Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational #12824

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational #12824

wants to merge 2 commits into from
+8 −4

Conversation

vojtapolasek
Copy link
Collaborator

Description:

  • make the rule not scored and informational in both rhel9 stig and stig_gui profiles
  • update profile stability files

Rationale:

I think is is a ballanced approach. DISA allows exceptions to the rule, if operationally required and documented. At the same time, users can make the rule scored and enforced with proper tailoring.

Review Hints:

  • perform a scan with both stig and stig_gui profile on rhel9 and check results
  • the rule should be marked as informational and remediation should not be applied

@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates. STIG STIG Benchmark related. labels Jan 14, 2025
@vojtapolasek vojtapolasek added this to the 0.1.76 milestone Jan 14, 2025
@vojtapolasek vojtapolasek requested a review from a team as a code owner January 14, 2025 13:16
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Mab879 Mab879 self-assigned this Jan 14, 2025
@Mab879
Copy link
Member

Mab879 commented Jan 14, 2025

@vojtapolasek please rebase to fix the required CI tests.

@vojtapolasek
rhel9 stig: make rule syscl_user_max_user_namespaces not scored and i…
11197be 
…nformational

The rule can conflict with some services which use Systemd PrivateUsers feature, such as irqbalance.
Therefore, we do not enforce the rule and it is kept there as informational only.
@vojtapolasek
rhel9 stig_gui: add rule back, it stays informational and does no harm
21ef5b3
@vojtapolasek vojtapolasek force-pushed the stig_make_user_namespaces_not_scored branch from 8bcd3d4 to 21ef5b3 Compare January 15, 2025 07:55
@vojtapolasek
Copy link
Collaborator Author

@Mab879 done.

@codeclimate CodeClimate
Copy link

codeclimate bot commented Jan 15, 2025

Code Climate has analyzed commit 21ef5b3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.8% (0.0% change).

View more on Code Climate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@Mab879 Mab879

Labels
bugfix Fixes to reported bugs. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.76
Development

Successfully merging this pull request may close these issues.
2 participants
@vojtapolasek @Mab879