Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update PCI-DSS profile for RHEL #11267

Merged
merged 22 commits into from
Nov 17, 2023
Merged

Update PCI-DSS profile for RHEL #11267

merged 22 commits into from
Nov 17, 2023

Conversation

marcusburghardt
Copy link
Member

Description:

PCI-DSS profiles for RHEL products were based on PCI-DSSv3.2.1, which will be retired in March 2024.
There was already a control file for PCI-DSSv4, which was largely reviewed and updated by #11214

In this meantime it was also enabled CI tests for PCI-DSS profile by #11257

This PR is finally updating the RHEL profiles to consume the PCI-DSSv4 control file.

Rationale:

  • Keep updated with PCI-DSS.

Review Hints:

Specially the test-farm tests should be very important to detect issues
Additional tests can be executed locally with automatus.

@marcusburghardt
Update PCI-DSS profile for RHEL9
2c7b9f0 
The profile is now consuming the pcidss_4 control file. Previous pcidss
profile for RHEL 9 was based on PCI-DSSv3.2.1.
@marcusburghardt
Update PCI-DSS profile for RHEL8
f1f101f 
The profile is now consuming pcidss_4 control file. Previous pcidss
profile for RHEL 8 was based on PCI-DSSv3.2.1.
@marcusburghardt
Update PCI-DSS profile for RHEL7
43eb517 
The profile is now consuming pcidss_4 control file. Previous pcidss
profile for RHEL 7 was based on PCI-DSSv3.2.1.
@marcusburghardt marcusburghardt added RHEL Red Hat Enterprise Linux product related. Highlight This PR/Issue should make it to the featured changelog. Update Profile Issues or pull requests related to Profiles updates. pci-dss labels Nov 10, 2023
@marcusburghardt marcusburghardt added this to the 0.1.71 milestone Nov 10, 2023
@marcusburghardt marcusburghardt requested a review from a team as a code owner November 10, 2023 08:45
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@marcusburghardt marcusburghardt marked this pull request as draft November 10, 2023 09:00
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 10, 2023
@marcusburghardt
Copy link
Member Author

There are already some few issues caught by CI tests. I will fix them before moving this PR from Draft to Ready.

@marcusburghardt
Define prodtype for set_ipv6_loopback_traffic
172c52c 
Deinition based on current presence of the rule in existing profiles
and control files.
@marcusburghardt
Define prodtype for package_audit-audispd-plugins_installed
ba8a0d2 
Deinition based on current presence of the rule in existing profiles and
control files.
@marcusburghardt
Define prodtype for set_loopback_traffic
5a4f463 
Deinition based on current presence of the rule in existing profiles and
control files.
@marcusburghardt
Define prodtype for NTP service rules
49ad9ee 
These two rules are very similar but use a different name for the
service. It would be possible to unify these templated rules in the
future and deprecate one of them. For now, it is only included the
prodtype in both rules based on the current presence of the rule in
existing profiles and control files.
@marcusburghardt
Define prodtype for ntpd_specify_multiple_servers
0b5e226 
Deinition based on current presence of the rule in existing profiles
and control files.
@marcusburghardt
Define prodtype for ntpd_specify_remote_server
8d0e22b 
Deinition based on current presence of the rule in existing profiles
and control files.
@marcusburghardt
Include rhel cces in ntpd_specify_multiple_servers
5bfd8b0 
This rule is used by extention in
chronyd_or_ntpd_specify_multiple_servers.
@marcusburghardt
Include rhel8 in prodtype for service_ntpd_enabled
1978afc 
Also included rhel8 cce. This rule is used by extention in
chronyd_or_ntpd_specify_remote_server,
chronyd_or_ntpd_specify_multiple_servers, and
service_chronyd_or_ntpd_enabled, all used in rhel8.
@marcusburghardt
Include rhel8 in prodtype for ntpd_specify_remote_server
37bcd4e 
Also included rhel8 cce. This rule is used by extention in
chronyd_or_ntpd_specify_remote_server.
@marcusburghardt
Update pcidss reference for rhel8 profile stability test
0b41091
@marcusburghardt marcusburghardt marked this pull request as ready for review November 13, 2023 15:50
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 13, 2023
@marcusburghardt
Copy link
Member Author

@teacup-on-rockingchair and @dodys , after the third commit in this PR I included "prodtype" in some rules used by SUSE and Ubuntu. Could you take a look if you are fine with these prodtype changes, please?

@Mab879 Mab879 self-assigned this Nov 13, 2023
dodys
dodys reviewed Nov 13, 2023
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a minor comment

linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml Outdated
@@ -1,5 +1,7 @@
documentation_complete: true

prodtype: fedora,ol9,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we currently have this rule only in ubuntu2004

Copy link
Member Author

@marcusburghardt marcusburghardt Nov 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Removing these products from the product type raises some concerns:
https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#agreements

It would remove them from data streams. Is that ok for you? Otherwise we can keep them there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to figure out something for RHEL 9 as the package doesn't exist there.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, the package doesn't exist there. But the rule was already already in the data stream by the absence of prodtype.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is worth noting that the rule is not selected in any of our shipped RHEL 9 profiles as of b461247 . How about putting a comment to the rule.yaml file explaining why the rhel9 profile got there?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Managed by b95070c , 2f2e088 and 2d4af5f

@marcusburghardt
Include ol8 in prodtype for service_ntpd_enabled
0fc8df8 
Error was reported by CI tests.
@marcusburghardt
Include ol8 in prodtype for ntpd_specify_remote_server
00503fc 
Reported by CI tests.
@marcusburghardt
Include rhv4 in prodtype for ntpd_specify_remote_server
fcaec63 
Reported by CI tests.
@marcusburghardt
Complement pcidss_4 requirement 10.3.3
b95070c 
Include the package_audispd-plugins_installed rule used for RHEL.
@marcusburghardt
Exclude rule in pci-dss profile for rhel9
2f2e088 
Excluded the rule package_audit-audispd-plugins_installed in favor of
package_audispd-plugins_installed.
@marcusburghardt
Remove old ubuntu versions from package_audit-audispd-plugins_installed
2d4af5f 
The rule is only used by ubuntu2004 so the ubuntu1604 and ubuntu1804
introcuded by a previous commit were removed now.
@marcusburghardt marcusburghardt mentioned this pull request Nov 17, 2023
Open
@marcusburghardt
Exclude rpm_verify_permissions in pcidss profiles for RHEL
582f247 
CI tests detected the rpm_verify_permissions rule is failing after
pci-dss remediation. More investigation is needed before enabling this
rule. Issue ComplianceAsCode#11285
@marcusburghardt
Update pcidss reference for rhel8 profile stability test
962956c
@codeclimate CodeClimate
Copy link

codeclimate bot commented Nov 17, 2023

Code Climate has analyzed commit 962956c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.8%.

View more on Code Climate.

@marcusburghardt
Copy link
Member Author

I believe we are good now. There is one issue that can be investigated in a separate PR: #11285

Mab879
Mab879 approved these changes Nov 17, 2023
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Thank you for your hard work.

@Mab879 Mab879 merged commit cfc9388 into ComplianceAsCode:master Nov 17, 2023
@marcusburghardt marcusburghardt deleted the pci_dss_rhel branch November 17, 2023 18:48
@vojtapolasek vojtapolasek mentioned this pull request Nov 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vojtapolasek vojtapolasek vojtapolasek left review comments

@dodys dodys dodys left review comments

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
Highlight This PR/Issue should make it to the featured changelog. pci-dss RHEL Red Hat Enterprise Linux product related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.71
Development

Successfully merging this pull request may close these issues.
4 participants
@marcusburghardt @Mab879 @vojtapolasek @dodys