Applying remediations after full scan causes dependency problems between related rules #1880
Example of a problem
There are 2 rules in a benchmark:

1. `no_tmux_in_shells` (`tmux` is not listed in the `/etc/shells` file)
2. `package_tmux_installed` (the `tmux` package is installed)

The `tmux` package is not installed by default, therefore the result of remediation will be:

```
1: pass
2: fixed
```

But an additional scan of the system will result in:

```
1: fail
2: pass
```

This is because the remediation of the rule `package_tmux_installed` will add `tmux` into the `/etc/shells` file, which will make the rule `no_tmux_in_shells` fail.

There are many more such cases (and slowly they are increasing in count), e.g.:
ComplianceAsCode/content#8913
ComplianceAsCode/content#8487
ComplianceAsCode/content#9132
ComplianceAsCode/content#9250
Currently, the only workaround is to run the remediation once more which should fix those dependent rules.
The issue can be solved by applying the remediation after scanning each rule, which would solve the issue if the rules are properly ordered in the benchmark (e.g. rules about package installation/removal are sorted first in the benchmark).
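To reproduce the behaviour described above without touching a real system, here is an added shell example (it is neither openscap project code nor the issue author's): the two rules are modelled as check/fix functions on a scratch copy of `/etc/shells`, and the same benchmark is remediated once, twice (the current workaround) and in package-first order (the proposed fix). The function names, the scratch paths and the marker file standing in for "package installed" are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not openscap project code): reproduces the ordering problem
# from the issue on a scratch copy of /etc/shells so it can be run offline.
# The rule/fix functions, the marker file and the scratch paths are stand-ins
# for the real OVAL checks and bash remediations (assumptions, not real names).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHELLS="$WORK/shells"         # stand-in for /etc/shells (constructed content)
PKG="$WORK/tmux.installed"    # marker file: "the tmux package is installed"

reset_state() {               # fresh system: tmux not installed, not in shells
  printf '/bin/sh\n/bin/bash\n' > "$SHELLS"
  rm -f "$PKG"
}

# Rule 1: no_tmux_in_shells. Pass when no entry of /etc/shells ends in /tmux.
check_no_tmux_in_shells() { ! grep -q '/tmux$' "$SHELLS"; }
fix_no_tmux_in_shells() {
  grep -v '/tmux$' "$SHELLS" > "$SHELLS.new" && mv "$SHELLS.new" "$SHELLS"
}

# Rule 2: package_tmux_installed. Pass when the package marker exists. The
# fix mimics the package install adding its binary to /etc/shells, which is
# exactly what re-breaks rule 1 after a full remediation pass.
check_package_tmux_installed() { [ -e "$PKG" ]; }
fix_package_tmux_installed() { : > "$PKG"; echo /usr/bin/tmux >> "$SHELLS"; }

# Evaluate one rule; prints "<rule>: pass|fail" like a scan result line.
scan_rule() {
  if "check_$1"; then echo "$1: pass"; else echo "$1: fail"; fi
}

# Evaluate, remediate if needed, re-check: "<rule>: pass|fixed|error".
remediate_rule() {
  if "check_$1"; then echo "$1: pass"
  elif "fix_$1" && "check_$1"; then echo "$1: fixed"
  else echo "$1: error"; fi
}

# One full remediation pass over the benchmark in the given rule order.
remediate_pass() { for r in "$@"; do remediate_rule "$r"; done; }

# Scenario from the issue: benchmark order rule 1, rule 2; one pass; rescan.
one_pass_then_rescan() {
  reset_state
  remediate_pass no_tmux_in_shells package_tmux_installed >/dev/null
  scan_rule no_tmux_in_shells
}

# Current workaround: run the whole remediation a second time.
two_passes_then_rescan() {
  reset_state
  remediate_pass no_tmux_in_shells package_tmux_installed >/dev/null
  remediate_pass no_tmux_in_shells package_tmux_installed >/dev/null
  scan_rule no_tmux_in_shells
}

# Proposed fix: package rules first, each rule remediated right after its
# scan, so later rules are evaluated against the state earlier fixes left.
ordered_pass_then_rescan() {
  reset_state
  remediate_pass package_tmux_installed no_tmux_in_shells >/dev/null
  scan_rule no_tmux_in_shells
}

one_pass_then_rescan        # no_tmux_in_shells: fail
two_passes_then_rescan      # no_tmux_in_shells: pass
ordered_pass_then_rescan    # no_tmux_in_shells: pass
```

The first call prints `fail` even though the remediation pass reported rule 1 as `pass`, because rule 2's fix changed the file after rule 1 had already been checked; the second pass and the reordered pass both end with rule 1 passing.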