
OCPBUGS-32794: Add back rules that were once shipped in RHCOS4 #11887

Conversation

yuumasato
Member

Description:

  • Add to default.profile rules that were once shipped in RHCOS4 Benchmark.
    • These rules don't have a prodtype and were not added to RHCOS4's default.profile

Rationale:

  • These rules might be used in TailoredProfiles.

Review Hints:

  • Build and check that the rules are included in the data stream.
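The review hint asks for a build followed by a check that the re-added rules actually appear in the data stream. The script below is an added example, not code from the PR or from the ComplianceAsCode project: it parses an XCCDF benchmark (a bare `<Benchmark>` or one embedded in a source data stream collection), reports which of a list of short rule names have no `<Rule>` element, and lists what a given profile selects. The `build/ssg-rhcos4-ds.xml` path in the usage comment is an assumption, and the benchmark fragment in the block is constructed, not build output. The `xccdf_org.ssgproject.content_rule_` and `..._profile_` ID prefixes are the ones this content uses; the Compliance Operator exposes the same rules as `<bundle>-<name-with-hyphens>` objects, which is why the thread's diff shows `rhcos4-sshd-set-keepalive` rather than `sshd_set_keepalive`.

```python
"""Added example (not ComplianceAsCode project code): confirm that a list of
rule IDs is present in a built XCCDF data stream, and which of them a given
profile selects.  Assumed path for the built stream: build/ssg-rhcos4-ds.xml."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# Constructed stand-in for a built benchmark: two rules defined, one profile
# that selects only one of them.  A third rule name is checked below but is
# deliberately absent, to show what a dropped rule looks like.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <Profile id="{PROFILE_PREFIX}e8">
    <select idref="{RULE_PREFIX}sshd_set_keepalive" selected="true"/>
    <select idref="{RULE_PREFIX}partition_for_tmp" selected="false"/>
  </Profile>
  <Group id="xccdf_org.ssgproject.content_group_sample">
    <Rule id="{RULE_PREFIX}sshd_set_keepalive" selected="false"/>
    <Rule id="{RULE_PREFIX}partition_for_tmp" selected="false"/>
  </Group>
</Benchmark>
"""


def rule_ids(xml_text):
    """Full IDs of every <Rule> anywhere in the document.

    iter() walks the whole tree, so this works on a bare Benchmark as well as
    on a data-stream collection that wraps the Benchmark in component elements.
    """
    root = ET.fromstring(xml_text)
    return {rule.get("id") for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}


def missing_rules(xml_text, short_names):
    """Short rule names that have no <Rule> element in the document.

    An empty list means the build shipped every rule that was asked about."""
    present = rule_ids(xml_text)
    return sorted(name for name in short_names if RULE_PREFIX + name not in present)


def selected_in_profile(xml_text, profile_short_name):
    """Short names of the rules a profile selects with selected="true".

    Raises KeyError if the profile does not exist, so a typo in the profile
    name is not silently reported as "nothing selected"."""
    root = ET.fromstring(xml_text)
    wanted = PROFILE_PREFIX + profile_short_name
    for profile in root.iter(f"{{{XCCDF_NS}}}Profile"):
        if profile.get("id") == wanted:
            return sorted(
                sel.get("idref")[len(RULE_PREFIX):]
                for sel in profile.findall(f"{{{XCCDF_NS}}}select")
                if sel.get("selected") == "true"
                and sel.get("idref", "").startswith(RULE_PREFIX)
            )
    raise KeyError(f"profile {wanted} not found")


if __name__ == "__main__":
    # Usage: python check_ds.py build/ssg-rhcos4-ds.xml rule_a rule_b ...
    # (assumed path).  With no arguments the constructed sample is checked.
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        names = sys.argv[2:]
    else:
        text = SAMPLE_BENCHMARK
        names = ["sshd_set_keepalive", "partition_for_tmp", "sudo_remove_nopasswd"]
    gone = missing_rules(text, names)
    print("missing from data stream:", ", ".join(gone) or "none")
    sys.exit(1 if gone else 0)
```

Run against the sample, the script exits non-zero because `sudo_remove_nopasswd` is not defined in the constructed benchmark; against a real build it exits non-zero for any rule name whose `<Rule>` is absent, which is exactly the condition this PR fixes for the rules it re-adds.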

@yuumasato yuumasato added the OpenShift and CoreOS labels Apr 25, 2024
@yuumasato yuumasato added this to the 0.1.73 milestone Apr 25, 2024
@yuumasato yuumasato changed the title from "RHCOS4 : Add back rules that were once shipped" to "OCPBUGS-32794: Add back rules that were once shipped in RHCOS4" Apr 25, 2024

github-actions bot commented Apr 25, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11887
This image was built from commit: e2f1116

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11887

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11887 make deploy-local

@rhmdnd
Collaborator

rhmdnd commented Apr 25, 2024

/test


openshift-ci bot commented Apr 25, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rhmdnd
Collaborator

rhmdnd commented Apr 25, 2024

/test e2e-aws-rhcos4-stig

@rhmdnd
Collaborator

rhmdnd commented Apr 25, 2024

STIG failures here should be getting addressed in #11790

Collaborator

@rhmdnd rhmdnd left a comment

/lgtm

@yuumasato yuumasato force-pushed the OCPBUGS-32794-maintain-rule-selection branch from df276b7 to c242b67 Compare April 26, 2024 08:10
@yuumasato
Member Author

Rebased to re-kick some testing farm tests

@xiaojiey
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold label Apr 26, 2024
@xiaojiey
Collaborator

@yuumasato One question, is rule rhcos4-file-permissions-sudo dropped on purpose? Thanks.
Verified with 4.16.0-0.nightly-2024-04-23-032717 + ghcr.io/complianceascode/k8scontent:11887:

% oc get rules --no-headers | grep upstream | wc -l
    1065
% oc get rules --no-headers | grep -Ev upstream | wc -l
    1060
% oc get rules --no-headers | grep upstream | awk '{print $1}' | sed 's/upstream-//g' | sort > upstream_rules
% oc get rules --no-headers | grep -Ev upstream | awk '{print $1}' | sort > downstream_rules
% diff upstream_rules downstream_rules
3d2
< ocp4-acs-sensor-exists
345d343
< rhcos4-accounts-maximum-age-login-defs
718a717
> rhcos4-file-permissions-sudo
902d900
< rhcos4-partition-for-tmp
980d977
< rhcos4-sshd-set-keepalive
996,997d992
< rhcos4-sudo-remove-no-authenticate
< rhcos4-sudo-remove-nopasswd

These rules don't have a prodtype, and they were not added to RHCOS4's
default.profile.
@yuumasato yuumasato force-pushed the OCPBUGS-32794-maintain-rule-selection branch from c242b67 to e2f1116 Compare April 26, 2024 09:20
@yuumasato
Member Author

@xiaojiey Nice catch, the rule should be there.
I have updated the PR.


openshift-ci bot commented Apr 26, 2024

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                    Commit   Details  Required  Rerun command
ci/prow/e2e-aws-rhcos4-stig  df276b7  link     true      /test e2e-aws-rhcos4-stig
ci/prow/4.13-images          e2f1116  link     true      /test 4.13-images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@xiaojiey
Collaborator

xiaojiey commented Apr 26, 2024

Pre-merge verification pass with 4.16.0-0.nightly-2024-04-23-032717 + ghcr.io/complianceascode/k8scontent:11887

% oc get rules --no-headers | grep upstream | awk '{print $1}' | sed 's/upstream-//g' | sort > upstream_rules
% oc get rules --no-headers | grep -Ev upstream | awk '{print $1}' | sort > downstream_rules
% diff upstream_rules downstream_rules
3d2
< ocp4-acs-sensor-exists
345d343
< rhcos4-accounts-maximum-age-login-defs
903d900
< rhcos4-partition-for-tmp
981d977
< rhcos4-sshd-set-keepalive
997,998d992
< rhcos4-sudo-remove-no-authenticate
< rhcos4-sudo-remove-nopasswd
% cat upstream_rules | wc -l
    1066
% cat downstream_rules| wc -l
    1060
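The verification above compares the `upstream-` prefixed Rule objects with the downstream ones and diffs the two sorted lists; that is what surfaced the missing `rhcos4-file-permissions-sudo` in the earlier run. The block below is an added example, not code from the thread or the project: it performs the same comparison in Python on the text of `oc get rules --no-headers`, classifies each difference by side, and matches on the `upstream-` prefix rather than on `grep -Ev upstream`, so a downstream rule whose name merely contained the word "upstream" would not be misfiled. The sample output embedded in the block is constructed from rule names that appear in this thread; it is not a captured listing.

```python
"""Added example (not part of the PR or the project): reproduce the
upstream/downstream Rule comparison from the verification comment.
Input is the text of `oc get rules --no-headers` (NAME and AGE columns)."""

UPSTREAM_PREFIX = "upstream-"

# Constructed sample listing, using rule names from the thread.  Two rules
# exist on both sides, two only upstream, one only downstream.
SAMPLE_OC_RULES = """\
rhcos4-file-permissions-sudo                       3h
rhcos4-partition-for-tmp                           3h
rhcos4-sshd-set-keepalive                          3h
upstream-ocp4-acs-sensor-exists                    3h
upstream-rhcos4-partition-for-tmp                  3h
upstream-rhcos4-sshd-set-keepalive                 3h
upstream-rhcos4-sudo-remove-nopasswd               3h
"""


def split_rule_sets(oc_output):
    """Return (upstream_names, downstream_names), upstream- prefix stripped.

    Matching on the prefix rather than on a substring means a downstream rule
    whose name merely contains "upstream" stays in the downstream set."""
    upstream, downstream = set(), set()
    for line in oc_output.splitlines():
        if not line.strip():
            continue
        name = line.split()[0]  # first column is the Rule object name
        if name.startswith(UPSTREAM_PREFIX):
            upstream.add(name[len(UPSTREAM_PREFIX):])
        else:
            downstream.add(name)
    return upstream, downstream


def compare_rule_sets(oc_output):
    """Rules present only upstream and rules present only downstream, each as
    a sorted list; these correspond to the '<' and '>' lines of the diff."""
    upstream, downstream = split_rule_sets(oc_output)
    return sorted(upstream - downstream), sorted(downstream - upstream)


if __name__ == "__main__":
    only_up, only_down = compare_rule_sets(SAMPLE_OC_RULES)
    for name in only_up:
        print("<", name)  # shipped upstream, missing downstream
    for name in only_down:
        print(">", name)  # shipped downstream, missing upstream
```

A rule that shows up in the second list is the case worth asking about in review, as happened here: something the downstream bundle carries that the upstream data stream no longer does, or the reverse when the lists are read the other way.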

@xiaojiey
Collaborator

/lgtm


codeclimate bot commented Apr 26, 2024

Code Climate has analyzed commit e2f1116 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@yuumasato yuumasato merged commit 3982af5 into ComplianceAsCode:master Apr 26, 2024
112 of 113 checks passed
@yuumasato yuumasato deleted the OCPBUGS-32794-maintain-rule-selection branch April 26, 2024 10:01