Add OCP4 STIG control file and auto-add references #11593
I was reviewing the built rule in stigid:
- CNTR-OS-000020
- CNTR-OS-000020
- CNTR-OS-000020 |
Thank you for the review @Mab879 I have added two commits regarding duplicate references.
Example traceback
|
I plan to post more details on the profile changes and address the code climate findings. |
1c968a5 to e0f27fa
e0f27fa to a9cb965
🤖 A k8s content image for this PR is available at:
Click here to see how to deploy it
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
bcff6c1 to 27ff094
/hold for test |
Verification failed with 4.15.0-rc.5 + compliance-operator.v1.4.0 + PR #11593 code
@yuumasato Could you please help me check this issue. Thanks |
@BhargaviGudi the mentioned rules are in the profile: But for various reasons they result in But the most curious ones are the
content/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml Line 37 in 011089d
|
Thanks @Vincent056. So the rules' |
Verification pass with 4.16.0-0.nightly-2024-02-26-013420
upstream-rhcos4-stig-master DONE NON-COMPLIANT |
/unhold |
@rhmdnd @Vincent056 I'll move the rules from |
Actually, it will be laborious to move the rules from the control file to the profile file. As we have both |
@rhmdnd @Vincent056 Turns out all the rules are The data stream doesn't have extraneous |
ed9e06d to 8fcad8b
I have updated some of the controls' pending status and rebased to latest master. |
/test e2e-aws-ocp4-stig |
ocp4 and rhcos4 products should have a different URI than the unix-linux products. The OpenShift Container Platform STIG can be found at https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
Update SRG CTR reference to a more specific URI. The application-servers is about Apache, JBoss and other server applications.
Run test_product_stability.py --update-reference-data to update 'stigid' and 'srg-app-ctr' for ocp4 and rhcos4.
Run test_product_stability.py --update-reference-data to update and update all products stability data.
/test e2e-aws-ocp4-stig |
ping @dodys @teacup-on-rockingchair @Mab879 regarding product stability data |
Code Climate has analyzed commit 4d7e9a2 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 36.3% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.8% (0.0% change). View more on Code Climate. |
/hold for test |
lgtm, thanks!
LGTM.
Verification passed with 4.16.0-0.nightly-2024-03-11-195522 + compliance-operator
|
/unhold |
lgtm 🙇
Follow on patch to ComplianceAsCode#11593
Description:
CNTR-OS-XXXX).
SRG-APP-XXXXXX-CTR-XXXXXX references:
container-platform and fix STIG ID URIs
app-srg-ctr reference URI and updated stigid URI for ocp4 and rhcos4.
test_product_stability.py --update-reference-data
Rationale:
container-platform URI more accurately points to the source of SRG CTR and STIG ID.
ocp4 and rhcos4 and check that references SRG-APP-XXXXXX-CTR-XXXXX and CNTR-OS-XXXXX have href pointing to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
Review Hints:
ocp4 and rhcos4 are there.
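The href check from the review hints, combined with the duplicate-reference case raised earlier in the conversation, as an added example (not code from this PR or from the ComplianceAsCode project). It assumes the built content uses XCCDF 1.2 reference elements inside Rule elements; the sample XML, the rule ids, the old application-servers href and every reference number except CNTR-OS-000020 are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# URI quoted in the PR description for ocp4 and rhcos4 STIG/SRG CTR references.
EXPECTED_HREF = "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform"
# Reference shapes named in the description: CNTR-OS-XXXXX and SRG-APP-XXXXXX-CTR-XXXXXX.
STIG_REF = re.compile(r"^(CNTR-OS-\d+|SRG-APP-\d+-CTR-\d+)$")


def audit_references(xml_text):
    """Return (wrong_href, duplicates), each a list of (rule_id, reference_text)."""
    root = ET.fromstring(xml_text)
    wrong_href, duplicates = [], []
    # iter() also finds Rules nested in Groups or inside a data stream component.
    for rule in root.iter(XCCDF + "Rule"):
        seen = Counter()
        for ref in rule.findall(XCCDF + "reference"):
            text = (ref.text or "").strip()
            if not STIG_REF.match(text):
                continue  # other reference families (CIS, NIST, ...) are out of scope
            seen[text] += 1
            if ref.get("href") != EXPECTED_HREF:
                wrong_href.append((rule.get("id"), text))
        duplicates += [(rule.get("id"), t) for t, n in seen.items() if n > 1]
    return wrong_href, duplicates


# Constructed sample: rule_a repeats one STIG ID three times, rule_b carries a
# stale (constructed) href on its SRG CTR reference.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
  <Rule id="rule_a">
    <reference href="{ok}">CNTR-OS-000020</reference>
    <reference href="{ok}">CNTR-OS-000020</reference>
    <reference href="{ok}">CNTR-OS-000020</reference>
  </Rule>
  <Rule id="rule_b">
    <reference href="{old}">SRG-APP-000033-CTR-000090</reference>
    <reference href="{ok}">CNTR-OS-000030</reference>
  </Rule>
</Benchmark>""".format(
    ok=EXPECTED_HREF,
    old="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers",
)

if __name__ == "__main__":
    wrong, dups = audit_references(SAMPLE)
    print("wrong href:", wrong)
    print("duplicates:", dups)
```

To run it against real content, pass the text of a built ocp4 or rhcos4 XCCDF or data stream file to audit_references instead of SAMPLE.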