
Conversation

@alanmcanonical
Contributor

@alanmcanonical alanmcanonical commented Jul 9, 2025

Description:

  • Add tests for gid < 1000
  • Only checks files with user execution permission
  • Remove unnecessary useradd
  • Never follow symbolic links in tests
  • Execute find in any "possible" directory
  • Enable user execute perm, which won't affect non-Ubuntu platform tests but will invalidate tests on the Ubuntu platform

Rationale:

  • The check content of STIG rule UBTU-24-300013 is: $ find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -perm -u=x -exec stat --format="%n %G" {} + | awk '$2 != "root" && $2 != "daemon" && $2 != "adm" && $2 != "shadow" && $2 != "mail" && $2 != "crontab" && $2 != "_ssh"', which only includes -perm -u=x
  • Only STIG Ubuntu 24.04 in Ubuntu uses this rule, so it's safe to add this STIG-only -perm -u=x change to ubuntu.xml
  • Complete [Ubuntu] Regard all gid <= gid_min as system account and whitelist them for system command files #13668
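A stand-alone shell version of the STIG check quoted in the description, added here as an example; it is not code from the PR or from the ComplianceAsCode test suite, and the function names are my own. It keeps the PR's refinements: only regular files with the user-execute bit, symlinks never followed, and find given only the candidate directories that exist.

```shell
#!/bin/sh
# Added example, not code from the PR or the ComplianceAsCode tests: a
# stand-alone version of the UBTU-24-300013 check quoted in the description.

# Group names the STIG check text accepts for system command files.
ALLOWED_GROUPS="root daemon adm shadow mail crontab _ssh"

# Print "<path> <group>" for every regular, user-executable file under the
# given directories; directories that do not exist are skipped rather than
# making find error out. With -P (the default) symlinks are never followed,
# so a symlinked binary is type "l", not "f", and is not listed. Note that a
# starting point that is itself a symlink (merged-/usr /bin -> usr/bin) is
# not descended either; its target /usr/bin is in the STIG list anyway.
list_user_exec_files() {
    dirs=""
    for d in "$@"; do
        if [ -d "$d" ]; then dirs="$dirs $d"; fi
    done
    [ -n "$dirs" ] || return 0
    # shellcheck disable=SC2086  # word-splitting of $dirs is intended
    find -P $dirs -type f -perm -u=x -exec stat --format="%n %G" {} +
}

# Read "<path> <group>" lines on stdin and keep only those whose group is
# not in ALLOWED_GROUPS (the same test as the awk in the STIG check; like
# the STIG, it assumes paths without spaces so that $2 is the group).
filter_disallowed_groups() {
    awk -v allowed="$ALLOWED_GROUPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Full check over the STIG directory list: prints offending files, one per
# line, and prints nothing when every system command file is compliant.
check_system_command_groups() {
    list_user_exec_files /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin |
        filter_disallowed_groups
}
```

Running `check_system_command_groups` on a host gives the same output as the quoted STIG one-liner, with an empty result meaning compliant.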

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 9, 2025
@openshift-ci

openshift-ci bot commented Jul 9, 2025

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@alanmcanonical alanmcanonical force-pushed the exclude_sys_acc_2 branch 2 times, most recently from 6670629 to 8e13a9f Compare July 9, 2025 10:03
@dodys dodys added this to the 0.1.78 milestone Jul 9, 2025
@dodys dodys added the Ubuntu Ubuntu product related. label Jul 9, 2025
@Mab879 Mab879 self-assigned this Jul 9, 2025
@Mab879
Member

Mab879 commented Jul 9, 2025

So the tests are not passing on RHEL. I'm getting the same errors as in the Automatus CI jobs.

@Mab879
Member

Mab879 commented Jul 9, 2025

Looks like #13675 is also touching these tests.

@alanmcanonical
Contributor Author

I can wait until 13675 is merged, then rebase on top with a fix for RHEL's failed CI.

@qlty-cloud-legacy

Code Climate has analyzed commit e77e20d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.7% (0.0% change).

View more on Code Climate.

@alanmcanonical
Contributor Author

The Ansible failure on UBI8 is not related:

            "module_stderr": "OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 9526\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to localhost closed.\r\n",
            "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752234978.5737178-9519-136548592213244/AnsiballZ_setup.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752234978.5737178-9519-136548592213244/AnsiballZ_setup.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752234978.5737178-9519-136548592213244/AnsiballZ_setup.py\", line 44, in invoke_module\r\n    from ansible.module_utils import basic\r\n  File \"<frozen importlib._bootstrap>\", line 971, in _find_and_load\r\n  File \"<frozen importlib._bootstrap>\", line 951, in _find_and_load_unlocked\r\n  File \"<frozen importlib._bootstrap>\", line 894, in _find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1157, in find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1131, in _get_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1112, in _legacy_get_spec\r\n  File \"<frozen importlib._bootstrap>\", line 441, in spec_from_loader\r\n  File \"<frozen importlib._bootstrap_external>\", line 544, in spec_from_file_location\r\n  File \"/tmp/ansible_ansible.legacy.setup_payload_t1v4jdwv/ansible_ansible.legacy.setup_payload.zip/ansible/module_utils/basic.py\", line 5\r\nSyntaxError: future feature annotations is not defined\r\n",
            "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",

Member

@Mab879 Mab879 left a comment


Automatus tests pass locally.

@Mab879 Mab879 merged commit 1842115 into ComplianceAsCode:master Jul 11, 2025
119 of 123 checks passed