If remediating into a drop-in file, the `ExecStart=` line (resetting the previous ExecStart definition) must precede the new definition.
…srv, /home to 512
…_selinux Add audit monitoring for SELinux policy changes in /var/lib/selinux
Remove Qlty from gating
…ks_part_sizes rhel kickstarts: decrease some partition sizes
…tition add rhel8 cce to it
Signed-off-by: Alan Moore <alan.moore@canonical.com>
Signed-off-by: Alan Moore <alan.moore@canonical.com>
…_option_nodev_local_parts_vfat mount_option_nodev_nonroot_local_partitions: ignore vfat partitions
…home_dirs_on_separate_partition Add rule accounts_user_interactive_home_directory_on_separate_partition
Co-authored-by: Matthew Burket <m@tthewburket.com>
…rver cryptopolicy
handled by special STIG subpolicy
Remove the package that was causing issues in installs
…dabot/github_actions/mikepenz/release-changelog-builder-action-6.1.1 Bump mikepenz/release-changelog-builder-action from 6.1.0 to 6.1.1
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.4 to 47.0.5.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@7dee1b0...22103cc)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…dabot/github_actions/tj-actions/changed-files-47.0.5 Bump tj-actions/changed-files from 47.0.4 to 47.0.5
…22-611060 Remove nullok from common-auth on Ubuntu
…_rhel_cis Move to service_dnsmasq_disabled for CIS in RHEL
Adjust RHEL 8 and RHEL 9 kickstarts to fit in 20 GB
We have discovered that after hardening a RHEL 9 system with the CIS profile, people can't install any RPM packages using dnf. Originally, we thought that the problem was caused by the recent PR ComplianceAsCode#14316, but it isn't caused by that, because the problem is reproducible also with the latest released version 0.1.79.

The actual reason is that the profile requires GPG checks everywhere, but the GPG key isn't installed, because the CIS profile doesn't contain the rule `ensure_redhat_gpgkey_installed` that would install the GPG key. The rule is listed in the CIS RHEL9 control file, but the requirement is manual. This is a bad user experience.

In the CIS Benchmark, the requirement is manual because of GPG keys for 3rd party repositories. But we add the rule `ensure_redhat_gpgkey_installed` to the profile, because requirement 1.2.1.2 adds `ensure_gpgcheck_never_disabled`, which requires GPG key checking. If the Red Hat GPG key isn't installed, people won't be able to install any RPM package using dnf. Therefore, we will add the rule `ensure_redhat_gpgkey_installed` to RHEL 9 CIS.
Add rule ensure_redhat_gpgkey_installed to RHEL 8 CIS and RHEL 10 CIS profiles, similar to the previous commit.
Adjust BSI and PCI DSS kickstarts
On RHEL 8, the GRUB configuration for UEFI is normally located at `/boot/efi/EFI/redhat`. However, in RHEL 8 cloud images (e.g. AWS) `/boot/efi/EFI/redhat/` contains a stub pointing to `/boot/grub2/`, and the actual configuration is located in the `/boot/grub2/` directory. Example stub in `/boot/efi/EFI/redhat/grub.cfg`:

```
search --no-floppy --set prefix --file /boot/grub2/grub.cfg
set prefix=($prefix)/boot/grub2
configfile $prefix/grub.cfg
```

In this commit, we extend the check to account for this special configuration of the cloud images.

Fixes: ComplianceAsCode#13211
Remove `invalid_username.fail.sh`, which configures an invalid GRUB user name. The reason is that starting from ComplianceAsCode#8438 the rule `grub2_uefi_password` no longer checks user names; it only checks passwords now, so an invalid user name can't make the rule fail.
Fix DISA alignment for configure_libreswan_crypto_policy
These rules configure hardware BIOS settings that vary by manufacturer and model. While we cannot provide specific step-by-step instructions that apply to all hardware, we now provide guidance directing users to consult their hardware vendor documentation.

This resolves test failures in CMP-3815 where these MANUAL rules were missing instructions:
- bios_disable_usb_boot
- wireless_disable_in_bios

These base rules generate the product-specific variants:
- rhcos4-high-master-bios-disable-usb-boot
- rhcos4-high-master-wireless-disable-in-bios
- rhcos4-high-worker-bios-disable-usb-boot
- rhcos4-high-worker-wireless-disable-in-bios

Related: ComplianceAsCode/compliance-operator#1051
add variable to network providers and add cilium by default
…add-bios-instructions CMP-3815: Add OCIL instructions for BIOS configuration rules
…/sle_package_tftp-server_removed Add tftp package definition for sle platforms
Add ensure_redhat_gpgkey_installed to RHEL CIS
…h-overrides-product-vars Parameterize SSH-related file paths via product properties (preserve current defaults)
Support RHEL 8 cloud images in GRUB 2 rules
…/fix_sle16_pam_options Fix sle16 pam options