented May 27, 2021

@rumch-se: The following tests failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/e2e-aws-ocp4-cis-node | d216eea | link | /test e2e-aws-ocp4-cis-node |
| ci/prow/e2e-aws-rhcos4-e8 | d216eea | link | /test e2e-aws-rhcos4-e8 |
| ci/prow/e2e-aws-rhcos4-moderate | d216eea | link | /test e2e-aws-rhcos4-moderate |
| ci/prow/e2e-aws-ocp4-cis | d216eea | link | /test e2e-aws-ocp4-cis |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@vojtapolasek
Collaborator

Thank you for the changes. Merging.

@vojtapolasek vojtapolasek merged commit f9b87bc into ComplianceAsCode:master May 31, 2021