Update the profile STIG for OL9 #12021
Conversation
Make the stig.profile use this control file Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
|
Hi @mrkanon. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffOVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified' differs.
--- oval:ssg-installed_OS_is_FIPS_certified:def:1
+++ oval:ssg-installed_OS_is_FIPS_certified:def:1
@@ -4,6 +4,7 @@
extend_definition oval:ssg-installed_OS_is_rhcos4:def:1
extend_definition oval:ssg-installed_OS_is_ol7:def:1
extend_definition oval:ssg-installed_OS_is_ol8:def:1
+extend_definition oval:ssg-installed_OS_is_ol9:def:1
extend_definition oval:ssg-installed_OS_is_sle12:def:1
extend_definition oval:ssg-installed_OS_is_sle15:def:1
extend_definition oval:ssg-installed_OS_is_ubuntu1604:def:1 |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
| @@ -4,7 +4,7 @@ | |||
| <criteria operator="OR"> | |||
| <criterion comment="Check offline_credentials_expiration in /etc/sssd/sssd.conf" | |||
| test_ref="test_sssd_offline_cred_expiration" /> | |||
| {{% if product in ["ol8", "rhel8"] %}} | |||
| {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} | |||
There was a problem hiding this comment.
Could someone of @ComplianceAsCode/red-hatters validate this is also applicable to rhel9
It seems like it should be from here: https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-12-01/finding/V-258133
marcusburghardt
added
Oracle Linux
marcusburghardt
added
RHEL
package_ypserv_removed, The package is not available in OL9 chronyd_specify_remote_server, This has a similar functionality to chronyd_server_directive sshd_disable_compression, For OpenSSH sshd 7.4 and newer 'Compression yes' should not trigger any warnings sshd_use_priv_separation, The parameter is not available in OL9 kerberos_disable_no_keytab, This requirement is not applicable. Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
Add the conditional for OL9 and RHEL9 Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
dconf_gdm_dir in product.yml var_accounts_tmout in stig_ol9.yml var_sudo_timestamp_timeout in stig_ol9.yml section stig_ol9 in stig.profile Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
|
@Xeicker the author sent a force-push after the approval. We have to review the whole PR again before merging it. @mrkanon whenever possible, avoid overwriting existing commits after a review. It is fine to create an additional commit with the new changes. It also makes the review process easier. |
|
Code Climate has analyzed commit 5f7d160 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
@marcusburghardt @Xeicker The changes in the push-force were to clean up the commit history since in the Adjust variables in product OL9 commit some lines with unresolved conflicts were published which were resolved in the Final commit of fix build problems, some have also been eliminated final spaces. |
|
@marcusburghardt Hi, sure I'll check it complete. |
|
The errors are not in the scope of this MR so I'll merge it The errors are: & |
Description:
STIG profiles for OL9 are updated based on preliminary DISA requirements
Rationale:
This is a draft set variables and rules within the profile to better align with DISA STIG draft for OL9