Fix PR review comments for Amazon Linux 2023 STIG profile#6
Open
Jpierre-01 wants to merge 859 commits into
The failure_reason field is specific to the CEL checking engine.
The ansible_authselect_force_reselect and bash_authselect_force_reselect macros were using unquoted command substitution, which triggered SC2046 shellcheck warnings about word splitting. The issue was that "authselect current --raw" returns a profile with features as separate words (e.g., "sssd with-faillock with-fingerprint"), and intentional word splitting is required for authselect to properly parse the profile name and features as separate arguments.

Fixed by using proper word splitting patterns:
- Bash: Use read -ra to safely split into an array, then expand with "@"
- Ansible: Split into two tasks - capture output, then expand variable

This resolves shellcheck SC2046 warnings while maintaining correct functionality for profiles with multiple features.

Fixes: ComplianceAsCode#14600
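As an added illustration (not code from this commit or from the ComplianceAsCode repository), the three ways of handing the output of `authselect current --raw` back to `authselect select`: the unquoted substitution that shellcheck flags, the quoted form that silences the warning but breaks the call, and the `read -ra` array form the commit describes. `authselect` is replaced by constructed stubs so the script runs anywhere; the stub's output string is the sample profile quoted in the message above.

```bash
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode project. `authselect`
# is replaced by constructed stubs so this runs without the real tool.

# Stub for `authselect current --raw`. A real system prints a line such as
# "sssd with-faillock with-fingerprint" (constructed sample output).
authselect_current_raw() {
    printf '%s\n' "sssd with-faillock with-fingerprint"
}

# Stub for `authselect select <profile> <features...> --force`: reports how
# many positional arguments it received, which is what the real tool parses.
authselect_select_stub() {
    printf '%s\n' "$#"
}

# Before: unquoted substitution. It yields three arguments, but only through
# implicit IFS splitting plus pathname expansion, hence shellcheck SC2046.
unquoted_select() {
    # shellcheck disable=SC2046
    authselect_select_stub $(authselect_current_raw)
}

# Tempting but wrong fix: quoting the substitution silences SC2046 and passes
# a single argument, so authselect would look for a profile literally named
# "sssd with-faillock with-fingerprint".
quoted_select() {
    authselect_select_stub "$(authselect_current_raw)"
}

# Fix described in the commit: split explicitly into an array with `read -ra`
# (IFS set only for the read), then expand with "${profile[@]}" so the profile
# name and each feature become separate arguments.
array_select() {
    local -a profile
    IFS=' ' read -ra profile <<< "$(authselect_current_raw)"
    authselect_select_stub "${profile[@]}"
}
```

Running the three functions prints 3, 1 and 3 respectively: the array form reproduces the argument count of the unquoted version without relying on implicit splitting or globbing.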
Add a new Claude Skill `create-product` that will facilitate creating a new product in the project.
Fix MCP server name
Fix authselect remediation with multiple features
…tter Improve Claude Skills front matter
…ct_skill Create Claude Skill for creating new products
CMP-4040, CMP-4041: Add support for CEL based rules and profiles
…a from test scenario
…metadata account_password_pam_faillock_password_auth: strip test metadata
…stfix_hipaa_reference add hipaa reference to rule package_postfix_installed
…scenarios_skills Add Claude Skill for creating Automatus test scenarios
Fix renovate.json syntax
Some `rsyslog` rules required exactly one space between the configuration option and value. That is too strict; having more spaces is valid and accepted by `rsyslog`. The rules have been fixed so that more spaces pass the checks. Also, test scenarios that cover the fixed issue have been introduced.

These rules have been fixed:
- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
- rsyslog_encrypt_offload_actionsendstreamdrivermode
- rsyslog_encrypt_offload_defaultnetstreamdriver

Fixes: ComplianceAsCode#14554
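An added example, not the project's own OVAL or regular expressions: a check that insists on exactly one space between an rsyslog directive and its value, beside one that accepts any run of spaces or tabs, both run over constructed configuration lines for the three legacy `$...` directives the rules above cover. The sample values (`gtls`, `1`, `x509/name`) and the spacing in the sample are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode project. Contrasts a
# one-space regex with a whitespace-tolerant one over constructed rsyslog lines.

# Constructed sample configuration: one line per directive, with the second
# and third lines using spacing that rsyslog accepts but a strict check rejects.
sample_conf() {
    printf '%s\n' '$DefaultNetstreamDriver gtls'
    printf '%s\n' '$ActionSendStreamDriverMode  1'          # two spaces
    printf '$ActionSendStreamDriverAuthMode\tx509/name\n'   # a tab
}

# Strict (pre-fix) pattern: directive, exactly one space, value.
# $1 = directive name without the leading '$', $2 = expected value; config on stdin.
strict_check() {
    local directive=$1 value=$2
    grep -Eq '^\$'"${directive} ${value}"'$'
}

# Relaxed pattern: one or more spaces or tabs between directive and value,
# matching what rsyslog itself parses.
relaxed_check() {
    local directive=$1 value=$2
    grep -Eq '^\$'"${directive}"'[[:space:]]+'"${value}"'$'
}

# Runs both checks for one directive and reports "strict=<0|1> relaxed=<0|1>".
compare() {
    local s=0 r=0
    sample_conf | strict_check "$1" "$2" && s=1
    sample_conf | relaxed_check "$1" "$2" && r=1
    printf 'strict=%s relaxed=%s\n' "$s" "$r"
}
```

Only the first sample line satisfies the strict pattern; the relaxed pattern accepts all three, which is the behaviour the fixed rules now have.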
The original Contest upstream-parallel plan had `/static-checks`, but that was never executed because I forgot to add a third Packit job last time (adding them only for oscap/ansible remediation). Instead of having a job specifically for `/static-checks`, I extended the additional testing to include more plans, and grouped them all under `/other`, adding a new Packit job for the category. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
adjustment
moved change into its own rule
added rule title to ansible file
added rule to components
removed bindcmdaddress
Enable more Packit-based Contest testing
Some Ansible Playbooks are terminating prematurely on some Ansible
Tasks where the `when` statement assumes that a systemd service
is installed. In normal mode, the installation is performed by
other tasks, but in check mode, the installation isn't executed
and the service isn't installed at the moment of checking the
service state. This manifests in the test
`/scanning/host-os/ansible-check/check-mode`.
Addressing:
```
Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld
trusted Zone Restricts IPv4 Loopback Traffic ({"msg": "The conditional
check 'ansible_facts.services['firewalld.service'].state == 'running''
failed. The error was: error while evaluating conditional
(ansible_facts.services['firewalld.service'].state == 'running'): 'dict
object' has no attribute 'firewalld.service'. 'dict object' has no
attribute 'firewalld.service'\n\nThe error appears to be in
'/usr/share/scap-security-guide/ansible/centos8-playbook-pci-dss.yml':
line 10070, column 7, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n -
name: Configure Firewalld to Restrict Loopback Traffic - Ensure
firewalld trusted\n ^ here\n"})
```
…k_fix Prevent Ansible Playbook termination in check mode
Currently, CIS profiles select rule `accounts_passwords_pam_faillock_deny_root`, which checks for the presence of the `even_deny_root` option in the `pam_faillock.so` configuration. But requirement 5.3.3.1.3 in RHEL 9 CIS Benchmark v2.0.0 allows either using `even_deny_root` or setting `root_unlock_time` to 60 or greater. This is the case also for other latest CIS Benchmarks. Therefore, at this moment the users that use the `root_unlock_time` option don't pass the scan even though this configuration complies with the CIS Benchmark.

New rule `accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time` has been created. This rule allows both aforementioned options and therefore is better aligned with CIS Benchmark requirements. The new rule has replaced rule `accounts_passwords_pam_faillock_deny_root` in CIS profiles on all RHELs and on Fedora.

Automatus test scenarios have been added.

Fixes: ComplianceAsCode#14528
Allow both even_deny_root and root_unlock_time
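An added example, not the project's OVAL for either rule: the old single-option check beside the either-or logic the new rule describes, evaluated over constructed `faillock.conf`-style texts. It only parses `faillock.conf` syntax (one `option` or `option = value` per line), not `pam_faillock.so` module arguments on PAM stack lines, and it does not handle the `never` keyword for `root_unlock_time`; both are simplifications made here.

```bash
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode project. Checks the
# "even_deny_root OR root_unlock_time >= 60" condition on faillock.conf text.

# Strips comments, blank lines and surrounding whitespace; prints one
# normalized "key" or "key=value" per line. $1 = configuration text.
normalize_faillock() {
    printf '%s\n' "$1" |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' |
        grep -v '^$'
}

# Original rule's condition: even_deny_root must be present as an option.
has_even_deny_root() {
    normalize_faillock "$1" | grep -qx 'even_deny_root'
}

# Prints the last root_unlock_time value, or nothing when it is not set.
root_unlock_time_value() {
    normalize_faillock "$1" |
        awk -F= '$1 == "root_unlock_time" { v = $2 } END { if (v != "") print v }'
}

# New rule's condition: either option satisfies the benchmark.
# Non-numeric values (including "never") are treated as non-compliant here.
root_lockout_compliant() {
    if has_even_deny_root "$1"; then
        return 0
    fi
    local v
    v=$(root_unlock_time_value "$1")
    case $v in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -ge 60 ]
}

# Constructed sample configurations.
conf_even_deny()   { printf '%s\n' 'deny = 5' 'unlock_time = 900' 'even_deny_root'; }
conf_root_unlock() { printf '%s\n' 'deny = 5' 'unlock_time = 900' 'root_unlock_time = 60'; }
conf_too_short()   { printf '%s\n' 'deny = 5' 'root_unlock_time = 30   # below the 60 s minimum'; }
conf_neither()     { printf '%s\n' 'deny = 5' 'unlock_time = 900'; }
```

The second sample is the case the message describes: it fails `has_even_deny_root` but passes `root_lockout_compliant`, which is exactly the gap the replacement rule closes.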
Allow whitespace in rsyslog configuration files
…hrony-wait-fix CMP-3618 added chrony-wait fix
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…dabot/github_actions/actions/checkout-6.0.3 Bump actions/checkout from 6.0.2 to 6.0.3
Fix DOM XSS vulnerabilities in control-detail.html
Fix rsyslog CI issues
Adding Debian 13 CIS controls to the benchmark
…ew and validation of each control.
Co-authored-by: Jan Černý <jcerny@redhat.com>
…newline
- Remove products/al2023/transforms/ directory (XSLT no longer used in project)
- Fix duplicate al2023 entry in audit_rules_privileged_commands/oval.template
- Add missing newline at end of products/al2023/CMakeLists.txt

Addresses review comments from jan-cerny on PR ComplianceAsCode#14246
…f complete_ocil_entry_package
- Added stig_al2023 option to sshd_approved_macs variable definition
- Uses DEFAULT MACs value (hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com)
- Added refine-value directive in AL2023 STIG profile to use stig_al2023 selector
- Fixes SSH MACs OSCAP check that was expecting DEFAULT value when no refine-value specified
- Aligns with testing results where OSCAP checks openssh.config for MACs value

Amazon Linux 2023 requires architecture flags (-F arch=b64) for privileged command audit rules to avoid performance warnings and ensure OSCAP compliance.

This change adds al2023 to the product list alongside fedora and rhel10 for:
- Bash remediation templates
- Ansible remediation templates
- OVAL check templates
- Kubernetes templates
- Test scripts

Without this fix, AL2023 systems get audit rules without arch flags, causing augenrules to emit 'perm used without an arch is slower' warnings and potential OSCAP compliance failures.

Resolves STIG control: audit_rules_privileged_commands
This PR addresses review comments from ComplianceAsCode/content PR ComplianceAsCode#14246.
Changes Made
Critical Fixes (3 items)
- products/al2023/transforms/ removed as XSLT is no longer used in the project (per jan-cerny review, Feb 9)
- shared/templates/audit_rules_privileged_commands/oval.template (per jan-cerny review, Feb 9)
- products/al2023/CMakeLists.txt (per jan-cerny review, Dec 17)

Review Comments Already Addressed
These issues were already fixed in previous commits:
Testing
Merge Conflicts Resolved
During rebase, resolved conflicts in:
- shared/applicability/oval/system_with_kernel.xml - Merged fedora/rhel kernel-core detection
- linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml - Merged AL2023 rsyslog-openssl support

CI Status Expectations
With these fixes:
Out of Scope
These items remain for future work:
Next Steps
Once merged to remove-merge-commit, Eric can:

Related: ComplianceAsCode#14246
Fixes: Review comments from jan-cerny
Author: Jpierre-01 (Joey Pierre)