-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SLE Service timesyncd configured rule #10670
SLE Service timesyncd configured rule #10670
Conversation
linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml
Outdated
Show resolved
Hide resolved
@teacup-on-rockingchair The CI fails look valid. You should add your new rule ID at least to |
ad98bb7
to
8221f8e
Compare
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
@teacup-on-rockingchair you have some shellcheck warnings in the OpenSUSE CI job. The fail on Fedora Rawhide is caused by OpenSCAP/openscap#1995 and isn't related to the contents of this PR. |
de112bd
to
7938a44
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Automatus fail is expected because the rule is marked by a prodtype key as SLES only and therefore isn't part of RHEL content.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The tests
folder is inside bash
folder. I assume it was a mistake. Could you move it to the rule root folder, please?
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/ansible/shared.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/bash/shared.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/tests/dropin_config.pass.sh
Outdated
Show resolved
Hide resolved
...ide/services/ntp/service_timesyncd_root_distance_configured/tests/no_distance_config.fail.sh
Outdated
Show resolved
Hide resolved
...guide/services/ntp/service_timesyncd_root_distance_configured/tests/timesyncd_config.pass.sh
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
<definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
{{{ oval_metadata("Ensure that timesyncd RootDistanceMaxSec is configured") }}} | ||
<criteria comment="Timesyncd servers are configured" operator="AND"> | ||
<extend_definition comment="service timesyncd enabled" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it is necessary to care about service state in this rule. It should be only about parameters values, regardless of the service being enabled or disabled. Could you consider removing it completely in this rule, please? Keeping the rule as simple as possible to ensure the proper values should be ideal. Service state should be managed by other rules.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have two more generic concerns in this area, and would be happy to get your opinion:
- if the rule is checked on its own and fails or reports false positive since the service is not enabled
- or in the case we run all the rules but for some reason, say alphabetic order of execution, this rule reports OK, while there is problem with service enabled, so this rule will report wrongly pass
Another theoretical question, going even further out of context :). not about the rules but remediations. Say we have rule about service enabling and such for service configuration. Both initially failed, so a ansible or bash script is prepared containing remediation for at least those two rules. When that script is executed and say the service enabling is performed first, then configuration, often it is the case that the follow-up check will report pass, but actually the system is not in correct state, since the configuration is not applied, because the service was not restarted for example. What do you think is the best way to approach this scenario?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have two more generic concerns in this area, and would be happy to get your opinion:
- if the rule is checked on its own and fails or reports false positive since the service is not enabled
I don't see this situation as a false positive. In general it is better to have more specific and as granular as possible rules. If the rule is checking a configuration value, it will only pass if the configuration value is compliant. Another rule will check if the service is enabled and will only pass if the service is indeed enabled. It is even simpler to maintain the rule description, OVAL and remediation when we have simpler and specific rules. In a context of a profile, where both rules in this example are present, the report will clearly and specifically show what is missing or compliant. That is the idea of a profile, where many rules together creates a context and may complement each other to satisfy a requirement. O don't think it would make so much sense to include only one of these rules in a profile. On the other hand, if we have rules doing more than necessary it could be confusing to realize the reason it is failing.
- or in the case we run all the rules but for some reason, say alphabetic order of execution, this rule reports OK, while there is problem with service enabled, so this rule will report wrongly pass
There are many cases like this. For example, when a rule is only applicable if a package is present, if the package is not initially installed, the check will report not applicable
but then the package is installed by another requirement. In a second round the not applicable
requirement may became a fail
or pass
. If it became fail
, the remediation would be necessary. See OpenSCAP/openscap#1880 for other similar cases. Currently, the simplest solution in this case is to run the scan/remediation once more. Maybe it is not the ideal experience but it is not unreasonable too. Also, it would be a relatively complex case to be solved on the scanner side.
Another theoretical question, going even further out of context :). not about the rules but remediations. Say we have rule about service enabling and such for service configuration.
service enabling and service configuration should report not applicable
if the service package is not present.
Otherwise, both should be checked and, if necessary, remediated.
Both initially failed, so a ansible or bash script is prepared containing remediation for at least those two rules. When that script is executed and say the service enabling is performed first, then configuration, often it is the case that the follow-up check will report pass, but actually the system is not in correct state, since the configuration is not applied, because the service was not restarted for example. What do you think is the best way to approach this scenario?
If a service needs to be restarted after configuration changes, it would make sense to ensure the service restart or reload in the respective remediation.
linux_os/guide/services/ntp/service_timesyncd_root_distance_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ntp/service_timesyncd_root_distance_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
@teacup-on-rockingchair , there are some pending suggestions about platform and it should be good to be merged. Could you take a look, please? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it the future would be interesting to implement a variable for service_timesyncd_root_distance_configured
if the policies become to ask any specific value. But for now it is doesn't look the case. Thanks for the rules.
@teacup-on-rockingchair , could you resolve the conflict, please? |
Thanks to @jan-cerny for the note
…le/shared.yml Co-authored-by: Marcus Burghardt <[email protected]>
…shared.sh Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/tests/no_distance_config.fail.sh Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/tests/timesyncd_config.pass.sh Co-authored-by: Marcus Burghardt <[email protected]>
…/dropin_config.pass.sh Co-authored-by: Marcus Burghardt <[email protected]>
Thanks to @marcusburghart 🙇
…shared.xml Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/oval/shared.xml Co-authored-by: Marcus Burghardt <[email protected]>
…/empty_config.fail.sh Co-authored-by: Marcus Burghardt <[email protected]>
…/no_fallback.fail.sh Co-authored-by: Marcus Burghardt <[email protected]>
…/timesyncd_config.pass.sh Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/ansible/shared.yml Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/bash/shared.sh Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/oval/shared.xml Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/oval/shared.xml Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/tests/dropin_config.pass.sh Co-authored-by: Marcus Burghardt <[email protected]>
…nfigured/tests/empty_config.fail.sh Co-authored-by: Marcus Burghardt <[email protected]>
416069c
to
a409ccb
Compare
Code Climate has analyzed commit a409ccb and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.2% (0.0% change). View more on Code Climate. |
@jan-cerny, @marcusburghardt can you please overwrite the rule for suse-maintainers, since I am the only member of the group and cannot approve my own PRs |
/packit retest-failed |
2 similar comments
/packit retest-failed |
/packit retest-failed |
/packit build |
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR. |
Description:
Rationale: