
Update Ubuntu 20.04 DISA Manual STIG to v1r12

Open yunimoo opened this issue 1 year ago • 9 comments

Description:

  • This commit will update Ubuntu 20.04 DISA Manual STIG from v1r9 to v1r12.

Rationale:

  • Part of Ubuntu 20.04 DISA STIG v1r12 profile upgrade

Review Hints:

Build the product:

./build_product ubuntu2004

To test these changes, please ensure that the remediation headers are updated to V1R12.

The Manual STIG is the current latest version, and was obtained from DISA's website. For reference, please review: https://public.cyber.mil/stigs/downloads/

yunimoo avatar Aug 11 '24 00:08 yunimoo

Hi @yunimoo. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Aug 11 '24 00:08 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Aug 11 '24 00:08 github-actions[bot]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:12291 This image was built from commit: 886353a0e1449179ba6f10e65ea7037fd7061151

Click here to see how to deploy it

If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12291

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12291 make deploy-local

github-actions[bot] avatar Aug 12 '24 06:08 github-actions[bot]

Code Climate has analyzed commit 886353a0 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Aug 12 '24 07:08 qlty-cloud-legacy[bot]

you should update the profile as well

Thanks for feedback, I'll spend time observing the STIG modifications with the previous Manual STIG

ghost avatar Aug 12 '24 12:08 ghost

Leaving this for background info, these are the differences:

./utils/compare_ds.py ./shared/references/disa-stig-ubuntu2004-v1r9-xccdf-manual.xml ./shared/references/disa-stig-ubuntu2004-v1r12-xccdf-manual.xml 
SV-238198r653769_rule is missing in new data stream.
SV-238210r917810_rule is missing in new data stream.
SV-238211r877395_rule is missing in new data stream.
SV-238212r858521_rule is missing in new data stream.
SV-238213r858523_rule is missing in new data stream.
SV-238214r858525_rule is missing in new data stream.
SV-238216r877465_rule is missing in new data stream.
SV-238217r877465_rule is missing in new data stream.
SV-238218r877377_rule is missing in new data stream.
SV-238219r858533_rule is missing in new data stream.
SV-238220r858535_rule is missing in new data stream.
SV-238252r653931_rule is missing in new data stream.
SV-238253r653934_rule is missing in new data stream.
SV-238254r653937_rule is missing in new data stream.
SV-238255r653940_rule is missing in new data stream.
SV-238256r653943_rule is missing in new data stream.
SV-238257r653946_rule is missing in new data stream.
SV-238277r654006_rule is missing in new data stream.
SV-238278r654009_rule is missing in new data stream.
SV-238279r654012_rule is missing in new data stream.
SV-238280r654015_rule is missing in new data stream.
SV-238281r654018_rule is missing in new data stream.
SV-238282r654021_rule is missing in new data stream.
SV-238283r654024_rule is missing in new data stream.
SV-238284r654027_rule is missing in new data stream.
SV-238288r833012_rule is missing in new data stream.
SV-238289r654042_rule is missing in new data stream.
SV-238290r654045_rule is missing in new data stream.
SV-238291r654048_rule is missing in new data stream.
SV-238292r654051_rule is missing in new data stream.
SV-238293r654054_rule is missing in new data stream.
SV-238294r654057_rule is missing in new data stream.
SV-238330r654165_rule is missing in new data stream.
SV-238335r654180_rule is missing in new data stream.
SV-238336r858538_rule is missing in new data stream.
SV-238358r917812_rule is missing in new data stream.
SV-238365r877379_rule is missing in new data stream.
SV-238366r877378_rule is missing in new data stream.
SV-251505r853450_rule is missing in new data stream.
SV-252704r916433_rule is missing in new data stream.
SV-255912r880905_rule is missing in new data stream.

ghost avatar Aug 12 '24 15:08 ghost

we were already at v1r11, that comparison is misleading

dodys avatar Aug 12 '24 15:08 dodys
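The "missing in new data stream" list above has a second caveat besides the v1r9/v1r11 baseline mix-up: a DISA rule ID such as SV-238198r653769_rule is a stable vuln number (SV-238198) followed by a revision counter (r653769) that DISA bumps whenever it edits the rule, so any comparison keyed on the full ID reports every revised rule as missing. The script below is an added example, not compare_ds.py and not part of this PR or the ComplianceAsCode repository; it diffs two XCCDF benchmarks on the SV number and separates removed, added and revised rules. The two benchmark fragments, their titles and the revision numbers r653772, r958468 and r958470 and the ID SV-270001 are constructed for the example.

```python
"""Diff two DISA STIG XCCDF benchmarks by stable vuln ID instead of full rule ID.

Added example (not compare_ds.py). Rule IDs look like SV-238198r653769_rule:
'SV-238198' identifies the requirement and survives across releases, while
'r653769' is a revision counter that changes whenever DISA edits the rule.
"""
import re
import xml.etree.ElementTree as ET

# Matches the DISA rule ID at the end of an XCCDF 1.1 id ("SV-...r..._rule")
# or an XCCDF 1.2 id ("xccdf_mil.disa.stig_rule_SV-...r..._rule").
RULE_ID_RE = re.compile(r"(SV-\d+)r(\d+)_rule$")

# Constructed sample benchmarks (XCCDF 1.1 layout as used by DISA manual STIGs).
# Revisions r653772/r958468/r958470 and vuln ID SV-270001 are made up for the demo.
OLD_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="old">
  <Group id="V-238198"><Rule id="SV-238198r653769_rule" severity="medium"><title>constructed A</title></Rule></Group>
  <Group id="V-238199"><Rule id="SV-238199r653772_rule" severity="medium"><title>constructed B</title></Rule></Group>
  <Group id="V-238210"><Rule id="SV-238210r917810_rule" severity="high"><title>constructed C</title></Rule></Group>
</Benchmark>"""

NEW_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="new">
  <Group id="V-238198"><Rule id="SV-238198r958468_rule" severity="medium"><title>constructed A, reworded</title></Rule></Group>
  <Group id="V-238199"><Rule id="SV-238199r653772_rule" severity="medium"><title>constructed B</title></Rule></Group>
  <Group id="V-270001"><Rule id="SV-270001r958470_rule" severity="medium"><title>constructed D (new)</title></Rule></Group>
</Benchmark>"""


def _local_name(tag: str) -> str:
    """Strip the namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_rules(xccdf_xml: str) -> dict:
    """Return {vuln_id: (revision, full_rule_id)} for every <Rule> in the benchmark."""
    root = ET.fromstring(xccdf_xml)
    rules = {}
    for elem in root.iter():
        if _local_name(elem.tag) != "Rule":
            continue
        rule_id = elem.get("id", "")
        m = RULE_ID_RE.search(rule_id)
        if m:
            rules[m.group(1)] = (int(m.group(2)), rule_id)
    return rules


def naive_missing(old_xml: str, new_xml: str) -> list:
    """Full-ID comparison: every revised rule is reported as 'missing'."""
    old_ids = {full for _, full in parse_rules(old_xml).values()}
    new_ids = {full for _, full in parse_rules(new_xml).values()}
    return sorted(old_ids - new_ids)


def compare_benchmarks(old_xml: str, new_xml: str) -> dict:
    """Vuln-ID comparison: distinguishes removed, added, revised and unchanged rules."""
    old = parse_rules(old_xml)
    new = parse_rules(new_xml)
    common = set(old) & set(new)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "revised": sorted(v for v in common if old[v][0] != new[v][0]),
        "unchanged": sorted(v for v in common if old[v][0] == new[v][0]),
    }


def report(old_xml: str, new_xml: str) -> list:
    """Human-readable lines for the vuln-ID diff, suitable for a PR comment."""
    diff = compare_benchmarks(old_xml, new_xml)
    lines = []
    for kind in ("removed", "added", "revised", "unchanged"):
        for vuln in diff[kind]:
            lines.append(f"{vuln}: {kind}")
    return lines


if __name__ == "__main__":
    print("full-ID diff reports as missing:", naive_missing(OLD_BENCHMARK, NEW_BENCHMARK))
    print("\n".join(report(OLD_BENCHMARK, NEW_BENCHMARK)))
```

On the constructed sample the full-ID diff lists two "missing" rules, but only SV-238210 was actually dropped; SV-238198 merely received a new revision counter. Run the same comparison against the v1r11 and v1r12 manual benchmarks to get the real delta for the profile update, and treat the "revised" bucket as the rules whose check and fix text needs re-reading.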

Thank you, that's completely true. Seems like we only have v1r9 in the references. I'm having difficulty in finding the v1r11 as DISA doesn't seem to have it archived anywhere. Not sure if there's another source where I could obtain the previous revision?

Other alternative is for me to look through each rule and manually compare but I'm sure there's a better solution than this?

ghost avatar Aug 12 '24 16:08 ghost

here it is 2004-STIG-V1R11.pdf

But you can also check the U_CAN_Ubuntu_20-04_LTS_V1R12_Revision_History.pdf for a summary of the changes

dodys avatar Aug 13 '24 09:08 dodys

This is now already completed in #12501

dodys avatar Oct 18 '24 08:10 dodys