Conversation

@mrkanon mrkanon commented May 15, 2025

Description:

  • Add new rule rpm_verify_crypto_policies
  • Select rule for OL09-00-000244
  • Add test for rpm_verify_crypto_policies

Rationale:

Align OL9 STIG profile with DISA STIG OL9 V1R1

mrkanon added 3 commits May 15, 2025 16:47
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 15, 2025
openshift-ci bot commented May 15, 2025

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@Mab879 Mab879 left a comment

The CI failure is valid.

Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@github-actions

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@Mab879 Mab879 left a comment

Mostly changes based on the style guide.

# complexity = high
# disruption = medium

- name: "Read files with incorrect hash"
Suggested change
- name: "Read files with incorrect hash"
- name: "{{{ rule_title }}} - Read files with incorrect hash"

# disruption = medium

- name: "Read files with incorrect hash"
command: rpm -V crypto-policies
Suggested change
command: rpm -V crypto-policies
ansible.builtin.command: rpm -V crypto-policies

check_mode: False

- name: "Reinstall packages of files with incorrect hash"
command: "{{{ pkg_manager }}} reinstall -y crypto-policies"
Suggested change
command: "{{{ pkg_manager }}} reinstall -y crypto-policies"
ansible.builtin.command: "{{{ pkg_manager }}} reinstall -y crypto-policies"

@@ -0,0 +1,38 @@
documentation_complete: true

Suggested change

The double space is from us removing prodtype; it is not needed.

@@ -0,0 +1,7 @@
# platform =multi_platform_ol
Suggested change
# platform =multi_platform_ol
# platform = multi_platform_ol

failed_when: files_with_incorrect_hash.rc > 1
check_mode: False

- name: "Reinstall packages of files with incorrect hash"
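Review bot: the reinstall task that begins at the end of this hunk should be conditioned on the verify result, e.g. `when: files_with_incorrect_hash.rc == 1`, unless a later line already does so; `failed_when: files_with_incorrect_hash.rc > 1` deliberately tolerates rc 1 (rpm -V found discrepancies) and fails only on higher exit codes, so rc 1 is the signal that a reinstall is needed and rc 0 should skip it.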
Add rule_title here as well.
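As an added shell example (not code from this PR or from the ComplianceAsCode project), this shows how the `rpm -V crypto-policies` result that the tasks above rely on is interpreted: the exit-status mapping behind `failed_when: ... rc > 1`, and extraction of the files whose digest differs. The function names and the sample rpm -V output are constructed for the example.

```shell
#!/bin/sh
# Interpret `rpm -V <package>` the way the remediation does.
# rpm -V exits 0 when every file verifies, 1 when at least one file
# shows a discrepancy, and higher values for errors; the task's
# `failed_when: rc > 1` therefore tolerates 1 and fails only on errors.

# Constructed sample of rpm -V output. Each line is a 9-character
# attribute field (S M 5 D L U G T P), an optional file-type flag
# (c = config file) and the path. A '5' in the third column means the
# on-disk digest no longer matches the one recorded in the rpm database.
SAMPLE_RPM_V='S.5....T.  c /etc/crypto-policies/config
.......T.    /usr/share/crypto-policies/DEFAULT/bind.txt
missing     /usr/share/crypto-policies/DEFAULT/gnutls.txt
.M.......    /usr/share/crypto-policies/policies/DEFAULT.pol'

# Print the paths whose digest ('5') differs; reads rpm -V output on stdin.
# Lines starting with "missing" carry no attribute field, so skip them here.
digest_mismatches() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" { print $NF }'
}

# Print the paths that rpm reports as absent from disk.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Map the rpm -V exit status to the remediation's decision:
# 0 -> clean (nothing to do), 1 -> reinstall, anything else -> error
# (the Ansible task fails instead of reinstalling).
classify_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo reinstall ;;
        *) echo error ;;
    esac
}

# Stand-alone run against the constructed sample: on a real host replace
# the printf with `rpm -V crypto-policies` and feed its exit status to classify_rc.
printf '%s\n' "$SAMPLE_RPM_V" | digest_mismatches
printf '%s\n' "$SAMPLE_RPM_V" | missing_files
```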

@Mab879 Mab879 self-assigned this May 19, 2025
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@github-actions

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@qlty-cloud-legacy

Code Climate has analyzed commit a533d0f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 added this to the 0.1.78 milestone May 21, 2025
@Mab879 Mab879 left a comment

Thanks.

@Xeicker can you please look at this as well?

@Mab879 Mab879 added Oracle Linux Oracle Linux product related. New Rule Issues or pull requests related to new Rules. STIG STIG Benchmark related. labels May 21, 2025
@Xeicker Xeicker left a comment

LGTM


mrkanon commented May 21, 2025

@Mab879

Is it possible to be part of v0.1.77?
If that is possible, what is the process to do that?

@vojtapolasek
Collaborator

Hello @mrkanon, unfortunately this rule will not make it into the stabilization branch. As written in our documentation, the stabilization branch should only receive fixes to issues which are discovered during the extensive testing performed during the stabilization phase.
https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer/10_stabilization_phase.md
Nevertheless, I am happy to merge this PR against master.
Thank you for understanding.

@vojtapolasek vojtapolasek merged commit 46ab916 into ComplianceAsCode:master May 22, 2025
91 of 98 checks passed
@mrkanon mrkanon deleted the OL09-00-000244 branch May 22, 2025 16:47
@mrkanon mrkanon mentioned this pull request May 22, 2025