content
content copied to clipboard
ComplianceAsCode
Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule
Description:
Updated Ansible remediation
Add 'variables' clause and OL9 platform in header of the following tests stig_correct.pass.sh stig_correct_commented.fail.sh stig_correct_followed_by_incorrect_commented.pass.sh stig_empty_file.fail.sh stig_empty_policy.fail.sh stig_incorrect_followed_by_correct_commented.fail.sh stig_incorrect_policy.fail.sh stig_missing_file.fail.sh
Rationale:
In the task filling gaps in OL9 automation, the rule harden_sshd_ciphers_openssh_conf_crypto_policy has a remediation deficit with ansible. The Ansible remediation already existed; it just needed OL9 added to the "platform" clause. The test update is to align the test with best practices, since the profile can generate inconsistencies in the test because the variable may have a different value in the profile than the one used in the test, this can cause the test to fail.
Hi @mrkanon. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Start a new ephemeral environment with changes proposed in this pull request:
rhel8 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12324
This image was built from commit: b5f83672d0d5b284e3e25d802def18bdcf28a5fc
Click here to see how to deploy it
If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12324
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12324 make deploy-local
Code Climate has analyzed commit b5f83672 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
View more on Code Climate.
![qlty-cloud-legacy[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thanks for the PR.
What was the reasoning behind moving to variable vs profile in the tests?
Thanks for the PR.
What was the reasoning behind moving to
variablevsprofilein the tests?
This is because the "*.pass.sh" tests fails when it should pass, because the variable evaluated in the test may be different than the value in the profile. The change in the remaining tests is to maintain consistency.
Waving the two failing automatus CI checks since SLE15 and Ubuntu don't have crypto policy rules.