bring up to date #1
Merged
Eric-Domeier merged 967 commits into Eric-Domeier:master from … on Dec 14, 2025
Renaming test for accounts_root_gid_zero
Enhance the SSHD runtime configuration checking by updating the path for the compliance operator's runtime effective config file to a temp file. Modify the OVAL macros to conditionally adjust the criteria operator based on the runtime check status, ensuring accurate compliance checks.
…ck_deny_root rule
… template Enable sle16 support for the template
…nd common-account for sle
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@08c6903...93cb6ef)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Thanks to @Mab879 for noting 🙇
…ions/actions/checkout-5.0.1 Bump actions/checkout from 5.0.0 to 5.0.1
This is a new parameter that defaults to false. Update the test data so that it's included in product stability.
Replaced pkg_resources with a custom RequirementParser. It implements just enough of pkg_resources.Requirement to work for our project. Fixes: #13902
…riodic_check Fix aide periodic check remediation for sle15/sle16
…content_rule_set_loopback_traffic #14093 - script for checking iptable rules
This change aligns the RHEL 8, 9 and 10 CIS profiles with respective CIS Benchmarks. We add rule file_at_allow_exists to RHEL CIS profiles and we change the expected permissions according to CIS. Resolves: https://issues.redhat.com/browse/OPENSCAP-6086
The rule has_nonlocal_mta currently checks for services listening only on port 25, but the policy also checks for ports 465 and 587. The content was already updated for other distros to include these extra criteria, so we simply enable that part of the code for RHEL. This change aligns our CIS profiles with the latest CIS Benchmarks on RHEL 8, 9 and 10. Resolves: https://issues.redhat.com/browse/OPENSCAP-6083
automate controls regarding maxseq in RHEL 8 and 9 CIS
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
…iguration check to a fixed "AND" instead of conditionally based on the runtime check status. This change simplifies the logic and ensures consistent behavior in compliance checks.
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.11 to 8.0.0.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@22a9089...98357b1)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
It seems that ospp reference is not autogenerated from the control file.
…nabled Add accounts_password_pam_unix_enabled to RHEL 10 CIS
Fix `mount_option_boot_efi_nosuid` test scenarios
If we specify these branches, only pull requests coming from these sources will trigger the atex testing workflow, but we need to trigger it for every branch.
The branches are not supposed to be there since we want to run this job on pull requests that will come from any branch from any fork of the project.
update audit_rules_networkconfig_modification for Debian
…ions/JamesIves/github-pages-deploy-action-4.7.6 Bump JamesIves/github-pages-deploy-action from 4.7.4 to 4.7.6
…ions/peter-evans/create-pull-request-8.0.0 Bump peter-evans/create-pull-request from 7.0.11 to 8.0.0
Remove the branches from the compare-ds workflow_run target
…itten: rsyslog_files_groupownership, rsyslog_files_ownership, rsyslog_files_permissions. Most likely this is what caused the change: https://gitlab.com/redhat/centos-stream/rpms/rsyslog/-/merge_requests/49/diffs
CIS Benchmarks for all RHEL versions (8, 9, 10) permit using both sha512 and yescrypt algorithms for password hashing. However, users shouldn't mix them to use both at once. Users should choose one of them and use it consistently. Therefore, our rules need to specify a single specific algorithm. Users can switch to the other one in their profiles by changing the value of the `var_password_hashing_algorithm_pam` variable in tailoring files. We will add a warning to these rules to explain this situation to users. Resolves: https://issues.redhat.com/browse/OPENSCAP-6100
…ion. A line in the rsyslog conf file such as `#kern.* action(type="omfile" file="/dev/console")` would get in the way of the remediation and be considered a valid log file; with this modification such files are excluded.
Cover cases where File can be part of some other longer word, so the regex considers File as a whole word; also make it case insensitive.
Our ansible remediation that includes the line /var/log/cron adds the line with only one space, and the previous regex was not matching the line with one space only. This update will also catch the case where the line has only one space between the first and second parameters. For example: "cron.* /var/log/cron".
In the rsyslog configuration it's also possible to use a single space between parameters and our ansible remediation for rsyslog_cron_logging does that. https://github.com/ComplianceAsCode/content/blob/2185de1165a2af8daab63acaa6d73503dc89fbc0/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/ansible/shared.yml#L23
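The three rsyslog parsing fixes described in the commit messages above (skipping commented lines, matching `file` as a whole word case-insensitively, and accepting a single space in the cron logging line) can be exercised with a small checker. The following is an added example, not code from the ComplianceAsCode project; the regexes and the sample configuration are constructed here.

```python
import re

# Constructed sample rsyslog configuration; it is not taken from any real system.
SAMPLE_CONF = """\
# Log cron stuff
cron.* /var/log/cron
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
#kern.* action(type="omfile" file="/dev/console")
authpriv.*  action(type="omfile" File="/var/log/secure")
mail.* action(type="omfile" Template="mailfmt" file="/var/log/maillog")
"""

# Traditional syntax: selector, one or more spaces/tabs, then an absolute path
# (optionally prefixed with "-" for asynchronous writes).
TRADITIONAL_RE = re.compile(r'^\s*(?P<sel>[^\s#]+)\s+-?(?P<path>/\S+)\s*$')
# RainerScript syntax: the omfile "file" parameter, matched as a whole word and
# case-insensitively, so File= and file= are both found while "omfile" or
# "Template" are not.
RAINER_RE = re.compile(r'\bfile\s*=\s*"(?P<path>/[^"]+)"', re.IGNORECASE)
# cron logging: "cron.*", one OR MORE spaces/tabs, then /var/log/cron.
CRON_RE = re.compile(r'^\s*cron\.\*\s+-?/var/log/cron\s*$')


def is_comment(line: str) -> bool:
    """A line whose first non-blank character is '#' is a comment."""
    return line.lstrip().startswith('#')


def log_files(conf: str) -> list[str]:
    """Return log file paths configured via either syntax, ignoring comments."""
    found = []
    for line in conf.splitlines():
        if is_comment(line) or not line.strip():
            continue
        m = TRADITIONAL_RE.match(line)
        if m:
            found.append(m.group('path'))
            continue
        m = RAINER_RE.search(line)
        if m:
            found.append(m.group('path'))
    return found


def has_cron_logging(conf: str) -> bool:
    """True if an uncommented line sends cron.* to /var/log/cron."""
    return any(CRON_RE.match(line) for line in conf.splitlines()
               if not is_comment(line))
```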
Add ATEX testing to the upstream CI workflows
Add a warning about hashing algorithms
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...8e8c483)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Use Sequoia in RHEL 10 instead of GPG
…ions/actions/checkout-6.0.1 Bump actions/checkout from 6.0.0 to 6.0.1
Fix rsyslog rules due to change in how the configuration files are written
Eric-Domeier pushed a commit that referenced this pull request on Jan 18, 2026
Added more updates for rsyslog, sssd, etc...
Description:
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes # Issue number here (e.g. Updating sysctl XCCDF naming ComplianceAsCode/content#26) or remove this line if no issue exists.
Review Hints:
Review hints here. Replace this text. Don't use the italics format!
Use this optional section to give any relevant information which could help the reviewer to more quickly and assertively understand and test the changes.
Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc.