Skip to content

new rule sysctl_use_max_user_namespaces_no_remediation#13351

Merged
jan-cerny merged 3 commits into
ComplianceAsCode:masterfrom
vojtapolasek:add_sysctl_user_max_user_namespaces_no_remediation
Apr 17, 2025
Merged

new rule sysctl_use_max_user_namespaces_no_remediation#13351
jan-cerny merged 3 commits into
ComplianceAsCode:masterfrom
vojtapolasek:add_sysctl_user_max_user_namespaces_no_remediation

Conversation

@vojtapolasek
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek commented Apr 17, 2025

Description:

  • add new rule which is identical to syscl_user_max_user_namespaces but it lacks remediation
  • point to this rule as an alternative from sysctl_user_max_user_namespaces
  • replace all occurences of this rule in RHEL STIG profiles by the no_remediate vrsion, including stig_gui profiles

Rationale:

  • this is a ballance between giving users ability to not remediate the rule and see its real check result at the same time

Review Hints:

  • use automatus to test STIG profile and the new rule separately

@vojtapolasek
add new rule sysctl_user_max_user_namespaces_no_remediation
0d1d167 
This rule is almost the same as syscl_user_max_user_namespaces, but it does not contain any remediation
@vojtapolasek
sysctl_user_max_user_namespaces: remove STIG specific policy and stig…
9259516 
… references as it is no longer part of stig

also add warning pointing to the alternative rule without a remediation
@vojtapolasek
RHEL STIG profiles: use sysctl_user_max_user_namespaces_no_remediatio…
ea4907e 
…n everywhere
@vojtapolasek vojtapolasek added New Rule Issues or pull requests related to new Rules. RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. Update Profile Issues or pull requests related to Profiles updates. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related. labels Apr 17, 2025
@vojtapolasek vojtapolasek added this to the 0.1.77 milestone Apr 17, 2025
@vojtapolasek vojtapolasek changed the title new rule syscl_use_max_user_namespaces_no_remediation new rule sysctl_use_max_user_namespaces_no_remediation Apr 17, 2025
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 17, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces'.
--- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
+++ xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
@@ -14,9 +14,11 @@
 to large non-zero value.
 
 [warning]:
-This configuration baseline was created to deploy the base operating system for general purpose
-workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
-it is expected that user.max_user_namespaces will be enabled.
+Remediation of this rule might impair or prevent functionality of certain applications.
+This stands especially for general container usage and for certain desktop applications.
+There is an alternative rule which performs the same check but it intentionally lacks the remediation part.
+If needed, you can use the rule sysctl_user_max_user_namespaces_no_remediation.
+In that case, ensure that such use case is properly documented.
 
 [reference]:
 CCI-000366
@@ -33,12 +35,6 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
-[reference]:
-RHEL-08-040284
-
-[reference]:
-SV-230548r1017310_rule
-
 [rationale]:
 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
 These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
+++ xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
@@ -3,7 +3,6 @@
     manager: auto
   tags:
   - CCE-82211-4
-  - DISA-STIG-RHEL-08-040284
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SC-39
   - disable_strategy
@@ -26,7 +25,6 @@
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-82211-4
-  - DISA-STIG-RHEL-08-040284
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SC-39
   - disable_strategy
@@ -45,7 +43,6 @@
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-82211-4
-  - DISA-STIG-RHEL-08-040284
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SC-39
   - disable_strategy
@@ -65,7 +62,6 @@
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-82211-4
-  - DISA-STIG-RHEL-08-040284
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SC-39
   - disable_strategy

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 17, 2025

@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.14-images ea4907e link true /test 4.14-images
ci/prow/4.15-images ea4907e link true /test 4.15-images
ci/prow/4.13-images ea4907e link true /test 4.13-images
ci/prow/4.18-images ea4907e link true /test 4.18-images
ci/prow/4.12-images ea4907e link true /test 4.12-images
ci/prow/4.17-images ea4907e link true /test 4.17-images
ci/prow/4.16-images ea4907e link true /test 4.16-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Apr 17, 2025

Code Climate has analyzed commit ea4907e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny self-assigned this Apr 17, 2025
jan-cerny
jan-cerny approved these changes Apr 17, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have run test scenarios. Also, I have verified that the removed rule is still part of RHEL 8 and 9 data streams because it's part of OSPP and CUI profiles.

@jan-cerny jan-cerny merged commit 7ae816c into ComplianceAsCode:master Apr 17, 2025
93 of 109 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 is a code owner

Assignees

@jan-cerny jan-cerny

Labels

New Rule Issues or pull requests related to new Rules. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates. Update Rule Issues or pull requests related to Rules updates.

Projects

None yet

Milestone

0.1.77

Development

Successfully merging this pull request may close these issues.

2 participants

@vojtapolasek @jan-cerny