
[do not merge] Build SCE content by default in rhel9 and rhel10 products

Open jan-cerny opened this issue 1 year ago • 5 comments

Description:

Build SCE checks into RHEL 9 and RHEL 10 data streams by default.

Rationale:

This change supports building bootable container images based on RHEL 9 and 10 (and CentOS Stream 9 and 10).

SCE checks will be used during the image build for the rules for which the classic OVAL checks don't work in a container build environment (mainly service enabled/disabled rules).

Review Hints:

Build the RHEL 10 and RHEL 9 products and verify visually that SCE extended components are present in the built data stream.

Then, you can download the built scap-security-guide RPMs EL9 from Packit from COPR and verify visually that SCE extended components are present in the shipped data stream.

wget .....
rpm2cpio $rpm | cpio -ivdm
vim ./usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

jan-cerny avatar Oct 11 '24 13:10 jan-cerny

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] avatar Oct 11 '24 13:10 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Oct 11 '24 13:10 github-actions[bot]

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

github-actions[bot] avatar Oct 11 '24 13:10 github-actions[bot]

The problem is that:

The following requirements and recommendations apply to the xccdf:check element:

Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.

OVAL checking system

Use of the OVAL checking system SHALL be indicated by setting the xccdf:check element's @system attribute to "http://oval.mitre.org/XMLSchema/oval-definitions-5".

jan-cerny avatar Oct 17 '24 12:10 jan-cerny
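
The visual check from the review hints and the conformance concern quoted above can both be done mechanically. The following is an added example, not code from this pull request or the project: it counts xccdf:check elements by @system, lists rules that use a system other than OVAL or OCIL, and counts extended components. The sample data stream is constructed, and the SCE and OCIL system URIs and the XML namespaces are assumptions taken from the OpenSCAP and SCAP 1.2 schemas, not from this page.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OCIL = "http://scap.nist.gov/schema/ocil/2"   # assumption: not quoted on the page
SCE = "http://open-scap.org/page/SCE"         # assumption: not quoted on the page

# Constructed, heavily trimmed stand-in for a built data stream (not real content).
SAMPLE_DS = f"""<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="xccdf"><Benchmark id="sample_benchmark">
    <Rule id="rule_oval_only"><check system="{OVAL}"/></Rule>
    <Rule id="rule_service_enabled">
      <check system="{SCE}"/>
      <check system="{OVAL}"/>
    </Rule>
  </Benchmark></ds:component>
  <ds:extended-component id="sce_script"><script>placeholder</script></ds:extended-component>
</ds:data-stream-collection>"""


def audit_data_stream(xml_text):
    """Return (checks per system, rules using non-OVAL/OCIL systems, extended component count)."""
    root = ET.fromstring(xml_text)
    systems = Counter()
    non_scap = []  # (rule id, check system) pairs outside OVAL and OCIL
    for rule in root.iter(XCCDF + "Rule"):
        # iter() also reaches checks nested inside complex-check elements
        for check in rule.iter(XCCDF + "check"):
            system = check.get("system", "")
            systems[system] += 1
            if system not in (OVAL, OCIL):
                non_scap.append((rule.get("id"), system))
    extended = sum(1 for _ in root.iter(DS + "extended-component"))
    return systems, non_scap, extended


if __name__ == "__main__":
    systems, non_scap, extended = audit_data_stream(SAMPLE_DS)
    for system, count in systems.most_common():
        print(f"{count:5d}  {system}")
    print(f"extended components: {extended}")
    for rule_id, system in non_scap:
        print(f"outside OVAL/OCIL: {rule_id} -> {system}")
```

To run it against a built or unpacked data stream, pass the file's contents (for example ssg-rhel9-ds.xml read as text) to audit_data_stream instead of SAMPLE_DS.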

I have rebased this PR on the top of the latest upstream master branch.

jan-cerny avatar Oct 23 '24 08:10 jan-cerny

Code Climate has analyzed commit 7c812c3d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Oct 23 '24 09:10 qlty-cloud-legacy[bot]