Add al2023 product

Open hipponix opened this issue 1 year ago • 2 comments

Description:

  • Add AL2023 Product
  • Add CIS level 1 and level 2 controls

Rationale:

  • AWS is now supporting AL2023 and has announced the end of life for AL2
  • The AL2023 product is missing from the existing catalog

Review Hints:

./build_product -j 8 al2023

hipponix avatar May 20 '24 08:05 hipponix

Hi @hipponix. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar May 20 '24 08:05 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

al2023 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar May 20 '24 08:05 github-actions[bot]

@marcusburghardt should you need more work here from my end, or even split it into multiple PRs to ease your review process, just let me know. This is my first PR here and I might have (mistakenly) skipped needed practices. Best Mirco

hipponix avatar May 29 '24 09:05 hipponix

Hi @hipponix, first, thanks for the contribution. I didn't have time to review this PR (likely other project maintainers didn't either). We should manage it soon.

marcusburghardt avatar May 29 '24 09:05 marcusburghardt

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:12006 This image was built from commit: 1324b12e4fa3d3f32422583d7e013db8bd46441b

Click here to see how to deploy it

If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12006

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12006 make deploy-local

github-actions[bot] avatar May 29 '24 09:05 github-actions[bot]

no intent to put some pressure here, thanks @marcusburghardt ! I noticed there are quite a few PRs to be processed so you maintainers might be very busy.

hipponix avatar May 29 '24 11:05 hipponix

@hipponix do not merge master into your feature branch, that creates unnecessary commits, please rebase your branch instead

dodys avatar May 31 '24 13:05 dodys

/packit build

dodys avatar Jun 05 '24 08:06 dodys

@hipponix a quick rebase on master to resolve the conflicts in .github/workflows/gate_fedora.yml should get this in a good state for a full review.

Mab879 avatar Jun 10 '24 15:06 Mab879

It seems there are issues in the controls/cis_al2023.yml file in this PR. The file seems to be copied from RHEL 9, and the titles and section numbers are not correct for Amazon Linux 2023.

I've made, coincidentally, a similar PR to add support for Amazon Linux, (#12060), which contains a controls/cis_al2023.yml file entirely generated from scratch, starting from the CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf document.

I think this current PR could be merged as is, then I could open a new PR to fix the controls/cis_al2023.yml file.

0intro avatar Jun 12 '24 15:06 0intro

I would rather suggest that Mirco (@hipponix) add your commit: https://github.com/ComplianceAsCode/content/pull/12060/commits/2a5ffe75a310a26b3a128652b050f2cd9649e2c0 to this PR, keeping your contribution that way and as the author of the change

dodys avatar Jun 12 '24 15:06 dodys

Yes, we may do that as well. As far as I've seen, the only change that would have to be made to this commit would be sed s/ensure_redhat_gpgkey_installed/ensure_amazon_gpgkey_installed/

0intro avatar Jun 12 '24 15:06 0intro

@hipponix I think you could include this commit as is: https://github.com/0intro/content/commit/975b25cf6d0ec162d7b05e4407ab5ff527602c24

0intro avatar Jun 12 '24 16:06 0intro

Hi @0intro, thanks for stepping in here! I used RHEL 9 as a reference to guide me through the project build and structure, but I can guarantee that controls/cis_al2023.yml has been created from scratch by following the official CIS AL2023 Linux benchmark .. RHEL 9 has a different structure and content :)

I might have missed something though .. will contact you shortly and ask for help!

Thanks and speak soon.

hipponix avatar Jun 12 '24 21:06 hipponix

The controls/cis_al2023.yml file currently available as part of this PR is nearly identical to controls/cis_rhel9.yml, with the removal of l1_workstation and l2_workstation.

Just by looking at the beginning of controls/cis_al2023.yml, I can see that sections 1.1.1.3 to 1.1.1.7 are missing, compared to CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf.

There are a lot of other inaccuracies, like:

  • Incorrect section numbers (example: "Ensure core dump storage is disabled" should be 1.5.3 instead of 1.5.1).
  • Incorrect section titles (example: "Ensure usb-storage is disabled" should be "Disable USB Storage").
  • Sections that are missing (example: "3.1.3 Ensure SCTP is disabled").
  • Sections that don't exist (example: section 6.2.12 to 6.2.16 don't exist in the PDF).
  • Wrong profile (example: section 1.1.1.1 should be l2_server instead of l1_server).

You can compare the controls/cis_al2023.yml file from this PR to the controls/cis_al2023.yml file I wrote, which matches CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf pretty much exactly.

0intro avatar Jun 13 '24 01:06 0intro

Hi @0intro

You're right, the actual file is not what I wanted to provide and it has been (mistakenly) reverted back during a previous rebase. I think I've overlooked it.

Here you can find a commit on my branch, two weeks ago approx .. with a proper file reflecting CIS controls: https://github.com/hipponix/content/blob/e745325648f56fa2b74c04352549790d4deb38a9/controls/cis_al2023.yml

I tried my best to follow any single control from CIS by following their existing review - But you're right in saying the initial copy was a pure RH9 version, which I have later dismissed in favor of a new file version.

Let me put this back and kindly ask you to review it ..

Thank you!

hipponix avatar Jun 13 '24 12:06 hipponix

OK, I've started to look at it, and it looks much better. I have some remarks however.

Could you please include this change in this PR, so I could do a proper review? Thanks.

0intro avatar Jun 13 '24 12:06 0intro

Done!

hipponix avatar Jun 13 '24 15:06 hipponix

pausing and converting into draft this PR for now as I would need to perform more tests on AL2023 and check for any possible regressions should have anything been wrongly introduced.

hipponix avatar Jun 13 '24 17:06 hipponix

Thanks, but your last commit doesn't contain the right cis_al2023.yaml file.

0intro avatar Jun 13 '24 19:06 0intro

almost done, now testing on AL2023 (CIS detection and remediation)

hipponix avatar Jun 17 '24 12:06 hipponix

just noticed al2023 does not need the NetworkManager support and it implies a different detection/remediation. @0intro if you have already tackled it by any chance, feel free to chime in or contribute. Thanks!

hipponix avatar Jun 17 '24 13:06 hipponix

What rules are relying on NetworkManager? By the way, there are also some incorrect references to NetworkManager in the CIS Amazon Linux 2023 Benchmark PDF (notably section 3.4.2.1), but that's not the only inconsistency in the PDF.

Also, the controls/cis_al2023.yml file is still not the proper one (it's still the RHEL 9 one). Could you replace it from the one from https://github.com/hipponix/content/blob/e745325648f56fa2b74c04352549790d4deb38a9/controls/cis_al2023.yml? It overall sounds good, but I have some remarks on it.

0intro avatar Jun 17 '24 17:06 0intro

  • NetworkManager -> the remediation ansible playbook generated by the oscap xccdf generate fix command, introduces a change for the NetworkManager which is not the default network component on AL2023, as it uses systemd-network if I recall it correctly. The ansible file is generated via this file here : linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/ansible/shared.yml and precisely within this extract, starting from line 30 below (this is where AL2023 lands):
{{% if product in ["sle12", "sle15"] %}}
 11 
 12 - name: Wicked Deactivate Wireless Network Interfaces
 13   command: wicked ifdown {{ item }}
 14   loop: '{{ ansible_facts.interfaces }}'
 15   when:
 16     - ansible_facts.services['wickedd.service'].state == 'running'
 17     - 'item.startswith("wl")'
 18 
 19 - name: Wicked Disable Wireless Network Interfaces
 20   lineinfile:
 21     path: /etc/sysconfig/network/ifcfg-{{ item }}
 22     regexp: '^STARTMODE='
 23     line: STARTMODE=off
 24   loop: '{{ ansible_facts.interfaces }}'
 25   when:
 26     - ansible_facts.services['wickedd.service'].state == 'running'
 27     - 'item.startswith("wl")'
 28 {{%- else %}}
 29 
 30 - name: Ensure NetworkManager is installed
 31   ansible.builtin.package:
 32     name: "{{ item }}"
 33     state: present
 34   with_items:
 35     - NetworkManager

Not an expert here and fairly new instead, please correct me where I am wrong.

  • controls/cis_al2023.yml -> this is what I see in my repo also opening the same through the codespace above within this PR : https://github.com/hipponix/content/blob/8138dc32ab7a1f3a7365d341964c54352b260e01/controls/cis_al2023.yml What do you mean by "still the RHEL 9" one .. please point me to the mistake and I will promptly correct.

Again, sorry if I mistakenly messed things up!

hipponix avatar Jun 17 '24 19:06 hipponix

Yes, NetworkManager is not present in Amazon Linux 2023.

The issue is that in your current controls/cis_al2023.yml file, there is this rule:

  - id: 3.1.2
    title: Ensure wireless interfaces are disabled (Automated)
    levels:
      - l1_server
    status: automated
    rules:
      - wireless_disable_interfaces

However, this rule doesn't exist in CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf. This issue will disappear once you have fixed the controls/cis_al2023.yml file.

That file is basically a copy of controls/cis_rhel9.yml with the l1_workstation and l2_workstation configuration profiles removed. This is quite different from what is described in CIS_Amazon_Linux_2023_Benchmark_v1.0.0.pdf. For example, just by looking at the beginning of the file, I can see that sections from 1.1.1.3 to 1.1.1.7 are missing.

Earlier, you posted a different version of the controls/cis_al2023.yml (present on your repository, but the reference is missing from your current branch) which was much better: https://github.com/hipponix/content/blob/e745325648f56fa2b74c04352549790d4deb38a9/controls/cis_al2023.yml.

If you replace the current controls/cis_al2023.yml file by your other version of the file, it should be good for further review (and will fix your wireless_disable_interfaces rule issue).

Thanks.

0intro avatar Jun 17 '24 19:06 0intro

Thanks @0intro

hipponix avatar Jun 18 '24 11:06 hipponix

@0intro do we have any additional testing tool to validate the syntax/lint/cis-control you've just pointed out to me or is it just by you looking at the CIS control file? I've read the contributor/developer docs and might have missed any useful cmd line (or automation) tool I can leverage next time to early detect syntax and CIS content issue along with avoiding you guys validating it for me, and consuming precious time.

Thanks for helping @0intro , appreciate your step by step validation. I feel like it is becoming more and more robust.

Best

hipponix avatar Jun 18 '24 14:06 hipponix

Actually, I independently wrote the controls/cis_al2023.yml file on my side a few weeks ago. I started from the CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0.pdf document and converted it to the YAML format, partly automatically and partly manually. Then I compared it to controls/cis_rhel9.yml to match the rule names.

It's easy to make mistakes in this process, so I've compared your version with mine, so we get the best of both of our versions.

I think it may be worth, in the future, to write a proper parser that converts from the PDF CIS documents to the controls YAML format.

0intro avatar Jun 18 '24 14:06 0intro
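The defect classes listed in the review above (sections missing from the file, sections that do not exist in the benchmark, controls filed under the wrong section number, mismatched titles, wrong levels) and the rule-name matching step are all mechanical once the benchmark's section list is transcribed into a table, which also answers the question about catching such problems before a human review. The script below is an added example, not ComplianceAsCode's own tooling: it reads a constructed excerpt in the shape of controls/cis_al2023.yml (written with YAML flow sequences for brevity), compares it against a constructed benchmark index and a constructed set of known rule ids, and reports one finding per defect. Every id, title, level and rule name in it is assumed for illustration.

```python
# Added example (not ComplianceAsCode tooling): cross-check a controls file against
# a CIS benchmark index.  A minimal reader is used so it runs without PyYAML.
import re

# Constructed excerpt in the shape of controls/cis_al2023.yml; entries are chosen to
# exhibit the defect classes raised in review, not copied from the benchmark.
CONTROLS_YAML = """\
controls:
  - id: 1.1.1.1
    title: Ensure cramfs kernel module is not available (Automated)
    levels: [l1_server]
    rules: [kernel_module_cramfs_disabled]
  - id: 1.1.1.8
    title: Ensure usb-storage is disabled (Automated)
    levels: [l1_server]
    rules: [kernel_module_usb-storage_disabled]
  - id: 1.2.1
    title: Ensure GPG keys are configured (Manual)
    levels: [l1_server]
    rules: [ensure_redhat_gpgkey_installed]
  - id: 1.5.1
    title: Ensure core dump storage is disabled (Automated)
    levels: [l1_server]
    rules: [coredump_disable_storage]
  - id: 3.1.2
    title: Ensure wireless interfaces are disabled (Automated)
    levels: [l1_server]
    rules: [wireless_disable_interfaces]
"""

# Constructed benchmark index, section id -> (title, level), of the kind one
# transcribes from the PDF's table of contents.  Assumed values.
BENCHMARK = {
    "1.1.1.1": ("Ensure cramfs kernel module is not available", "l2_server"),
    "1.1.1.3": ("Ensure hfs kernel module is not available", "l1_server"),
    "1.1.1.8": ("Disable USB Storage", "l1_server"),
    "1.2.1": ("Ensure GPG keys are configured", "l1_server"),
    "1.5.3": ("Ensure core dump storage is disabled", "l1_server"),
    "3.1.3": ("Ensure SCTP is disabled", "l2_server"),
}

# Constructed set of rule ids that exist in the content tree (in the real repo,
# every directory under linux_os/guide that holds a rule.yml).
KNOWN_RULES = {
    "kernel_module_cramfs_disabled", "kernel_module_hfs_disabled",
    "kernel_module_usb-storage_disabled", "ensure_amazon_gpgkey_installed",
    "coredump_disable_storage", "wireless_disable_interfaces",
}


def parse_controls(text):
    """Minimal reader for the 'controls:' list above; real files should go through PyYAML."""
    controls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"- id:\s*(\S+)$", line)
        if m:
            current = {"id": m.group(1), "title": "", "levels": [], "rules": []}
            controls.append(current)
        elif current is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key in ("levels", "rules"):  # flow sequence: [a, b]
                current[key] = [v.strip() for v in val.strip("[]").split(",") if v.strip()]
            elif key == "title":
                current[key] = val
    return controls


def normalize(title):
    """Drop the '(Automated)'/'(Manual)' suffix and case so titles compare by content."""
    return re.sub(r"\s*\((Automated|Manual)\)$", "", title).strip().lower()


def check_controls(controls, benchmark, known_rules):
    """Return sorted (kind, section, detail) findings for a parsed controls list."""
    by_title = {normalize(t): sid for sid, (t, _) in benchmark.items()}
    findings, seen = [], set()
    for c in controls:
        seen.add(c["id"])
        findings += [("unknown_rule", c["id"], r) for r in c["rules"] if r not in known_rules]
        if c["id"] not in benchmark:
            other = by_title.get(normalize(c["title"]))  # same control under another number?
            kind = "renumbered" if other else "nonexistent_section"
            findings.append((kind, c["id"], other or ""))
            seen.add(other)  # None when nonexistent; harmless in the set
            continue
        title, level = benchmark[c["id"]]
        if normalize(c["title"]) != normalize(title):
            findings.append(("title_mismatch", c["id"], title))
        if level not in c["levels"]:
            findings.append(("wrong_level", c["id"], level))
    findings += [("missing_section", sid, "") for sid in benchmark if sid not in seen]
    return sorted(findings)


if __name__ == "__main__":
    report = check_controls(parse_controls(CONTROLS_YAML), BENCHMARK, KNOWN_RULES)
    for kind, section, detail in report:
        print(f"{kind:20} {section:8} {detail}")
```

On the constructed data this reports seven findings: two sections missing from the file, one section that is not in the benchmark, one control filed under the wrong number, one title mismatch, one reference to a rule id the content tree does not have, and one level that disagrees with the benchmark. Pointing it at a real controls file means loading that file with PyYAML instead of the minimal reader, collecting rule ids from the rule.yml directories, and transcribing the benchmark's section table from the PDF, which is the parser step 0intro suggests writing.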

@0intro changes applied as per your reviews - could you pls have a final look at it ?

hipponix avatar Jun 20 '24 10:06 hipponix

@Mab879 let me know should you need anything else from my side. Thank you!

hipponix avatar Jun 24 '24 08:06 hipponix