
Fix PR review comments for Amazon Linux 2023 STIG profile #6

Open

Jpierre-01 wants to merge 859 commits into Eric-Domeier:remove-merge-commit from Jpierre-01:fix-pr-review-comments

Conversation

@Jpierre-01

This PR addresses review comments from ComplianceAsCode/content PR ComplianceAsCode#14246.

Changes Made

Critical Fixes (3 items)

  1. Removed XSLT transforms directory - products/al2023/transforms/ removed as XSLT is no longer used in the project (per jan-cerny review, Feb 9)
  2. Fixed duplicate al2023 entry - Removed duplicate "al2023" in shared/templates/audit_rules_privileged_commands/oval.template (per jan-cerny review, Feb 9)
  3. Added missing newline - Added newline at end of products/al2023/CMakeLists.txt (per jan-cerny review, Dec 17)
  4. Rebased against upstream master - Resolved merge conflicts and brought branch up to date with ComplianceAsCode/content master (834 commits behind, now current)

Review Comments Already Addressed

These issues were already fixed in previous commits:

  • ✅ tar package in Dockerfile (already present)
  • ✅ STIG profile version V1R1 (already correct)
  • ✅ Remove empty standard.profile (already removed)
  • ✅ rsyslog-openssl handling for AL2023 (already implemented)
  • ✅ sssd installation rules (package_sssd_installed already present)
  • ✅ journal upload rules (service_systemd-journal-upload_enabled already present)

Testing

  • ✅ YAML syntax validated for all AL2023 profiles and controls
  • ✅ Merge conflicts resolved during rebase (3 conflicts in system_with_kernel.xml and rsyslog rule)
  • ✅ All files compile without syntax errors

Merge Conflicts Resolved

During rebase, resolved conflicts in:

  1. shared/applicability/oval/system_with_kernel.xml - Merged fedora/rhel kernel-core detection
  2. linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml - Merged AL2023 rsyslog-openssl support

CI Status Expectations

With these fixes:

  • ✅ XSLT removal should resolve build issues
  • ✅ Rebase should resolve merge conflict warnings
  • ⚠️ YAML Lint CI may still need investigation (syntax is valid, may be style-related)

Out of Scope

These items remain for future work:

  • 131 checks not remediated (requires extensive testing on AL2023 instances)
  • srg_support.xml content verification (Eric noted in PR description)

Next Steps

Once merged to remove-merge-commit, Eric can:

  1. Update main PR Add Amazon Linux 2023 DISA STIG Profile ComplianceAsCode/content#14246 to upstream ComplianceAsCode/content
  2. CI will re-run with fixed code
  3. Address remaining YAML lint issues if they persist

Related: ComplianceAsCode#14246
Fixes: Review comments from jan-cerny
Author: Jpierre-01 (Joey Pierre)

vojtapolasek and others added 30 commits April 21, 2026 10:19
The failure_reason field is specific to the CEL checking engine.
The ansible_authselect_force_reselect and bash_authselect_force_reselect
macros were using unquoted command substitution which triggered SC2046
shellcheck warnings about word splitting.

The issue was that "authselect current --raw" returns a profile with
features as separate words (e.g., "sssd with-faillock with-fingerprint"),
and intentional word splitting is required for authselect to properly
parse the profile name and features as separate arguments.

Fixed by using proper word splitting patterns:
- Bash: Use read -ra to safely split into array, then expand with "@"
- Ansible: Split into two tasks - capture output, then expand variable

This resolves shellcheck SC2046 warnings while maintaining correct
functionality for profiles with multiple features.

Fixes: ComplianceAsCode#14600
Add a new Claude Skill `create-product` that will facilitate
creating a new product in the project.
Fix authselect remediation with multiple features
…ct_skill

Create Claude Skill for creating new products
CMP-4040, CMP-4041: Add support for CEL based rules and profiles
…metadata

account_password_pam_faillock_password_auth: strip test metadata
…stfix_hipaa_reference

add hipaa reference to rule package_postfix_installed
…scenarios_skills

Add Claude Skill for creating Automatus test scenarios
Some `rsyslog` rules required exactly one space between
the configuration option and value. That is too strict,
having more spaces is valid and accepted by `rsyslog`.
The rules have been fixed so that more spaces are passing the
checks. Also, test scenarios that cover the fixed issue have been introduced.

These rules have been fixed:
- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
- rsyslog_encrypt_offload_actionsendstreamdrivermode
- rsyslog_encrypt_offload_defaultnetstreamdriver

Fixes: ComplianceAsCode#14554
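To make the whitespace point in the commit message above concrete, here is an added Python example (not code from the ComplianceAsCode project) that contrasts an over-strict check requiring exactly one space with the relaxed form that accepts any run of blanks. The directive name is a real rsyslog legacy directive; the sample configuration lines and the exact regular expressions are constructed for illustration and are not the project's own OVAL patterns.

```python
import re

# Constructed sample rsyslog configurations: the same directive written with
# one space, several spaces, a tab, a wrong value, and commented out.
SAMPLE_CONFIGS = {
    "one_space":   "$ActionSendStreamDriverMode 1\n",
    "many_spaces": "$ActionSendStreamDriverMode    1\n",
    "tab":         "$ActionSendStreamDriverMode\t1\n",
    "wrong_value": "$ActionSendStreamDriverMode 0\n",
    "commented":   "#$ActionSendStreamDriverMode 1\n",
}


def strict_pattern(directive, value):
    """Over-strict form: exactly one space between directive and value."""
    return re.compile(
        r"^\$" + re.escape(directive) + " " + re.escape(value) + r"$", re.M
    )


def relaxed_pattern(directive, value):
    """Fixed form: any run of spaces or tabs, with optional trailing blanks,
    which is what rsyslog itself accepts."""
    return re.compile(
        r"^\$" + re.escape(directive) + r"[ \t]+" + re.escape(value) + r"[ \t]*$",
        re.M,
    )


def directive_set(config_text, directive, value, strict=False):
    """Return True if the directive is set to the expected value on some line."""
    pattern = strict_pattern(directive, value) if strict else relaxed_pattern(directive, value)
    return pattern.search(config_text) is not None


def evaluate(directive="ActionSendStreamDriverMode", value="1"):
    """Map each sample to (strict_result, relaxed_result)."""
    return {
        name: (
            directive_set(text, directive, value, strict=True),
            directive_set(text, directive, value),
        )
        for name, text in SAMPLE_CONFIGS.items()
    }


if __name__ == "__main__":
    for name, (strict_ok, relaxed_ok) in evaluate().items():
        print(f"{name:12s} strict={strict_ok!s:5s} relaxed={relaxed_ok}")
```

The strict pattern produces a false "fail" for the multi-space and tab variants even though rsyslog reads them correctly; the relaxed pattern still rejects the wrong value and the commented-out line.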
The original Contest upstream-parallel plan had `/static-checks`,
but that was never executed because I forgot to add a third Packit
job last time (adding them only for oscap/ansible remediation).

Instead of having a job specifically for `/static-checks`, I extended
the additional testing to include more plans, and grouped them all
under `/other`, adding a new Packit job for the category.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
adjustment

moved change into its own rule

added rule title to ansible file

added rule to components

removed bindcmdaddress
Enable more Packit-based Contest testing
Some Ansible Playbooks are terminating prematurely on some Ansible
Tasks where the `when` statement assumes that a systemd service
is installed. In normal mode, the installation is performed by
other tasks, but in check mode, the installation isn't executed
and the service isn't installed at the moment of checking the
service state. This manifests in the test
`/scanning/host-os/ansible-check/check-mode`.

Addressing:
```
Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld
trusted Zone Restricts IPv4 Loopback Traffic ({"msg": "The conditional
check 'ansible_facts.services['firewalld.service'].state == 'running''
failed. The error was: error while evaluating conditional
(ansible_facts.services['firewalld.service'].state == 'running'): 'dict
object' has no attribute 'firewalld.service'. 'dict object' has no
attribute 'firewalld.service'\n\nThe error appears to be in
'/usr/share/scap-security-guide/ansible/centos8-playbook-pci-dss.yml':
line 10070, column 7, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n    -
name: Configure Firewalld to Restrict Loopback Traffic - Ensure
firewalld trusted\n      ^ here\n"})
```
…k_fix

Prevent Ansible Playbook termination in check mode
Currently, CIS profiles select rule
`accounts_passwords_pam_faillock_deny_root` which checks for the presence of
the `even_deny_root` option in the `pam_faillock.so` configuration.

But the requirement 5.3.3.1.3 in RHEL 9 CIS Benchmark v2.0.0 allows
either using `even_deny_root` or setting `root_unlock_time` to 60 or
greater. This is also the case for other latest CIS Benchmarks.
Therefore, at this moment the users that use the `root_unlock_time`
option don't pass the scan even though this configuration complies with
the CIS Benchmark.

New rule
`accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time` has
been created. This rule allows both aforementioned options and therefore
is better aligned with CIS Benchmark requirements.

The new rule has replaced rule
`accounts_passwords_pam_faillock_deny_root` in CIS profiles on all RHELs
and on Fedora. Automatus test scenarios have been added.

Fixes: ComplianceAsCode#14528
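The either/or logic described in the commit message above, as an added Python example (not the project's OVAL or test-scenario code): it parses `pam_faillock.so` options from a `faillock.conf`-style file or from a PAM module line and reports compliance when `even_deny_root` is present or `root_unlock_time` is 60 or greater. The sample configurations are constructed; the option names are the real `pam_faillock` ones. Treating a non-numeric `root_unlock_time` as non-compliant is a simplification chosen here.

```python
# Constructed sample faillock.conf contents, one per scenario.
SAMPLES = {
    "even_deny_root": "deny = 5\nunlock_time = 900\neven_deny_root\n",
    "root_unlock_60": "deny = 5\nroot_unlock_time = 60\n",
    "root_unlock_120_spaced": "deny=5\nroot_unlock_time   =   120\n",
    "root_unlock_30": "deny = 5\nroot_unlock_time = 30\n",
    "neither": "deny = 5\nunlock_time = 900\n",
    "commented_out": "# even_deny_root\nroot_unlock_time = 59\n",
}


def parse_faillock_conf(text):
    """Return {option: value-or-None} from faillock.conf-style text.
    Flags such as even_deny_root have no value; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts[key.strip()] = value.strip() if sep else None
    return opts


def parse_pam_line(line):
    """Return options that follow pam_faillock.so on a PAM module line, e.g.
    'auth required pam_faillock.so preauth silent even_deny_root deny=3'.
    Lines for other modules yield no options."""
    opts = {}
    fields = line.split()
    if "pam_faillock.so" not in fields:
        return opts
    for token in fields[fields.index("pam_faillock.so") + 1:]:
        key, sep, value = token.partition("=")
        opts[key] = value if sep else None
    return opts


def root_lockout_compliant(opts):
    """CIS 5.3.3.1.3 logic: even_deny_root, or root_unlock_time >= 60."""
    if "even_deny_root" in opts:
        return True
    value = opts.get("root_unlock_time")
    if value is None:
        return False
    try:
        return int(value) >= 60
    except ValueError:
        # Simplification for this example: unparsable values do not pass.
        return False


def evaluate_samples():
    """Map each constructed sample to its compliance verdict."""
    return {
        name: root_lockout_compliant(parse_faillock_conf(text))
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:24s} {'pass' if ok else 'fail'}")
```

Note that the old single-option rule would report "fail" for the `root_unlock_60` and `root_unlock_120_spaced` samples even though both satisfy the benchmark; the combined check passes them while still rejecting `root_unlock_30` and the commented-out flag.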
Allow both even_deny_root and root_unlock_time
Allow whitespace in rsyslog configuration files
…hrony-wait-fix

CMP-3618 added chrony-wait fix
dependabot Bot and others added 30 commits June 3, 2026 20:52
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…dabot/github_actions/actions/checkout-6.0.3

Bump actions/checkout from 6.0.2 to 6.0.3
Fix DOM XSS vulnerabilities in control-detail.html
Adding Debian 13 CIS controls to the benchmark
Co-authored-by: Jan Černý <jcerny@redhat.com>
…newline

- Remove products/al2023/transforms/ directory (XSLT no longer used in project)
- Fix duplicate al2023 entry in audit_rules_privileged_commands/oval.template
- Add missing newline at end of products/al2023/CMakeLists.txt

Addresses review comments from jan-cerny on PR ComplianceAsCode#14246
- Added stig_al2023 option to sshd_approved_macs variable definition
- Uses DEFAULT MACs value (hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com)
- Added refine-value directive in AL2023 STIG profile to use stig_al2023 selector
- Fixes SSH MACs OSCAP check that was expecting DEFAULT value when no refine-value specified
- Aligns with testing results where OSCAP checks openssh.config for MACs value
Amazon Linux 2023 requires architecture flags (-F arch=b64) for privileged
command audit rules to avoid performance warnings and ensure OSCAP compliance.

This change adds al2023 to the product list alongside fedora and rhel10 for:
- Bash remediation templates
- Ansible remediation templates
- OVAL check templates
- Kubernetes templates
- Test scripts

Without this fix, AL2023 systems get audit rules without arch flags, causing
augenrules to emit 'perm used without an arch is slower' warnings and
potential OSCAP compliance failures.

Resolves STIG control: audit_rules_privileged_commands