Skip to content

Implement rules for /etc/security/opasswd permissions #12693

Merged
dodys merged 2 commits into
ComplianceAsCode:masterfrom
mpurg:ubuntu2404_cis_7.1.10
Dec 10, 2024
Merged

Implement rules for /etc/security/opasswd permissions #12693
dodys merged 2 commits into
ComplianceAsCode:masterfrom
mpurg:ubuntu2404_cis_7.1.10

Conversation

@mpurg
Copy link
Copy Markdown
Contributor

@mpurg mpurg commented Dec 10, 2024
edited
Loading

Description:

  • Satisfies Ubuntu 24.04 CIS v1 recommendation 7.1.10 (Ensure permissions on /etc/security/opasswd are configured)
  • New rules:
    • file_groupowner_etc_security_opasswd
    • file_owner_etc_security_opasswd
    • file_permissions_etc_security_opasswd
    • file_groupowner_etc_security_opasswd_old
    • file_owner_etc_security_opasswd_old
    • file_permissions_etc_security_opasswd_old

Rationale:

  • The Ubuntu 24.04 CIS v1 recommendation 7.1.10 requires ownership and permissions to be set on both opasswd and opasswd.old. The existing rule file_etc_security_opasswd satisfies half of the requirement, but, since the implementation is not consistent with other similar rules (not using template or tests), both requirements were implemented as new rules instead of extending the existing rule.

mpurg added 2 commits December 10, 2024 09:25
@mpurg
Implement rules for /etc/security/opasswd permissions
6988f21 
New rules:
- file_groupowner_etc_security_opasswd
- file_owner_etc_security_opasswd
- file_permissions_etc_security_opasswd
- file_groupowner_etc_security_opasswd_old
- file_owner_etc_security_opasswd_old
- file_permissions_etc_security_opasswd_old

Note: The Ubuntu 24.04 CIS v1 recommendation 7.1.10 requires
ownership and permissions to be set on both opasswd and opasswd.old.
The existing rule `file_etc_security_opasswd` satisfies half of the
requirement, but, since the implementation is not consistent with other
similar rules (not using template or tests), both requirements
were implemented as new rules instead.
@mpurg
Add rules to ubuntu2404 CIS control 7.1.10
867ef8d
@mpurg mpurg requested a review from a team as a code owner December 10, 2024 08:28
@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Dec 10, 2024
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Dec 10, 2024

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 10, 2024

Start a new ephemeral environment with changes proposed in this pull request:

ubuntu2404 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Dec 10, 2024

Code Climate has analyzed commit 867ef8d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@dodys dodys self-assigned this Dec 10, 2024
@dodys dodys added Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates. CIS CIS Benchmark related. labels Dec 10, 2024
@dodys dodys added this to the 0.1.76 milestone Dec 10, 2024
@dodys dodys added the New Rule Issues or pull requests related to new Rules. label Dec 10, 2024
dodys
dodys approved these changes Dec 10, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit db834ce into ComplianceAsCode:master Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels

CIS CIS Benchmark related. needs-ok-to-test Used by openshift-ci bot. New Rule Issues or pull requests related to new Rules. Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates.

Projects

None yet

Milestone

0.1.76

Development

Successfully merging this pull request may close these issues.

2 participants

@mpurg @dodys