Remove rules that cannot be applied during image build #10946
Conversation
Public Cloud images are built in a context that is different from a running system. For example systemd is not running. As such systemctl start and systemctl status will fail, see issue ComplianceAsCode#10945 for details. Remove firewalld rule outright; in the cloud other mechanisms exist for handling connections to a running system and is generally the recommendation not to run a firewall in the instance Comment out the logrotate rule, we'd like to re-enable this after ComplianceAsCode#10945 is addressed Comment out pam due to the way bash behaves. Requires a separate PR to address the bash issue. No issue filed yet.
|
Hi @rjschwei. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
Mab879
added
SLES
|
Code Climate has analyzed commit 6e1ef14 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.2% (0.0% change). View more on Code Climate. |
|
I looked at the failure on test Gate / Build, Test on Fedora Rawhide (Container) (pull_request) And don't see how this could be related to this change. |
|
The hardening profiles are used to apply rules to off-line images that will then be sent to cloud service providers. Since the is OS is not active when the hardening is done, the profiles should not reference rules that require active system services. When the original work was done, the rules to be removed at least appeared to pass the post remediation restest. That is no longer the case, so we want to remove the rules for the hardening profiles. |
teacup-on-rockingchair
merged commit 39ba9af
into
ComplianceAsCode:master
Public Cloud images are built in a context that is different from a running system. For example systemd is not running. As such systemctl start and systemctl status will fail, see issue #10945 for details.
Remove firewalld rule outright; in the cloud other mechanisms exist for handling connections to a running system and is generally the recommendation not to run a firewall in the instance
Comment out the logrotate rule, we'd like to re-enable this after #10945 is addressed
Comment out pam due to the way bash behaves. Requires a separate PR to address the bash issue. No issue filed yet.
Description:
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes # Issue number here (e.g. Updating sysctl XCCDF naming #26) or remove this line if no issue exists.
Review Hints:
Review hints here. Replace this text. Don't use the italics format!
Use this optional section to give any relevant information which could help the reviewer to more quickly and assertively understand and test the changes.
Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc.