content
content copied to clipboard
Published
20 hours ago •
ComplianceAsCode
ComplianceAsCode
Add rhcos4 Profile for BSI Grundschutz
trafficstars
Description:
This PR adds two control files, enhances a profile profile and adds a rule.
Rationale:
Customers were asking for a OpenShift Compliance Operator Profile for BSI. Our current Project Scope was only on SYS1.6. and APP.4.4 Building Blocks (Containers & Kubernetes). But there are more relevant and checkable Buildingblocks. The two biggest ones and most relevant ones are SYS1.1 (General Server) and SYS.1.3 (Linux Server). This PR adds these to enhance the ocp-bsi profile with an rhcos4-bsi profile.
rule only_allow_specific_certs this is a copy and generalization of the only_allow_dod_certs rule. As we have the same requirement i tried to make the rule not specific so it can be reused. I didnt want to change the DOD rule as I do not know, if the phrasing is important in this context
As in OCP4 we follow the scheme of adding one control file per Building Block. As we will have a different one for RHEL9, we postfix them with _rhcos4
Review Hints:
- most of the rules are reused rules from other rhcos4 profiles, thats why it is only one "big" PR, and not several, as it can be tested as a bundle.
Hi @sluetze. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
This datastream diff is auto generated by the check Compare DS/Generate Diff
Click here to see the full diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -226,6 +226,9 @@
[reference]:
SRG-OS-000404-GPOS-00183
+[reference]:
+SYS.1.1.A34
+
[rationale]:
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -76,6 +76,9 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+SYS.1.1.A6
+
[rationale]:
The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -79,6 +79,9 @@
[reference]:
R28
+[reference]:
+SYS.1.1.A6
+
[rationale]:
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -189,6 +189,9 @@
[reference]:
R28
+[reference]:
+SYS.1.1.A6
+
[rationale]:
Placing /var/log in its own partition
enables better separation between log files
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -16,6 +16,9 @@
[reference]:
R28
+[reference]:
+SYS.1.1.A6
+
[rationale]:
The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
@@ -6,6 +6,9 @@
To properly set the group owner of /etc/issue, run the command:
$ sudo chgrp root /etc/issue
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
@@ -5,6 +5,9 @@
[description]:
To properly set the group owner of /etc/issue.net, run the command:
$ sudo chgrp root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
[reference]:
1.2.8
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -6,6 +6,9 @@
To properly set the owner of /etc/issue, run the command:
$ sudo chown root /etc/issue
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -5,6 +5,9 @@
[description]:
To properly set the owner of /etc/issue.net, run the command:
$ sudo chown root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
[reference]:
1.2.8
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
@@ -6,6 +6,9 @@
To properly set the permissions of /etc/issue, run the command:
$ sudo chmod 0644 /etc/issue
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /etc/issue.net, run the command:
$ sudo chmod 0644 /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
[reference]:
1.2.8
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_unique_name'.
--- xccdf_org.ssgproject.content_rule_account_unique_name
+++ xccdf_org.ssgproject.content_rule_account_unique_name
@@ -22,6 +22,9 @@
Req-8.1.1
[reference]:
+SYS.1.3.A2
+
+[reference]:
8.2.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same'.
--- xccdf_org.ssgproject.content_rule_gid_passwd_group_same
+++ xccdf_org.ssgproject.content_rule_gid_passwd_group_same
@@ -196,6 +196,9 @@
[reference]:
SRG-OS-000104-GPOS-00051
+
+[reference]:
+SYS.1.3.A2
[reference]:
8.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
@@ -13,6 +13,9 @@
[reference]:
SRG-OS-000433-GPOS-00193
+[reference]:
+SYS.1.3.A4
+
[rationale]:
Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -26,6 +26,9 @@
[reference]:
R8
+[reference]:
+SYS.1.1.A34
+
[rationale]:
A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
from the hardware number generators available in the system helps fill up the entropy pool.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -188,6 +188,9 @@
R29
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -185,6 +185,9 @@
[reference]:
R29
+
+[reference]:
+SYS.1.3.A14
[reference]:
2.2.6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -188,6 +188,9 @@
R29
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -184,6 +184,9 @@
R29
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -177,6 +177,9 @@
R29
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -177,6 +177,9 @@
R29
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -151,6 +151,9 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -150,6 +150,9 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. Non-root users who read the boot parameters
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -151,5 +151,8 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Only root should be able to modify important boot parameters.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -150,6 +150,9 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Only root should be able to modify important boot parameters. Also, non-root users who read
the boot parameters may be able to identify weaknesses in security upon boot and be able to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -143,6 +143,9 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Proper permissions ensure that only the root user can modify important boot
parameters.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -143,6 +143,9 @@
[reference]:
R29
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Proper permissions ensure that only the root user can read or modify important boot
parameters.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -19,6 +19,9 @@
[reference]:
SRG-OS-000095-GPOS-00049
+[reference]:
+SYS.1.1.A5
+
[rationale]:
Disabling FireWire protects the system against exploitation of any
flaws in its implementation.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
@@ -327,6 +327,9 @@
[reference]:
PR.PT-4
+[reference]:
+SYS.1.1.A6
+
[rationale]:
Disabling the bluetooth service prevents the system from attempting
connections to Bluetooth devices, which entails some security risk.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -309,6 +309,9 @@
[reference]:
SRG-OS-000300-GPOS-00118
+[reference]:
+SYS.1.1.A6
+
[rationale]:
If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
@@ -28,6 +28,9 @@
[reference]:
AC-18(4)
+[reference]:
+SYS.1.1.A6
+
[rationale]:
If Wireless functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
@@ -28,6 +28,9 @@
[reference]:
AC-18(4)
+[reference]:
+SYS.1.1.A6
+
[rationale]:
If Wireless functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
@@ -28,6 +28,9 @@
[reference]:
AC-18(4)
+[reference]:
+SYS.1.1.A6
+
[rationale]:
If Wireless functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
@@ -28,6 +28,9 @@
[reference]:
AC-18(4)
+[reference]:
+SYS.1.1.A6
+
[rationale]:
If Wireless functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_in_bios'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
+++ xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
@@ -290,6 +290,9 @@
[reference]:
PR.PT-4
+[reference]:
+SYS.1.1.A6
+
[rationale]:
Disabling wireless support in the BIOS prevents easy
activation of the wireless interface, generally requiring administrators
New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -325,6 +325,9 @@
[reference]:
SRG-OS-000481-GPOS-00481
+
+[reference]:
+SYS.1.1.A6
[reference]:
1.3.3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable'.
--- xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
+++ xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
@@ -172,6 +172,9 @@
R54
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
@@ -18,6 +18,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
@@ -17,6 +17,9 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
@@ -18,6 +18,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
@@ -15,6 +15,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
@@ -167,6 +167,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
@@ -15,6 +15,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -18,6 +18,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -17,6 +17,9 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -18,6 +18,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -18,6 +18,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -167,6 +167,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -174,6 +174,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -15,6 +15,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
@@ -19,6 +19,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
@@ -15,6 +15,9 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
@@ -19,6 +19,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
@@ -19,6 +19,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_group
@@ -175,6 +175,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
@@ -168,6 +168,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
@@ -175,6 +175,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
@@ -175,6 +175,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
@@ -15,6 +15,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
The /etc/shells file contains the list of full pathnames to shells on the system.
Since this file is used by many system programs this file should be protected.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -278,6 +278,9 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+SYS.1.3.A3
+
[rationale]:
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_disable_usb_boot'.
--- xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
+++ xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
@@ -111,6 +111,9 @@
[reference]:
PR.AC-6
+[reference]:
+SYS.1.3.A3
+
[rationale]:
Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
@@ -136,6 +136,12 @@
[reference]:
PR.AC-6
+[reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
[rationale]:
Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_nousb_argument
+++ xccdf_org.ssgproject.content_rule_grub2_nousb_argument
@@ -136,6 +136,9 @@
[reference]:
PR.AC-6
+[reference]:
+SYS.1.3.A3
+
[rationale]:
Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
@@ -249,6 +249,12 @@
SRG-APP-000141-CTR-000315
[reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
+[reference]:
3.4.2
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
@@ -130,6 +130,9 @@
R9
[reference]:
+SYS.1.3.A4
+
+[reference]:
3.3.1.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions'.
--- xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
+++ xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
@@ -78,6 +78,9 @@
SRG-APP-000450-CTR-001105
[reference]:
+SYS.1.3.A4
+
+[reference]:
2.2.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
@@ -12,6 +12,9 @@
[reference]:
SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
[reference]:
CNTR-OS-000560
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
@@ -12,6 +12,9 @@
[reference]:
SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
[reference]:
CNTR-OS-000560
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed'.
--- xccdf_org.ssgproject.content_rule_package_libselinux_installed
+++ xccdf_org.ssgproject.content_rule_package_libselinux_installed
@@ -6,6 +6,18 @@
The libselinux package can be installed with the following command:
$ sudo dnf install libselinux
+
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
[reference]:
1.2.6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux'.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -483,6 +483,18 @@
PR.PT-4
[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
1.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons'.
--- xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
+++ xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
@@ -450,6 +450,15 @@
PR.PT-3
[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
1.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -16,6 +16,18 @@
and give the administrator the opportunity to assess the impact and necessary efforts
before setting it to "enforcing", which is strongly recommended.
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
[rationale]:
Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux
controls without a system reboot. It also avoids labeling any persistent objects such as
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype'.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -518,6 +518,15 @@
APP.4.4.A4
[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
SYS.1.6.A3
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_state'.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -516,6 +516,15 @@
APP.4.4.A4
[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
SYS.1.6.A3
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
@@ -171,6 +171,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
@@ -13,5 +13,8 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
@@ -13,6 +13,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_config
@@ -171,6 +171,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -13,5 +13,8 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -13,6 +13,9 @@
[reference]:
R50
+[reference]:
+SYS.1.3.A14
+
[rationale]:
If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -172,6 +172,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
@@ -186,6 +186,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
@@ -184,6 +184,9 @@
R50
[reference]:
+SYS.1.3.A14
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -388,6 +388,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SYS.1.3.A8
+
+[reference]:
2.2.6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -428,6 +428,9 @@
[reference]:
R33
+
+[reference]:
+SYS.1.3.A8
[reference]:
2.2.6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -33,6 +33,9 @@
[reference]:
SRG-OS-000108-GPOS-00055
+[reference]:
+SYS.1.3.A8
+
[rationale]:
Without the use of multifactor authentication, the ease of access to
privileged functions is greatly increased. Multifactor authentication
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -207,6 +207,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -575,6 +575,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
@@ -18,6 +18,9 @@
SRG-APP-000092-CTR-000165
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000170
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_option'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_option
+++ xccdf_org.ssgproject.content_rule_coreos_audit_option
@@ -339,6 +339,9 @@
SRG-APP-000092-CTR-000165
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000170
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -390,6 +390,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1.3
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -572,6 +572,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -589,6 +589,12 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -589,6 +589,12 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -595,6 +595,12 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -604,6 +604,12 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -589,6 +589,12 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
10.2.1.5
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
@@ -12,6 +12,9 @@
[reference]:
SRG-OS-000063-GPOS-00032
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -17,6 +17,9 @@
[reference]:
SRG-OS-000063-GPOS-00032
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
@@ -334,6 +334,9 @@
[reference]:
SRG-APP-000118-CTR-000240
+
+[reference]:
+SYS.1.3.A14
[reference]:
10.3.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
@@ -15,6 +15,9 @@
[reference]:
SRG-OS-000063-GPOS-00032
+[reference]:
+SYS.1.3.A14
+
[rationale]:
Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -340,6 +340,9 @@
SRG-APP-000118-CTR-000240
[reference]:
+SYS.1.3.A14
+
+[reference]:
10.3.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -439,6 +439,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -442,6 +442,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -439,6 +439,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -439,6 +439,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -445,6 +445,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -442,6 +442,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -466,6 +466,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -460,6 +460,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -442,6 +442,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -472,6 +472,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -460,6 +460,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -471,6 +471,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -436,6 +436,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.3.4
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -285,6 +285,9 @@
SRG-APP-000502-CTR-001270
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -386,6 +386,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1.3
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -413,6 +413,9 @@
R73
[reference]:
+SYS.1.1.A10
+
+[reference]:
10.2.1.3
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
@@ -29,6 +29,9 @@
[reference]:
CM-6(a)
+[reference]:
+SYS.1.1.A10
+
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -300,6 +300,9 @@
SRG-APP-000502-CTR-001270
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
@@ -288,6 +288,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
@@ -261,6 +261,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
@@ -291,6 +291,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
@@ -63,6 +63,9 @@
SRG-APP-000029-CTR-000085
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
@@ -56,6 +56,9 @@
[reference]:
CM-6(a)
+[reference]:
+SYS.1.1.A10
+
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
@@ -291,6 +291,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
@@ -56,6 +56,9 @@
[reference]:
CM-6(a)
+[reference]:
+SYS.1.1.A10
+
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
@@ -266,6 +266,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
@@ -291,6 +291,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
@@ -261,6 +261,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
@@ -261,6 +261,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
@@ -231,6 +231,9 @@
SRG-APP-000502-CTR-001270
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000950
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
@@ -264,6 +264,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
@@ -276,6 +276,9 @@
SRG-OS-000755-GPOS-00220
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
@@ -276,6 +276,9 @@
R33
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
@@ -264,6 +264,9 @@
SRG-OS-000755-GPOS-00220
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
@@ -258,6 +258,9 @@
SRG-APP-000029-CTR-000085
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
@@ -312,6 +312,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
@@ -261,6 +261,9 @@
SRG-APP-000495-CTR-001235
[reference]:
+SYS.1.1.A10
+
+[reference]:
CNTR-OS-000930
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
@@ -56,6 +56,9 @@
[reference]:
CM-6(a)
+[reference]:
+SYS.1.1.A10
+
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Code Climate has analyzed commit deee809c and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 62.0% (0.0% change).
View more on Code Climate.
![qlty-cloud-legacy[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
/test 4.16-e2e-aws-rhcos4-bsi /test 4.17-e2e-aws-rhcos4-bsi /test 4.18-e2e-aws-rhcos4-bsi
@sluetze: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/4.16-e2e-aws-rhcos4-bsi | deee809c793f5e0654ad38558264a72471bebc89 | link | true | /test 4.16-e2e-aws-rhcos4-bsi |
| ci/prow/4.18-e2e-aws-rhcos4-bsi | deee809c793f5e0654ad38558264a72471bebc89 | link | true | /test 4.18-e2e-aws-rhcos4-bsi |
| ci/prow/4.17-e2e-aws-rhcos4-bsi | deee809c793f5e0654ad38558264a72471bebc89 | link | true | /test 4.17-e2e-aws-rhcos4-bsi |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:
/test 4.12-e2e-aws-ocp4-cis
/test 4.12-e2e-aws-ocp4-cis-node
/test 4.12-e2e-aws-ocp4-e8
/test 4.12-e2e-aws-ocp4-high
/test 4.12-e2e-aws-ocp4-high-node
/test 4.12-e2e-aws-ocp4-moderate
/test 4.12-e2e-aws-ocp4-moderate-node
/test 4.12-e2e-aws-ocp4-pci-dss
/test 4.12-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.12-e2e-aws-ocp4-stig
/test 4.12-e2e-aws-ocp4-stig-node
/test 4.12-e2e-aws-rhcos4-e8
/test 4.12-e2e-aws-rhcos4-high
/test 4.12-e2e-aws-rhcos4-moderate
/test 4.12-e2e-aws-rhcos4-stig
/test 4.12-images
/test 4.13-e2e-aws-ocp4-bsi
/test 4.13-e2e-aws-ocp4-bsi-node
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-bsi
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-e2e-aws-ocp4-bsi
/test 4.14-e2e-aws-ocp4-bsi-node
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-rhcos4-bsi
/test 4.14-images
/test 4.15-e2e-aws-ocp4-bsi
/test 4.15-e2e-aws-ocp4-bsi-node
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-bsi
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node
/test 4.15-images
/test 4.16-e2e-aws-ocp4-bsi
/test 4.16-e2e-aws-ocp4-bsi-node
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-bsi
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-cis-node
/test 4.17-e2e-aws-ocp4-e8
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high-node
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate-node
/test 4.17-e2e-aws-ocp4-pci-dss
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-node
/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-e8
/test 4.17-e2e-aws-rhcos4-high
/test 4.17-e2e-aws-rhcos4-moderate
/test 4.17-e2e-aws-rhcos4-stig
/test 4.17-images
/test 4.18-e2e-aws-ocp4-bsi
/test 4.18-e2e-aws-ocp4-bsi-node
/test 4.18-e2e-aws-ocp4-cis
/test 4.18-e2e-aws-ocp4-cis-node
/test 4.18-e2e-aws-ocp4-e8
/test 4.18-e2e-aws-ocp4-high
/test 4.18-e2e-aws-ocp4-high-node
/test 4.18-e2e-aws-ocp4-moderate
/test 4.18-e2e-aws-ocp4-moderate-node
/test 4.18-e2e-aws-ocp4-pci-dss
/test 4.18-e2e-aws-ocp4-pci-dss-4-0
/test 4.18-e2e-aws-ocp4-pci-dss-node
/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.18-e2e-aws-ocp4-stig
/test 4.18-e2e-aws-ocp4-stig-node
/test 4.18-e2e-aws-rhcos4-bsi
/test 4.18-e2e-aws-rhcos4-e8
/test 4.18-e2e-aws-rhcos4-high
/test 4.18-e2e-aws-rhcos4-moderate
/test 4.18-e2e-aws-rhcos4-stig
/test 4.18-images
/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-arm
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-4-0
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-pci-dss-node-4-0
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-bsi
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-ComplianceAsCode-content-master-4.12-images
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-4.17-images
pull-ci-ComplianceAsCode-content-master-4.18-images
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/lgtm
Pre-merge verification steps:
- Verify profile rhcos4-bsi-2022 exists:
$ oc get profiles |grep rhcos4-bsi
upstream-rhcos4-bsi 80m 2022
upstream-rhcos4-bsi-2022 80m 2022
- Verify rule only-allow-specific-certs exists and is part of the profile rhcos4-bsi
$ oc get rules |grep only-allow-specific-certs
upstream-rhcos4-only-allow-specific-certs 82m
$ oc describe profile upstream-rhcos4-bsi-2022 |grep only-allow
upstream-rhcos4-only-allow-specific-certs
- Read the profile and rule description and see whether they are correctly associated
$ oc describe profile upstream-rhcos4-bsi-2022
...
$ oc describe rule upstream-rhcos4-only-allow-specific-certs
...
- Perform a compliance scan using these profiles, check whether the autoremediation works and see the results of the scan
→ These have been checked by running test cases 80570 (Create and check scans for ocp4 and rhcos4 BSI profiles) and 80578 (Check the autoremediation works for BSI profiles) locally - Both test cases have PASSed and logs could be found in PR #23941 in the openshift-test-private repo.
