E8 ocp revisions #6587
Merged
4 commits
495afe3 Remove unnecessary rules from RHCOS e8 profile (shaneboulden)
940a8c1 Add additional RBAC/SCC controls to OCP e8 profile (shaneboulden)
54d91b9 Use NOSHA1 crypto policy for e8/rhcos (shaneboulden)
89b46f4 Update ASD crypto guidelines refs (shaneboulden)
Only one question: Why was the crypto policy changed from future to default and then default minus sha1?
btw also the link about the rules no longer works
Thanks @jhrozek for taking a look at this, I've updated the refs.
The ASD crypto guidelines only allow for SHA-2. When we first created the e8 profile for RHEL, the only available policy that prevented SHA-1 being used was 'future'. #5024
The 'NO-SHA1' policy module was subsequently added, and the e8 profile was revised. 9aa23b0
RHCOS followed a similar pattern - 'NO-SHA1' wasn't available initially, and 'future' was used instead. Now that 'default+NO-SHA1' is available, it's a better fit.
'default' was an oversight - it should have been 'future' -> 'default:NO-SHA1'. I initially pushed this, and then rebased over the top.
Thank you for the detailed reply and fixing the reference.