Skip to content

Inital RHEL 10 STIG#11793

Merged
jan-cerny merged 30 commits into
ComplianceAsCode:masterfrom
Mab879:rhel10_init_stig
Apr 17, 2024
Merged

Inital RHEL 10 STIG#11793
jan-cerny merged 30 commits into
ComplianceAsCode:masterfrom
Mab879:rhel10_init_stig

Conversation

@Mab879
Copy link
Copy Markdown
Member

@Mab879 Mab879 commented Apr 4, 2024
edited
Loading

Description:

Create the initial RHEL 10 STIG profile.

This is a draft based on RHEL 9.

@Mab879 Mab879 added New Profile Issues or pull requests related to new Profiles. STIG STIG Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Apr 4, 2024
@Mab879 Mab879 added this to the 0.1.73 milestone Apr 4, 2024
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 4, 2024
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 4, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 4, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 4, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11793
This image was built from commit: ec615c1

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11793

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11793 make deploy-local

@Mab879 Mab879 force-pushed the rhel10_init_stig branch from 313c5ab to 7d2d8bd Compare April 8, 2024 20:46
@Mab879 Mab879 marked this pull request as ready for review April 15, 2024 17:22
@Mab879 Mab879 requested a review from a team as a code owner April 15, 2024 17:22
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 15, 2024
jan-cerny
jan-cerny requested changes Apr 16, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look fine to me

Please rebase this PR on the top of the master branch which should bring in the sssd_enable_pam_service that should make the TF tests green.

@jan-cerny jan-cerny self-assigned this Apr 16, 2024
Mab879 added 16 commits April 16, 2024 10:42
@Mab879
Add Inital RHEL 10 STIG Profile
a1beba2
@Mab879
Remove account_emergency_expire_date from SRG-OS-000002-GPOS-00002
5c05981 
To follow recent STIGs from DISA.
@Mab879
Add configure_tmux_lock_keybinding to SRG-OS-000030-GPOS-00011
874bd66 
This allow the user to lock the session easily.
Also part of recent STIGs.
@Mab879
Update SRG-OS-000037-GPOS-00015
22810ff 
To include more commands to audit
@Mab879
Remove account_unique_id from SRG-OS-000042-GPOS-00020
4b34c92 
It shouldn't be here.
It does not belong.
@Mab879
Add sudo and su auditing to SRG-OS-000064-GPOS-00033
8a68a5a
@Mab879
Add status to does not meet from SRG-OS-000191-GPOS-00080
5afd656
@Mab879
Pull account_emergency_expire_date from SRG GPOS
33e6a6e 
To match the latest STIGs.
@Mab879
Update SSH version to 9.6 in SRG GPOS
e61517b
@Mab879
Remove atm and cramfs from SRG-OS-000095-GPOS-00049
56b859d 
As there are not in RHEL 10.
@Mab879
Add tftp and telnet-server removed to SRG-OS-000074-GPOS-00042
41a0466
@Mab879
Move SRG-OS-000080-GPOS-00048 to use account_temp_expire_date
caff136 
Keep in line with the rest of the STIG
@Mab879
Update SRG-OS-000095-GPOS-00049
8aafdef 
Move sendmail to mailx
@Mab879
Add firewalld_sshd_port_enabled to SRG-OS-000096-GPOS-00050
85cc8be
@Mab879
Move configure_opensc_card_drivers around in SRG GPOS
9ec0c14
@Mab879
Clean up the ocil in group_unique_id
eeda57b 
It was mixing up group name and GID
Mab879 added 14 commits April 16, 2024 10:42
@Mab879
Add group_unique to SRG-OS-000-121-GPOS-00062
8ba4613
@Mab879
Fix SRG-OS-000095-GPOS-00049
fa5fe36
@Mab879
Clean up SRG-OS-000163-GPOS-00072
556d54b 
* Set timeout to 15 minutes to match the SRG
* Remove old text
@Mab879
Update SRG-OS-000191-GPOS-00080
c5233ba 
* Add package_mcafeetp_installed as other STIGs have this here
@Mab879
Remove extraous text from SRG-OS-000228-GPOS-00088
13e5d97
@Mab879
Update title for wireless_disable_interfaces
b5812c1 
To match the other STIGs.
@Mab879
Clean up title for SRG-OS-000276-GPOS-00106
ed65fb6
@Mab879
Add accounts_tmout to SRG-OS-000279-GPOS-00109
eb96755 
Better covers the requirement and matches the other STIGs
@Mab879
Move all variables for SRG-OS-GPOS-000343-00134
40c1313 
Put variables in the correct file.
@Mab879
Ensure that ensure_oracle_gpgkey_installed is only for OL products in…
aed0812 
… srg_gpos
@Mab879
Add AIDE to SRG-OS-000445-GPOS-00199
3517a70 
To match other STIGs
@Mab879
Add audit_rules_privileged_commands_rmmod to SRG-OS-000471-GPOS-00216
cc99653
@Mab879
Add rmmod and modprobe auditing to SRG-OS-000477-GPOS-00222
b073fc5
@Mab879
Set SRG-OS-000480-GPOS-00230 to does not meet
ec615c1 
Currently this project does have any rules to fix this.
Based on RHEL 9 STIG.
@Mab879 Mab879 force-pushed the rhel10_init_stig branch from d4721f6 to ec615c1 Compare April 16, 2024 15:43
@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Apr 16, 2024

Code Climate has analyzed commit ec615c1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.2% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 requested a review from jan-cerny April 16, 2024 18:31
@jan-cerny jan-cerny merged commit 207ef1c into ComplianceAsCode:master Apr 17, 2024
@Mab879 Mab879 deleted the rhel10_init_stig branch April 17, 2024 12:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels

New Profile Issues or pull requests related to new Profiles. RHEL10 Red Hat Enterprise Linux 10 product related. STIG STIG Benchmark related.

Projects

None yet

Milestone

0.1.73

Development

Successfully merging this pull request may close these issues.

2 participants

@Mab879 @jan-cerny