Fix OVAL for rule apt_conf_disallow_unauthenticated#11863
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: debian10 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
This datastream diff is auto generated by the check Click here to see the full diffOVAL for rule 'xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated' differs.
--- oval:ssg-apt_conf_disallow_unauthenticated:def:1
+++ oval:ssg-apt_conf_disallow_unauthenticated:def:1
@@ -1,3 +1,2 @@
-criteria OR
-criterion oval:ssg-test_unauthenticated_apt_conf:tst:1
-criterion oval:ssg-test_unauthenticated_apt_conf_d:tst:1
+criteria AND
+criterion oval:ssg-test_apt_conf_disallow_unauthenticated:tst:1 |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
7d3b4f2 to
a7dae0f
Compare
The previous oval was checking for existence of unwanted values
(yes,true,True) in a parameter and failed to catch others:
- value=1
- quoted values ("yes", "true", "True")
- case permutations of values yes or true
- case permutations of keyword APT::Get::AllowUnauthenticated
- different usage of keyword (see tests wrong_value2.fail.sh)
The new version checks for the existence of case-insensitive
AllowUnauthenticated keyword. It passes if it either doesn't
exist, or is well-defined to "false".
a7dae0f to
0cce7d7
Compare
|
Code Climate has analyzed commit 0cce7d7 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
/packit build |
Description:
Reversed the logic in
apt_conf_disallow_unauthenticatedOVAL to pass when good values of the parameterAllowUnauthenticatedare present or the parameter is undefined, instead of checking that the wrong values are not present. This also better aligns the rule with STIG UBTU-22-214010.Rationale:
The previous oval was checking for existence of unwanted values (yes,true,True) in the parameter, failing to catch others, like:
The new version checks for the existence of case-insensitive AllowUnauthenticated keyword. It passes if it either doesn't
exist, or is well-defined to "false".