Remove specific metadata in shared Bash remediations #7254
Conversation
It seems to me that it was not intentional. |
|
I did the same with Ansible, and that will be it. |
fba10e0 to
63c44e5
Compare
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
There was a problem hiding this comment.
This is originally only for SLE. Do you want to include it also in rhel?
There was a problem hiding this comment.
This is definitely a problem. The rule.yml uses package installed template. This should either be reverted or the file should be split into two: sle12.yml and sle15.yml
There was a problem hiding this comment.
Now actually documented in #7291
| . /usr/share/scap-security-guide/remediation_functions | ||
| declare var_accounts_minimum_age_login_defs |
There was a problem hiding this comment.
I don't think this is needed anymore.
| . /usr/share/scap-security-guide/remediation_functions | ||
| declare var_accounts_password_warn_age_login_defs |
There was a problem hiding this comment.
I don't think this is needed anymore.
| @@ -1,4 +1,4 @@ | |||
| # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux | |||
| # platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux | |||
There was a problem hiding this comment.
Why not multi_platform_all here?
There was a problem hiding this comment.
Good point, the rule has an opt-in prodtype, so there is no reason to be too careful here.
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
| # platform = multi_platform_all | |||
There was a problem hiding this comment.
This is originally for SLE only... is that OK?
...missions/files/permissions_within_important_dirs/dir_permissions_library_dirs/bash/shared.sh
Show resolved
Hide resolved
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
| # platform = multi_platform_all | |||
There was a problem hiding this comment.
Also this one originally SLE only?
| @@ -1,4 +1,4 @@ | |||
| # platform = multi_platform_sle | |||
| # platform = multi_platform_all | |||
There was a problem hiding this comment.
Also this is SLE only
linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
Show resolved
Hide resolved
...counts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
Show resolved
Hide resolved
|
I can't answer the Ansible applicability questions before I take off for my PTO, so if you don't want to seek the answers by yourselves, then please split the PR and use only the first commit. |
63c44e5 to
5a88638
Compare
When a rule has exactly one shared.sh file, then cases when remediation shouldn't be performed are extremely rare, and they should be handled by means of the more flexible jinja macros.
5a88638 to
1958119
Compare
|
I have split the more controversial Ansible remediations to another PR. |
Remove specific metadata in shared Bash remediations (cherry picked from commit 6446ebb)
This PR improves the problematic situation with remediations for different products and the respective metadata.
When a rule has exactly one
shared.shfile, then cases when remediation shouldn't be performed are extremely rare, and even then they should be handled by means of the more flexible jinja macros.accounts_password_warn_age_login_defsandaccounts_minimum_age_login_defsgot their remediations that were specialized for no good reason unified.Question: Is there any reason that e.g. https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule_forward/rule.yml had RHEV-only remediation? The history doesn't indicate it at all. (answered below - there is no reason).
Fixes: #7246
This PR has been separated from its Ansible counterpart, as Ansible remediations in the project are more tricky regarding product-specificity.