
chainguard-security-guide: update to CG stig 3.2.2, add tests

Open stevebeattie opened this issue 7 months ago • 0 comments

v3.2.2 release tightens up the package pattern match in the Remote Services check to avoid false positives.

Also add tests of individual rules and checks to ensure that we don't regress in the future:

  • ensure the certificate bundle hash passes / commit matches (will fail on updates to ca-certificates as the stig will need to be updated)

  • ensure the "no remote services" check passes even when python 3.12 with telnetlib.py in the standard python library is installed (telnetlib.py was removed in python 3.13, will need to come up with a different check then).

Ref: https://github.com/chainguard-dev/stigs/pull/14

Ref: https://github.com/chainguard-dev/prodsec/issues/220

stevebeattie, May 28 '25 20:05