Change rule platforms - Part 3: Individual rules in the "services" group #12507
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The rules that enable or disable systemd services should be applicable also in bootable containers because once a bootable container is booted it can run systemd services. Therefore we will extend the applicability of the rule to bootable containers by assigning it the system_with_kernel platform which is a broader platform than machine.
When a bootable container is booted it can run sssd and connect to ldap. Therefore we will extend the applicability of the rule to bootable containers by assigning it the system_with_kernel platform which is a broader platform than machine.
The reason that is mentioned in the comment is outdated. The checks in the OVAL don't use on an OVAL systemdunitdependency check. They use mostly textfilecontent check. Therefore we don't need to mark them with the machine platform.
jan-cerny
added
CPE-AL
jan-cerny
changed the title
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
Code Climate has analyzed commit 26aa2c9 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.0% (0.0% change). View more on Code Climate. |
Mab879
approved these changes
Oct 17, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Many rules currently marked with the
machineplatform should be applicable also to bootable containers. The reason is that often these rules check configuration that should be applied if the bootable container is deployed and booted on a real system. The applicability of these rules needs to be extended by marking them with thesystem_with_kernelplatform instead.We change the platforms carefully, we don't perform a blind mass platform replacement because not every rule that is currently marked as
machineshould be applicable to bootable containers, for example partition rules should be evaluated as "not applicable" when scanning a bootable container.For more details, please read commit messages of all commits.
Review hints
For normal (non-bootable) containers, run a scan and verify that the rules affected by this change are still evaluated as notapplicable as they were before this change. For example:
sudo oscap-podman centos:stream9 xccdf eval --profile stig --report /tmp/report.html build/ssg-cs9-ds.xml