Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V1r2 #37

Merged
merged 60 commits into from
May 21, 2024
Merged

V1r2 #37

merged 60 commits into from
May 21, 2024

Conversation

wdower
Copy link
Contributor

@wdower wdower commented Apr 4, 2024

Initializing profile repo at v1r2.

@wdower
257777
1a75d90 
Signed-off-by: wdower <will@dower.dev>
@wdower
adding 257779, adding inspec.yml from rhel8 to get started
cb659e6 
Signed-off-by: wdower <will@dower.dev>
@wdower
adding in RHEL8 content to those RHEL9 controls where it applies (del…
6e4e0ed 
…ta not run yet)

Signed-off-by: wdower <will@dower.dev>
@wdower
running delta to update RHEL8 controls with RHEL9 metadata
820c0c1 
Signed-off-by: wdower <will@dower.dev>
@wdower wdower self-assigned this Apr 4, 2024
@wdower
fixing the hardened controls
a41c52b 
Signed-off-by: wdower <will@dower.dev>
@wdower
merging in pipeline upgrades
d6f103b 
Signed-off-by: wdower <will@dower.dev>
wdower and others added 19 commits April 10, 2024 22:41
@wdower
linitng
1ef3a67 
Signed-off-by: wdower <will@dower.dev>
@wdower
adding local config files to gitignore
3c48338 
Signed-off-by: wdower <will@dower.dev>
@wdower
adding -y to disa kitchenfile
e617a1e 
Signed-off-by: wdower <will@dower.dev>
@wdower
adding local cinc-auditor install for convenience in testing
44a83ec 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
SV-257783
cf37fb1 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
filling in tests up through 257789
5558755 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
adding status tracker
4eb506d 
Signed-off-by: wdower <will@dower.dev>
@wdower
gitignore update
b1d729c 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 257850
20d0a7a 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 257896
cab734b 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
typo -- descibe --> describe
f2cfc88 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
refactoring the mode checks to all use one big hash input for ease of…
f7fd697 
… use (can add keys to the hash for other file mode checks later

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
crontab ownership checks
a7d9ab7 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 25977 -- fixed up the kernel ipv4 and ipv6 controls to ONL…
c1d9e31 
…Y have the 'is_router' caveat if that caveat is explicitly described in the check text

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 257991
60d50de 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 258032
bdf7e37 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
up through 258094
7c8584e 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
lint
847d11e 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@aaronlippold
pinning parser version until next release
6ac711c 
Signed-off-by: Aaron Lippold <lippold@gmail.com>
@wdower
v1r2
f339df8 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower wdower requested a review from Amndeep7 May 6, 2024 17:15
Amndeep7
Amndeep7 requested changes May 6, 2024
View reviewed changes
.github/workflows/lint-profile.yml Show resolved Hide resolved
.github/workflows/verify-container.yml Outdated Show resolved Hide resolved
.github/workflows/verify-container.yml Outdated Show resolved Hide resolved
.gitignore Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
controls/SV-257800.rb Show resolved Hide resolved
controls/SV-257800.rb Outdated Show resolved Hide resolved
controls/SV-257803.rb Outdated Show resolved Hide resolved
controls/SV-257803.rb Show resolved Hide resolved
controls/SV-257809.rb Outdated Show resolved Hide resolved
Amndeep7
Amndeep7 requested changes May 7, 2024
View reviewed changes
controls/SV-257811.rb Outdated Show resolved Hide resolved
controls/SV-257811.rb Outdated Show resolved Hide resolved
.github/workflows/verify-container.yml Show resolved Hide resolved
Amndeep7
Amndeep7 requested changes May 7, 2024
View reviewed changes
controls/SV-257814.rb Show resolved Hide resolved
controls/SV-257816.rb Outdated Show resolved Hide resolved
controls/SV-257817.rb Outdated Show resolved Hide resolved
controls/SV-257817.rb Outdated Show resolved Hide resolved
controls/SV-257818.rb Outdated Show resolved Hide resolved
controls/SV-257843.rb Outdated Show resolved Hide resolved
controls/SV-257844.rb Show resolved Hide resolved
controls/SV-257847.rb Show resolved Hide resolved
controls/SV-257848.rb Outdated Show resolved Hide resolved
controls/SV-257850.rb Show resolved Hide resolved
wdower added 7 commits May 7, 2024 19:00
@wdower
cleanup -- re-added push pipeline triggers, removed 'WIP' from README…
84e2121 
…, bumped upload-artifact version, removed unneeded pipeline step

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
removing errant references to rhel8
7fb702d 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing grubby controls to use the right check command
64d3f70 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
updating 257800
de5e71e 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing wrong input in 257803 and rhel8 version check in 257782
4ea22b3 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
removing unneeded input from inspec.yml and fixing wrong control code…
4a1b5d1 
… in 257937

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing filenames with commit hashes in the actions workflows to avoid…
9e3a470 
… name conflicts

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Amndeep7
Amndeep7 requested changes May 15, 2024
View reviewed changes
controls/SV-257867.rb Show resolved Hide resolved
controls/SV-257867.rb Show resolved Hide resolved
controls/SV-257869.rb Outdated Show resolved Hide resolved
controls/SV-257869.rb Show resolved Hide resolved
controls/SV-257879.rb Outdated Show resolved Hide resolved
controls/SV-257882.rb Show resolved Hide resolved
controls/SV-257887.rb Outdated Show resolved Hide resolved
inspec.yml Outdated Show resolved Hide resolved
inspec.yml Show resolved Hide resolved
controls/SV-257889.rb Show resolved Hide resolved
wdower and others added 3 commits May 15, 2024 15:12
@wdower
making all controls that handle kernel settings consistent in approac…
8d4f02a 
…h, adding some caveat inputs for network settings that need to be enabled

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
removing outdated version checks from rhel8
42ba91a 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower @Amndeep7
Update controls/SV-257843.rb
c12b2a7 
Co-authored-by: Amndeep Singh Mann <me@asm.works>
Amndeep7
Amndeep7 requested changes May 15, 2024
View reviewed changes
controls/SV-257803.rb
}

parameter = 'kernel.core_pattern'
value = 1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
value = 1
value = "|/bin/false"

controls/SV-257843.rb Outdated Show resolved Hide resolved
controls/SV-257843.rb Outdated Show resolved Hide resolved
controls/SV-257890.rb
!virtualization.system.eql?('docker')
}

exempt_home_users = input('exempt_home_users')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

input naming is inconsistent - sometimes 'exempt' vs 'exemptions' and having that keyword at the beginning or end of the name (beginning here, others have it at the end)

controls/SV-257890.rb Outdated Show resolved Hide resolved
controls/SV-257894.rb
@@ -23,4 +23,14 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257895.rb
@@ -23,4 +23,14 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257896.rb
@@ -23,4 +23,14 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257897.rb
@@ -23,4 +23,14 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257898.rb
@@ -23,4 +23,10 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

Amndeep7
Amndeep7 requested changes May 16, 2024
View reviewed changes
controls/SV-257899.rb
@@ -23,4 +23,10 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257899.rb

describe file('/etc/group') do
it { should exist }
its('group') { should cmp 'root' }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can't we use the grouped_into function here?

this comment applies to all the controls that are having us (as opposed to presumably the resource) directly do string comparison to check the group

Suggested change
its('group') { should cmp 'root' }
it { should be_grouped_into 'root' }

controls/SV-257900.rb
@@ -23,4 +23,10 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257901.rb
@@ -23,4 +23,10 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257902.rb
@@ -23,4 +23,10 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257924.rb

audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']

failing_tools = audit_tools.reject { |at| file(at).owned_by?('root') }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

huh, I think I like reject better than the filter NOTs that have been happening elsewhere. maybe this could be added as another todo item on the consistency fixes issue?

controls/SV-257925.rb

audit_tools = ['/sbin/auditctl', '/sbin/aureport', '/sbin/ausearch', '/sbin/autrace', '/sbin/auditd', '/sbin/rsyslogd', '/sbin/augenrules']

failing_tools = audit_tools.reject { |at| file(at).group == 'root' }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should probably still be using the grouped_into func instead of doing a straight string comparison

Suggested change
failing_tools = audit_tools.reject { |at| file(at).group == 'root' }
failing_tools = audit_tools.reject { |at| file(at).grouped_into? 'root' }

controls/SV-257926.rb
@@ -29,4 +29,15 @@
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host', 'container'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
tag 'host', 'container'
tag 'host'
tag 'container'

controls/SV-257926.rb Show resolved Hide resolved
controls/SV-257928.rb Show resolved Hide resolved
wdower and others added 11 commits May 17, 2024 15:25
@wdower
linting 257843
79a23c7 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
more cleanup
fbe7c1a 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower @Amndeep7
Update inspec.yml
d8f9237 
Co-authored-by: Amndeep Singh Mann <me@asm.works>
@wdower
more cleanup
cdb588d 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
typo'd vars in 257869
03522bf 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
removing short sha from the filename everywhere except the push to He…
b81e946 
…imdall for an easier time hooking it up with kitchen

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
typo'd '}' in disa workflow
30e420d 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
adding caveat to catch case where NetworkManager not installed for 25…
9194018 
…7949

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing service param checks in 257818
d2079fc 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing missing var in 257869
7bf0290 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower
fixing ubi9 pipeline to use the actual ubi9 threshold files
f0b1d95 
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
@wdower wdower merged commit b3e65d8 into main May 21, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Amndeep7 Amndeep7 Amndeep7 requested changes

@aaronlippold aaronlippold Awaiting requested review from aaronlippold

@jrmetzger jrmetzger Awaiting requested review from jrmetzger

@em-c-rod em-c-rod Awaiting requested review from em-c-rod

Assignees

@wdower wdower

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wdower @Amndeep7 @aaronlippold