Add rhcos4 Profile for BSI Grundschutz #13121

Open: 8 commits to merge into base: master

@sluetze sluetze commented Feb 27, 2025

Description:

This PR adds two control files, enhances a profile and adds a rule.

Rationale:

Customers were asking for an OpenShift Compliance Operator profile for BSI. Our current project scope was only on the SYS.1.6 and APP.4.4 Building Blocks (Containers & Kubernetes). But there are more relevant and checkable Building Blocks. The two biggest and most relevant ones are SYS.1.1 (General Server) and SYS.1.3 (Linux Server). This PR adds these to enhance the ocp-bsi profile with an rhcos4-bsi profile.

Rule only_allow_specific_certs: this is a copy and generalization of the only_allow_dod_certs rule. As we have the same requirement, I tried to make the rule not specific so it can be reused. I didn't want to change the DOD rule as I do not know if the phrasing is important in this context.

As in OCP4, we follow the scheme of adding one control file per Building Block. As we will have a different one for RHEL9, we postfix them with _rhcos4.

Review Hints:

  • Most of the rules are reused rules from other rhcos4 profiles; that's why it is only one "big" PR and not several, as it can be tested as a bundle.

@openshift-ci openshift-ci bot added the needs-ok-to-test label (used by openshift-ci bot) on Feb 27, 2025

openshift-ci bot commented Feb 27, 2025

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


github-actions bot commented Feb 27, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -226,6 +226,9 @@
 [reference]:
 SRG-OS-000404-GPOS-00183
 
+[reference]:
+SYS.1.1.A34
+
 [rationale]:
 The risk of a system's physical compromise, particularly mobile systems such as
 laptops, places its data at risk of compromise.  Encrypting this data mitigates

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -76,6 +76,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 The /tmp partition is used as temporary storage by many programs.
 Placing /tmp in its own partition enables the setting of more
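Review bot: The partition_for_tmp rule (and the partition_for_var, partition_for_var_log and partition_for_var_tmp hunks that follow) is mapped to SYS.1.1.A6 for rhcos4, but a default RHCOS node does not carry these paths as separate mount points, so please confirm how these rules are expected to evaluate in the new profile; if they will fail on every stock node, a note in the control file (or a partial/manual status for the control) would save reviewers and users from chasing a permanent FAIL.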

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -79,6 +79,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Ensuring that /var is mounted on its own partition enables the
 setting of more restrictive mount options. This helps protect

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -189,6 +189,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Placing /var/log in its own partition
 enables better separation between log files

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -16,6 +16,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 The /var/tmp partition is used as temporary storage by many programs.
 Placing /var/tmp in its own partition enables the setting of more

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
@@ -6,6 +6,9 @@
 To properly set the group owner of /etc/issue, run the command:
 $ sudo chgrp root /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the group owner of /etc/issue.net, run the command:
 $ sudo chgrp root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -6,6 +6,9 @@
 To properly set the owner of /etc/issue, run the command:
 $ sudo chown root /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the owner of /etc/issue.net, run the command:
 $ sudo chown root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
@@ -6,6 +6,9 @@
 To properly set the permissions of /etc/issue, run the command:
 $ sudo chmod 0644 /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/issue.net, run the command:
 $ sudo chmod 0644 /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_unique_name'.
--- xccdf_org.ssgproject.content_rule_account_unique_name
+++ xccdf_org.ssgproject.content_rule_account_unique_name
@@ -22,6 +22,9 @@
 Req-8.1.1
 
 [reference]:
+SYS.1.3.A2
+
+[reference]:
 8.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same'.
--- xccdf_org.ssgproject.content_rule_gid_passwd_group_same
+++ xccdf_org.ssgproject.content_rule_gid_passwd_group_same
@@ -196,6 +196,9 @@
 
 [reference]:
 SRG-OS-000104-GPOS-00051
+
+[reference]:
+SYS.1.3.A2
 
 [reference]:
 8.2.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
@@ -13,6 +13,9 @@
 [reference]:
 SRG-OS-000433-GPOS-00193
 
+[reference]:
+SYS.1.3.A4
+
 [rationale]:
 Kernel page-table isolation is a kernel feature that mitigates
 the Meltdown security vulnerability and hardens the kernel

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -26,6 +26,9 @@
 [reference]:
 R8
 
+[reference]:
+SYS.1.1.A34
+
 [rationale]:
 A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
 from the hardware number generators available in the system helps fill up the entropy pool.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -188,6 +188,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -185,6 +185,9 @@
 
 [reference]:
 R29
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 2.2.6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -188,6 +188,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -184,6 +184,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -177,6 +177,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -177,6 +177,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -151,6 +151,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The root group is a highly-privileged group. Furthermore, the group-owner of this
 file should not have any access privileges anyway.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -150,6 +150,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The root group is a highly-privileged group. Furthermore, the group-owner of this
 file should not have any access privileges anyway. Non-root users who read the boot parameters

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -151,5 +151,8 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Only root should be able to modify important boot parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -150,6 +150,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Only root should be able to modify important boot parameters. Also, non-root users who read
 the boot parameters may be able to identify weaknesses in security upon boot and be able to

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -143,6 +143,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Proper permissions ensure that only the root user can modify important boot
 parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -143,6 +143,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Proper permissions ensure that only the root user can read or modify important boot
 parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -19,6 +19,9 @@
 [reference]:
 SRG-OS-000095-GPOS-00049
 
+[reference]:
+SYS.1.1.A5
+
 [rationale]:
 Disabling FireWire protects the system against exploitation of any
 flaws in its implementation.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
@@ -327,6 +327,9 @@
 [reference]:
 PR.PT-4
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Disabling the bluetooth service prevents the system from attempting
 connections to Bluetooth devices, which entails some security risk.
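Review bot: SYS.1.1.A6 is attached here to service_bluetooth_disabled, and further down to the kernel_module_bluetooth_disabled, cfg80211/iwlmvm/iwlwifi/mac80211 and wireless_disable_* rules, while the same control id is attached above to the partition_for_* rules; a one-line note in the control file explaining why one BSI requirement covers both the separate-partition rules and the disable-unneeded-interfaces rules would make the mapping easier to review and to maintain.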

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -309,6 +309,9 @@
 [reference]:
 SRG-OS-000300-GPOS-00118
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Bluetooth functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_in_bios'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
+++ xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
@@ -290,6 +290,9 @@
 [reference]:
 PR.PT-4
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Disabling wireless support in the BIOS prevents easy
 activation of the wireless interface, generally requiring administrators
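Review bot: wireless_disable_in_bios is a firmware-level setting that a node scan cannot read, so in the rhcos4 profile this rule can only surface as a manual check; the same applies to bios_disable_usb_boot and bios_enable_execution_restrictions further down. Please confirm that is intended for a profile the description presents as "checkable", or mark the corresponding controls as manual/partial in the control file so the status is explicit.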

New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -325,6 +325,9 @@
 
 [reference]:
 SRG-OS-000481-GPOS-00481
+
+[reference]:
+SYS.1.1.A6
 
 [reference]:
 1.3.3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable'.
--- xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
+++ xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
@@ -172,6 +172,9 @@
 R54
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
@@ -15,6 +15,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
@@ -167,6 +167,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -167,6 +167,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
@@ -15,6 +15,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_group
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
@@ -168,6 +168,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -278,6 +278,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the automounter permits the administrator to
 statically control filesystem mounting through /etc/fstab.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_disable_usb_boot'.
--- xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
+++ xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
@@ -111,6 +111,9 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Booting a system from a USB device would allow an attacker to
 circumvent any security measures provided by the operating system. Attackers

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
@@ -136,6 +136,12 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the USB subsystem within the Linux kernel at system boot will
 protect against potentially malicious USB devices, although it is only practical

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_nousb_argument
+++ xccdf_org.ssgproject.content_rule_grub2_nousb_argument
@@ -136,6 +136,9 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the USB subsystem within the Linux kernel at system boot will
 protect against potentially malicious USB devices, although it is only practical
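Review bot: grub2_nousb_argument receives only SYS.1.3.A3 here, whereas the coreos_nousb_kernel_argument hunk just above (and kernel_module_usb-storage_disabled below) receives both SYS.1.1.A5 and SYS.1.3.A3; both nousb rules enforce the same kernel argument, so either add SYS.1.1.A5 to this rule in the control file too or note why the two are mapped differently.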

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
@@ -249,6 +249,12 @@
 SRG-APP-000141-CTR-000315
 
 [reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
+[reference]:
 3.4.2
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
@@ -130,6 +130,9 @@
 R9
 
 [reference]:
+SYS.1.3.A4
+
+[reference]:
 3.3.1.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions'.
--- xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
+++ xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
@@ -78,6 +78,9 @@
 SRG-APP-000450-CTR-001105
 
 [reference]:
+SYS.1.3.A4
+
+[reference]:
 2.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
@@ -12,6 +12,9 @@
 
 [reference]:
 SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
 
 [reference]:
 CNTR-OS-000560

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
@@ -12,6 +12,9 @@
 
 [reference]:
 SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
 
 [reference]:
 CNTR-OS-000560

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed'.
--- xccdf_org.ssgproject.content_rule_package_libselinux_installed
+++ xccdf_org.ssgproject.content_rule_package_libselinux_installed
@@ -6,6 +6,18 @@
 The libselinux package can be installed with the following command:
 
 $ sudo dnf install libselinux
+
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
 
 [reference]:
 1.2.6
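Review bot: SYS.1.1.A37 is listed ahead of SYS.1.1.A31 in the added reference block, whereas SYS.1.3.A4 and SYS.1.3.A10 follow ascending order; keeping the references ascending (SYS.1.1.A31, SYS.1.1.A37, SYS.1.3.A4, SYS.1.3.A10) makes the rendered list easier to scan and compare between rules. The same A37-before-A31 order repeats in the grub2_enable_selinux, selinux_confinement_of_daemons, selinux_not_disabled, selinux_policytype and selinux_state hunks below.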

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux'.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -483,6 +483,18 @@
 PR.PT-4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 1.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons'.
--- xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
+++ xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
@@ -450,6 +450,15 @@
 PR.PT-3
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 1.2.6
 
 [reference]:
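Review bot: selinux_confinement_of_daemons is mapped to SYS.1.1.A37, SYS.1.1.A31 and SYS.1.3.A10 but not to SYS.1.3.A4, while package_libselinux_installed, grub2_enable_selinux and selinux_not_disabled in this patch carry SYS.1.3.A4 alongside those same three references; the selinux_policytype and selinux_state hunks below show the same gap. If the omission is deliberate, a short note in the control file would help the next reader; otherwise add SYS.1.3.A4 here for consistency.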

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -16,6 +16,18 @@
 and give the administrator the opportunity to assess the impact and necessary efforts
 before setting it to "enforcing", which is strongly recommended.
 
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
 [rationale]:
 Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux
 controls without a system reboot. It also avoids labeling any persistent objects such as

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype'.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -518,6 +518,15 @@
 APP.4.4.A4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 SYS.1.6.A3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_state'.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -516,6 +516,15 @@
 APP.4.4.A4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 SYS.1.6.A3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
@@ -171,6 +171,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Service configuration files enable or disable features of their respective
 services that if configured incorrectly can lead to insecure and vulnerable

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
@@ -13,5 +13,8 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
@@ -13,6 +13,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If a public host key file is modified by an unauthorized user, the SSH service
 may be compromised.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_config
@@ -171,6 +171,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Service configuration files enable or disable features of their respective
 services that if configured incorrectly can lead to insecure and vulnerable

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -13,5 +13,8 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -13,6 +13,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If a public host key file is modified by an unauthorized user, the SSH service
 may be compromised.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -172,6 +172,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
@@ -186,6 +186,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
@@ -184,6 +184,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -388,6 +388,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A8
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -428,6 +428,9 @@
 
 [reference]:
 R33
+
+[reference]:
+SYS.1.3.A8
 
 [reference]:
 2.2.6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -33,6 +33,9 @@
 [reference]:
 SRG-OS-000108-GPOS-00055
 
+[reference]:
+SYS.1.3.A8
+
 [rationale]:
 Without the use of multifactor authentication, the ease of access to
 privileged functions is greatly increased. Multifactor authentication

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -207,6 +207,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -575,6 +575,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
@@ -18,6 +18,9 @@
 SRG-APP-000092-CTR-000165
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000170
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_option'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_option
+++ xccdf_org.ssgproject.content_rule_coreos_audit_option
@@ -339,6 +339,9 @@
 SRG-APP-000092-CTR-000165
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000170
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -390,6 +390,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -572,6 +572,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -595,6 +595,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -604,6 +604,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
@@ -12,6 +12,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
@@ -334,6 +334,9 @@
 
 [reference]:
 SRG-APP-000118-CTR-000240
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 10.3.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
@@ -15,6 +15,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -340,6 +340,9 @@
 SRG-APP-000118-CTR-000240
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 10.3.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -445,6 +445,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -466,6 +466,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -460,6 +460,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -472,6 +472,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -460,6 +460,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -471,6 +471,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -436,6 +436,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -285,6 +285,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -386,6 +386,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -413,6 +413,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
@@ -29,6 +29,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -300,6 +300,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
@@ -288,6 +288,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
@@ -63,6 +63,9 @@
 SRG-APP-000029-CTR-000085
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
@@ -266,6 +266,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
@@ -231,6 +231,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000950
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
@@ -264,6 +264,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
@@ -276,6 +276,9 @@
 SRG-OS-000755-GPOS-00220
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
@@ -276,6 +276,9 @@
 R33
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
@@ -264,6 +264,9 @@
 SRG-OS-000755-GPOS-00220
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
@@ -258,6 +258,9 @@
 SRG-APP-000029-CTR-000085
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
@@ -312,6 +312,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

codeclimate bot commented Feb 27, 2025

Code Climate has analyzed commit deee809 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.0% change).

View more on Code Climate.

@yuumasato yuumasato self-assigned this Feb 28, 2025
@yuumasato yuumasato added OpenShift OpenShift product related. BSI PRs or issues for the BSI profile. labels Feb 28, 2025
@yuumasato
Member

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Feb 28, 2025
@@ -0,0 +1,682 @@
# In BSI Basic Protection are multiple Requirements in one control.
Member

Suggested change
# In BSI Basic Protection are multiple Requirements in one control.
# In BSI Basic Protection there are multiple Requirements in one control.

notes: >-
Section 1: If you dont utilize specific software to control the allowed devices for usb ports,
you can ensure compliance by disabling the usb port completely.
Interfaces is ambigious, it is focussed on usb etc. not on network.
Member

Suggested change
Interfaces is ambigious, it is focussed on usb etc. not on network.
Interfaces is ambiguous, it is focused on usb etc. not on network.

(1) It MUST be ensured that only specified removable storage media and other devices can be
connected to servers. All interfaces that are no longer needed must be disabled.
notes: >-
Section 1: If you dont utilize specific software to control the allowed devices for usb ports,
Member

Suggested change
Section 1: If you dont utilize specific software to control the allowed devices for usb ports,
Section 1: If you don't utilize specific software to control the allowed devices for usb ports,

checked at regular intervals. (4) The results SHOULD be appropriately documented.
notes: >-
This requirement must be implemented organizationally.
If we interprete this towards hardening, the CIS Profile could be used
Member

Suggested change
If we interprete this towards hardening, the CIS Profile could be used
If we interpret this towards hardening, the CIS Profile could be used

Comment on lines 288 to 289
Some parts could be technically checked, i.e. if repositories are configureg, if AV is
installed and therelike.
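Review bot: "i.e." should be "e.g." in this note, since configured repositories and an installed AV are examples of checkable parts rather than the complete list; also state which of these checks, if any, is actually selected by a rule in this control file, so that "could be technically checked" is not read as if it already is.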
Member

Suggested change
Some parts could be technically checked, i.e. if repositories are configureg, if AV is
installed and therelike.
Some parts could be technically checked, i.e. if repositories are configured, if AV is
installed and therelike.

Not sure what therelike means.

@@ -0,0 +1,429 @@
# In BSI Basic Protection are multiple Requirements in one control.
Member

Suggested change
# In BSI Basic Protection are multiple Requirements in one control.
# In BSI Basic Protection there are multiple Requirements in one control.

Comment on lines 28 to 29
- bsi_app_4_4:all
- bsi_sys_1_6:all
Member

Does it make sense to keep these two controls here?

I see that the following rules are being added by the kubernetes and containerization control files, maybe they should be migrated to the General and Linux Server control files?

  • coreos_enable_selinux_kernel_argument
  • selinux_policytype
  • selinux_state
  • service_firewalld_enabled
  • var_selinux_policy_name=targeted
  • var_selinux_state=enforcing

Contributor Author

The same rules are also applied by the general/linux control files, so they are selected multiple times. So technically we could remove app_4_4 and sys_1_6 here without making a difference in the rules. I personally would prefer to leave them here, as we would have more transparency on how the controls are addressed.
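
The claim that the same rules are pulled in by several control files, and that dropping two of the selections would not change the resolved rule set, can be checked mechanically. The Python below is an added illustration, not ComplianceAsCode's own build or resolver code: it assumes the control-file layout used in this PR (a controls list whose entries carry rules, with var_name=value entries selecting variable values, and profile selections of the form control_file:all), uses constructed, trimmed control data in place of the real files, and reports which rules and variables are selected by more than one control file, which selections are redundant for the resolved posture, and whether two control files set the same variable to different values, which is the failure mode that matters once a rule is shared.

```python
"""Resolve `control_file:all` profile selections into rules and variables and
report duplicated, redundant and conflicting selections.

Added illustration, not ComplianceAsCode's own resolver. It assumes the
control-file layout used in this PR (a `controls` list whose entries carry
`rules`, with `var_name=value` entries selecting variable values) and uses
constructed, trimmed control data instead of the real files.
"""
import copy
from collections import defaultdict

# Constructed sample data mirroring the YAML layout of the control files.
CONTROL_FILES = {
    "bsi_app_4_4": {"controls": [
        {"id": "APP.4.4.A1", "rules": [
            "selinux_state", "var_selinux_state=enforcing"]},
    ]},
    "bsi_sys_1_6": {"controls": [
        {"id": "SYS.1.6.A3", "rules": [
            "selinux_policytype", "var_selinux_policy_name=targeted",
            "service_firewalld_enabled"]},
    ]},
    "bsi_sys_1_3_rhcos4": {"controls": [
        {"id": "SYS.1.3.A1", "rules": [
            "selinux_state", "var_selinux_state=enforcing",
            "selinux_policytype", "var_selinux_policy_name=targeted"]},
        {"id": "SYS.1.3.A2", "rules": [
            "service_firewalld_enabled",
            "coreos_enable_selinux_kernel_argument"]},
    ]},
}

# Constructed profile selections, in the `control_file:all` form used in the PR.
PROFILE_SELECTIONS = ["bsi_app_4_4:all", "bsi_sys_1_6:all",
                      "bsi_sys_1_3_rhcos4:all"]


def resolve(selections, control_files):
    """Map each rule to the control files selecting it, and each variable to
    {value: control files setting that value}."""
    rules = defaultdict(set)
    variables = defaultdict(lambda: defaultdict(set))
    for sel in selections:
        cf_id, _, level = sel.partition(":")
        if level != "all":
            raise ValueError(f"only ':all' selections are handled here: {sel}")
        for control in control_files[cf_id]["controls"]:
            for entry in control.get("rules", []):
                if "=" in entry:  # variable selection: var_name=value
                    name, value = entry.split("=", 1)
                    variables[name][value].add(cf_id)
                else:
                    rules[entry].add(cf_id)
    return rules, variables


def duplicated_rules(rules):
    """Rules selected by more than one control file."""
    return {r: sorted(cfs) for r, cfs in rules.items() if len(cfs) > 1}


def conflicting_variables(variables):
    """Variables that different control files set to different values."""
    return {v: {val: sorted(cfs) for val, cfs in vals.items()}
            for v, vals in variables.items() if len(vals) > 1}


def _posture(selections, control_files):
    """Hashable summary of the resolved rule set and variable values."""
    rules, variables = resolve(selections, control_files)
    return (frozenset(rules),
            frozenset((v, val) for v, vals in variables.items() for val in vals))


def redundant_selections(selections, control_files):
    """Selections whose removal leaves the resolved rules and variables unchanged."""
    full = _posture(selections, control_files)
    return [s for s in selections
            if _posture([o for o in selections if o != s], control_files) == full]


def override_variable(control_files, cf_id, name, value):
    """Copy of control_files with variable `name` set to `value` inside `cf_id`,
    used to show how a conflicting value across control files is reported."""
    cfs = copy.deepcopy(control_files)
    for control in cfs[cf_id]["controls"]:
        control["rules"] = [f"{name}={value}" if e.startswith(name + "=") else e
                            for e in control.get("rules", [])]
    return cfs


if __name__ == "__main__":
    rules, variables = resolve(PROFILE_SELECTIONS, CONTROL_FILES)
    print("selected by several control files:", duplicated_rules(rules))
    print("redundant for the resolved posture:",
          redundant_selections(PROFILE_SELECTIONS, CONTROL_FILES))
    print("variable conflicts:", conflicting_variables(variables))
    clashed = override_variable(CONTROL_FILES, "bsi_app_4_4",
                                "var_selinux_state", "permissive")
    print("variable conflicts after override:",
          conflicting_variables(resolve(PROFILE_SELECTIONS, clashed)[1]))
```

On the constructed data both bsi_app_4_4:all and bsi_sys_1_6:all come out as redundant for the resolved posture, which is the situation described in the comment; the override at the end shows why keeping the duplicate selections still needs a check: as soon as one of the shared control files sets var_selinux_state to a different value, the profile carries two values for the same variable and the resolver reports the conflict rather than silently picking one.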

@yuumasato
Member

/test 4.16-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.18-e2e-aws-rhcos4-bsi


openshift-ci bot commented Feb 28, 2025

@sluetze: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.16-e2e-aws-rhcos4-bsi deee809 link true /test 4.16-e2e-aws-rhcos4-bsi
ci/prow/4.18-e2e-aws-rhcos4-bsi deee809 link true /test 4.18-e2e-aws-rhcos4-bsi
ci/prow/4.17-e2e-aws-rhcos4-bsi deee809 link true /test 4.17-e2e-aws-rhcos4-bsi

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@rhmdnd
Collaborator

rhmdnd commented Mar 19, 2025

/test


openshift-ci bot commented Mar 19, 2025

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis
/test 4.12-e2e-aws-ocp4-cis-node
/test 4.12-e2e-aws-ocp4-e8
/test 4.12-e2e-aws-ocp4-high
/test 4.12-e2e-aws-ocp4-high-node
/test 4.12-e2e-aws-ocp4-moderate
/test 4.12-e2e-aws-ocp4-moderate-node
/test 4.12-e2e-aws-ocp4-pci-dss
/test 4.12-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.12-e2e-aws-ocp4-stig
/test 4.12-e2e-aws-ocp4-stig-node
/test 4.12-e2e-aws-rhcos4-e8
/test 4.12-e2e-aws-rhcos4-high
/test 4.12-e2e-aws-rhcos4-moderate
/test 4.12-e2e-aws-rhcos4-stig
/test 4.12-images
/test 4.13-e2e-aws-ocp4-bsi
/test 4.13-e2e-aws-ocp4-bsi-node
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-bsi
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-e2e-aws-ocp4-bsi
/test 4.14-e2e-aws-ocp4-bsi-node
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-rhcos4-bsi
/test 4.14-images
/test 4.15-e2e-aws-ocp4-bsi
/test 4.15-e2e-aws-ocp4-bsi-node
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-bsi
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node
/test 4.15-images
/test 4.16-e2e-aws-ocp4-bsi
/test 4.16-e2e-aws-ocp4-bsi-node
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-bsi
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-cis-node
/test 4.17-e2e-aws-ocp4-e8
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high-node
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate-node
/test 4.17-e2e-aws-ocp4-pci-dss
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-node
/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-e8
/test 4.17-e2e-aws-rhcos4-high
/test 4.17-e2e-aws-rhcos4-moderate
/test 4.17-e2e-aws-rhcos4-stig
/test 4.17-images
/test 4.18-e2e-aws-ocp4-bsi
/test 4.18-e2e-aws-ocp4-bsi-node
/test 4.18-e2e-aws-ocp4-cis
/test 4.18-e2e-aws-ocp4-cis-node
/test 4.18-e2e-aws-ocp4-e8
/test 4.18-e2e-aws-ocp4-high
/test 4.18-e2e-aws-ocp4-high-node
/test 4.18-e2e-aws-ocp4-moderate
/test 4.18-e2e-aws-ocp4-moderate-node
/test 4.18-e2e-aws-ocp4-pci-dss
/test 4.18-e2e-aws-ocp4-pci-dss-4-0
/test 4.18-e2e-aws-ocp4-pci-dss-node
/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.18-e2e-aws-ocp4-stig
/test 4.18-e2e-aws-ocp4-stig-node
/test 4.18-e2e-aws-rhcos4-bsi
/test 4.18-e2e-aws-rhcos4-e8
/test 4.18-e2e-aws-rhcos4-high
/test 4.18-e2e-aws-rhcos4-moderate
/test 4.18-e2e-aws-rhcos4-stig
/test 4.18-images
/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-arm
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-4-0
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-pci-dss-node-4-0
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-bsi
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-4.17-images
pull-ci-ComplianceAsCode-content-master-4.18-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@@ -0,0 +1,2 @@
---
default_result: MANUAL
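Review bot: with only default_result: MANUAL and no per-rule entries, this assertion file expects a single result for every rule in the profile and so says nothing about the automated rules the control files select (for example selinux_state, selinux_policytype and service_firewalld_enabled, listed earlier in this review); add expected results per rule, which the linked CI run already provides, so that a regression in those rules is caught instead of being accepted as MANUAL.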
Collaborator

We could use an assertion file to capture the entire posture of the BSI profile in a single place.

We should be able to use the one from CI results:

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/ComplianceAsCode_content/13121/pull-ci-ComplianceAsCode-content-master-4.16-e2e-aws-rhcos4-bsi/1895431334566825984#1:build-log.txt%3A1111

Contributor Author

@rhmdnd shall I add this to this PR or to a separate one?

@Anna-Koudelkova
Collaborator

Anna-Koudelkova commented Mar 31, 2025

/lgtm

Pre-merge verification steps:

  • Verify profile rhcos4-bsi-2022 exists:
$ oc get profiles |grep rhcos4-bsi
upstream-rhcos4-bsi                   	80m	2022
upstream-rhcos4-bsi-2022              	80m	2022
  • Verify rule only-allow-specific-certs exists and is part of the profile rhcos4-bsi
$  oc get rules |grep only-allow-specific-certs
upstream-rhcos4-only-allow-specific-certs                                                	82m

$ oc describe profile upstream-rhcos4-bsi-2022 |grep only-allow
  upstream-rhcos4-only-allow-specific-certs
  • Read the profile and rule description and see whether they are correctly associated
$ oc describe profile upstream-rhcos4-bsi-2022
...
$ oc describe rule upstream-rhcos4-only-allow-specific-certs
...
  • Perform a compliance scan using these profiles, check whether the autoremediation works and see the results of the scan

→ These have been checked by running test cases 80570 (Create and check scans for ocp4 and rhcos4 BSI profiles) and 80578 (Check the autoremediation works for BSI profiles) locally - Both test cases have PASSed and logs could be found in PR #23941 in the openshift-test-private repo.

@xiaojiey
Collaborator

xiaojiey commented Apr 8, 2025

/retest

@sluetze sluetze requested a review from yuumasato May 7, 2025 14:05
Labels
BSI PRs or issues for the BSI profile. ok-to-test Used by openshift-ci bot. OpenShift OpenShift product related.

5 participants