Include accounts_set_post_pw_existing rule in CIS RHEL #10269

Merged


marcusburghardt

Description:

The accounts_set_post_pw_existing rule completes the 5.5.1.4 requirement for RHEL7 and the 5.6.1.4 requirement for RHEL8 and RHEL9.

Rationale:

Better CIS coverage for RHEL.

This rule is applicable for RHEL products and also satisfies some CIS
requirements for RHEL7, RHEL8 and RHEL9.

A new test case was included to cover systems where there is no user
with a password defined. In this case, the remediation is not necessary.
A filter was also included in the shadow_object to exclude entries
without a valid password. Finally, the file was aligned to the project
Style Guide.

Aligned to the OVAL check, users without a valid password defined in
/etc/shadow should be ignored by the remediation in order to avoid
disruption of non-interactive accounts. The remediation header was also
updated to multi_platform_all.

The scripts were reviewed and aligned to the OVAL and remediation.
New relevant scenarios were included to cover partially compliant
systems and also systems without user passwords.

The 5.5.1.4 requirement for RHEL7 and the 5.6.1.4 requirement for RHEL8
and RHEL9 are complete with the accounts_set_post_pw_existing rule.
marcusburghardt added the labels "RHEL" (Red Hat Enterprise Linux product related) and "CIS" (CIS Benchmark related) on Feb 28, 2023
marcusburghardt added this to the 0.1.67 milestone on Feb 28, 2023
marcusburghardt requested a review from a team as a code owner on February 28, 2023 13:27
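
The check described in this pull request (only accounts with a valid password are evaluated, and accounts without one are left alone), sketched as an added example that is not the project's OVAL or remediation code. It assumes a "valid password" means the second `/etc/shadow` field starts with `$`, takes the 30-day limit from the CIS requirement title, and uses constructed sample entries; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not ComplianceAsCode code): audit a shadow-format file for
# password-holding accounts whose inactivity period is missing or too long.
# Assumption: a "valid password" is a field 2 that starts with "$" (a crypt
# hash). Empty, "*", "!" and "!!" entries are treated as having no password.

MAX_INACTIVE=30   # days, from the CIS requirement title "30 days or less"

# Print the names of accounts with a valid password whose 7th field
# (inactivity days) is empty, not a non-negative integer, or above the limit.
# Usage: noncompliant_users <shadow-file> [max-days]
noncompliant_users() {
    awk -F: -v max="${2:-$MAX_INACTIVE}" '
        $2 !~ /^\$/ { next }                  # no valid password: skip
        $7 !~ /^[0-9]+$/ || $7 + 0 > max + 0 { print $1 }
    ' "$1"
}

# Print the chage command for each finding. Nothing is executed.
remediation_plan() {
    noncompliant_users "$1" "${2:-$MAX_INACTIVE}" | while IFS= read -r user; do
        printf 'chage --inactive %s %s\n' "${2:-$MAX_INACTIVE}" "$user"
    done
}

# Constructed sample entries (placeholder hashes, not from a real system).
sample_shadow() {
    cat <<'EOF'
root:$6$salt$AAAA:19400:0:99999:7:::
alice:$6$salt$BBBB:19400:0:90:7:30::
bob:$6$salt$CCCC:19400:0:90:7:45::
carol:$6$salt$DDDD:19400:0:90:7:-1::
daemon:*:19400:0:99999:7:::
svc_backup:!!:19400::::::
nopass::19400:0:99999:7:::
EOF
}
```

Run `sample_shadow > /tmp/shadow.sample` and then `remediation_plan /tmp/shadow.sample` to see the planned changes; `daemon`, `svc_backup` and `nopass` never appear because they hold no valid password.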
Mab879 self-assigned this on Feb 28, 2023
codeclimate bot commented Feb 28, 2023

Code Climate has analyzed commit 00f50be and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

openshift-ci bot commented Feb 28, 2023

@marcusburghardt: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rhcos4-e8 | 00f50be | link | true | /test e2e-aws-rhcos4-e8 |


Mab879 merged commit ef44c91 into ComplianceAsCode:master on Feb 28, 2023
marcusburghardt deleted the cis_rhel_pass_inactivity branch on March 1, 2023 09:02
marcusburghardt added the labels "Update Rule" (Issues or pull requests related to Rules updates) and "Update Profile" (Issues or pull requests related to Profiles updates) on Mar 3, 2023
Successfully merging this pull request may close these issues.

5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)