Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added a new rule accounts_password_set_warn_age_existing #10006

Merged
merged 5 commits into from
Mar 3, 2023
Merged

Added a new rule accounts_password_set_warn_age_existing #10006

merged 5 commits into from
Mar 3, 2023

Conversation

rumch-se
Copy link
Contributor

Description:

  • _A new SLE 12/15 rule _

Rationale:

  • The rule covers CIS requirement 5.4.1.4 Ensure password expiration warning days is 7 or more (Automated). It can be extended to cover similar requirement for other vendors

@rumch-se rumch-se requested a review from a team as a code owner December 21, 2022 17:09
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Dec 21, 2022
@openshift-ci
Copy link

openshift-ci bot commented Dec 21, 2022

Hi @rumch-se. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Dec 21, 2022
@github-actions
Copy link

github-actions bot commented Dec 21, 2022
edited
Loading

Start a new ephemeral environment with changes proposed in this pull request:

sle12 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@rumch-se rumch-se force-pushed the accounts_password_set_warn_age_existing branch from 47c5977 to 2a16324 Compare December 22, 2022 10:27
@openshift-merge-robot openshift-merge-robot added needs-rebase Used by openshift-ci bot. and removed needs-rebase Used by openshift-ci bot. labels Dec 22, 2022
@Mab879 Mab879 added this to the 0.1.66 milestone Jan 4, 2023
@Mab879 Mab879 added SLES SUSE Linux Enterprise Server product related. New Rule Issues or pull requests related to new Rules. labels Jan 6, 2023
@rumch-se rumch-se force-pushed the accounts_password_set_warn_age_existing branch from 2a16324 to 75ccb1b Compare January 11, 2023 11:01
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Jan 11, 2023
@jan-cerny jan-cerny assigned jan-cerny and unassigned jan-cerny Jan 12, 2023
@vojtapolasek vojtapolasek modified the milestones: 0.1.66, 0.1.67 Jan 24, 2023
@marcusburghardt marcusburghardt self-assigned this Jan 26, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jan 26, 2023
marcusburghardt
marcusburghardt requested changes Jan 31, 2023
View reviewed changes
...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml Outdated Show resolved Hide resolved
...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml Show resolved Hide resolved
...-restrictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml Outdated Show resolved Hide resolved
...-restrictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml Show resolved Hide resolved
...nts-restrictions/password_expiration/accounts_password_set_warn_age_existing/oval/shared.xml Outdated Show resolved Hide resolved
...word_expiration/accounts_password_set_warn_age_existing/tests/incorrect_pas_warn_age.fail.sh Outdated Show resolved Hide resolved
...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml Outdated Show resolved Hide resolved
...-restrictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml Outdated Show resolved Hide resolved
...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml Outdated Show resolved Hide resolved
...ssword_expiration/accounts_password_set_warn_age_existing/tests/correct_pas_warn_age.pass.sh Outdated Show resolved Hide resolved
@marcusburghardt
Copy link
Member

Besides the comments, also rebase and resolve the conflict, please.

@rumch-se rumch-se force-pushed the accounts_password_set_warn_age_existing branch from 75ccb1b to d9061bd Compare February 6, 2023 12:20
@rumch-se rumch-se force-pushed the accounts_password_set_warn_age_existing branch from d9061bd to 04cdada Compare February 6, 2023 12:32
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Feb 6, 2023
@rumch-se
Copy link
Contributor Author

rumch-se commented Feb 6, 2023

Hello @marcusburghardt

Thank you for your feedback.
I have made all proposed corrections
Have a nice day
Rumen

marcusburghardt
marcusburghardt reviewed Feb 7, 2023
View reviewed changes
...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml
ocil: |-
Verify that {{{ full_name }}} has configured the warning that a password will be expiring for each user account
is number of days or greater, according to the days specified with the variable
var_accounts_password_warn_age_login_defs, with the following command:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also here, I believe the previous text was better. It was only necessary to change 7 by {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here was not updated in the last commit.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rumch-se , did you note this comment from my first review? We already know the value of var_accounts_password_warn_age_login_defs at this point. So, we can inform the value itself instead of mentioning the variable name literally. If the user is reading this, he has to stop the flow and go to another place to consult the variable value. I believe this experience is improved by promptly providing the necessary information. This is also valid for the description.

@rumch-se
Copy link
Contributor Author

Hello @marcusburghardt

The proposed changes were done.
Have a nice day
Rumen

marcusburghardt
marcusburghardt requested changes Feb 27, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are still some small details pending from the last review.

...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml
ocil: |-
Verify that {{{ full_name }}} has configured the warning that a password will be expiring for each user account
is number of days or greater, according to the days specified with the variable
var_accounts_password_warn_age_login_defs, with the following command:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here was not updated in the last commit.

...s/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml Outdated Show resolved Hide resolved
@rumch-se
Copy link
Contributor Author

Hello @marcusburghardt

I hope that now the last commit is correct 3342b9b

Have a nice day
Rumen

@rumch-se
Copy link
Contributor Author

Hello @marcusburghardt
With the last change in the .html guide we have
++
Configure non-compliant accounts, and give users time to come up with a secure password, warning them in advance about the expiration of their current password. The variable var_accounts_password_warn_age_login_defs=7, defines how many days the user's password will remain valid, and he/she will receive a warning notification about. The next command set ups this for not-compliant user's account:

$ sudo chage --warndays $var_accounts_password_warn_age_login_defs USER
++
Have a nice day
Rumen

@marcusburghardt
Copy link
Member

{{{ xccdf_value

Hi @rumch-se , this approach of explicitly informing the variable name in the rule description and other sections is not wrong, but is not a practice in the project. I would recommend to keep this rule aligned to the project practices. It would also make the description shorter and easier to read, IMO.

Please, take a look in some examples of rules which uses a variable to dynamically render the description and other sections:

@rumch-se
Copy link
Contributor Author

rumch-se commented Mar 2, 2023

Hello @marcusburghardt
I made the description part shorter. I used as an example the rule password_warn_age_login_defs
Have a nice day
Rumen

@codeclimate
Copy link

codeclimate bot commented Mar 2, 2023

Code Climate has analyzed commit b02737e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (2.2% change).

View more on Code Climate.

marcusburghardt
marcusburghardt approved these changes Mar 3, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the rule @rumch-se .

@marcusburghardt
Copy link
Member

Automatus CS8 and CS9 are failing because the rule is restricted to sle products in its prodtype parameter.

@marcusburghardt
Copy link
Member

Overriding CODEOWNERS since a SUSE approver is not currently available.

@marcusburghardt marcusburghardt merged commit b27dc40 into ComplianceAsCode:master Mar 3, 2023
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@marcusburghardt marcusburghardt

Labels
needs-ok-to-test Used by openshift-ci bot. New Rule Issues or pull requests related to new Rules. SLES SUSE Linux Enterprise Server product related.
Projects
None yet
Milestone
0.1.67
Development

Successfully merging this pull request may close these issues.
6 participants
@rumch-se @marcusburghardt @Mab879 @vojtapolasek @jan-cerny @openshift-merge-robot