Skip to content

Update RHEL 9 STIG to V2R5#13795

Merged
vojtapolasek merged 8 commits into
ComplianceAsCode:masterfrom
Mab879:rhel9_v2r5
Aug 21, 2025
Merged

Update RHEL 9 STIG to V2R5#13795
vojtapolasek merged 8 commits into
ComplianceAsCode:masterfrom
Mab879:rhel9_v2r5

Conversation

@Mab879
Copy link
Copy Markdown
Member

@Mab879 Mab879 commented Aug 13, 2025

Description:

  • Update RHEL 9 STIG to V2R5

Rationale:

Keeping the STIG up-to-date.

@Mab879 Mab879 added this to the 0.1.78 milestone Aug 13, 2025
@Mab879 Mab879 added RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates. STIG STIG Benchmark related. labels Aug 13, 2025
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 13, 2025
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Aug 13, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jan-cerny jan-cerny self-assigned this Aug 15, 2025
Mab879 added 4 commits August 19, 2025 14:29
@Mab879
Add new rule fips_custom_stig_sub_policy
b73366d 
Signed-off-by: Matthew Burket <mburket@redhat.com>
@Mab879
Clean up rootfiles_configured
f74eb55 
Signed-off-by: Matthew Burket <mburket@redhat.com>
@Mab879
Update RHEL 9 STIG to V2R5
7b2d0fd
@Mab879
Clean up of fips_custom_stig_sub_policy
92bd913
@Mab879 Mab879 force-pushed the rhel9_v2r5 branch 2 times, most recently from 292ab32 to 165868d Compare August 19, 2025 21:58
@Mab879 Mab879 marked this pull request as ready for review August 19, 2025 22:05
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 19, 2025
vojtapolasek
vojtapolasek requested changes Aug 20, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @Mab879 for analyzing changes and submiting this PR.
I am missing the Ansible remediation for the new rule which deals with custom stig subpolicy. Is this intentional?
Also please see my other comments.

Comment thread linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/bash/shared.sh
# strategy = configure
# complexity = low
# disruption = low

Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can you explain what is this good for?

Copy link
Copy Markdown
Member Author

@Mab879 Mab879 Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was to match other uses of this macro, but I have adjust this.

Comment thread linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml
@@ -0,0 +1,27 @@
documentation_complete: true

title: 'Implement STIG Sub Crypto Policy'
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you plan on expanding the description and rationale? Or adding fixtest / checktext?

Copy link
Copy Markdown
Member Author

@Mab879 Mab879 Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sentence is done now.

@Mab879
Copy link
Copy Markdown
Member Author

Mab879 commented Aug 20, 2025

Ansible remediation has been added. Fix and check text is in the policy file.

vojtapolasek
vojtapolasek reviewed Aug 20, 2025
View reviewed changes
Comment thread linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/ansible/shared.yml
- name: "{{{ rule_title }}} - Create custom crypto policy - cipher"
ansible.builtin.lineinfile:
path: /etc/crypto-policies/policies/modules/STIG.pmod
owner: root
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Mab879 please add

create: true

Somewhere in this and the following task.

vojtapolasek
vojtapolasek reviewed Aug 20, 2025
View reviewed changes
Comment thread linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/ansible/shared.yml
# disruption = low

- name: "{{{ rule_title }}} - Create custom crypto policy - cipher"
ansible.builtin.lineinfile:
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also @Mab879 I think we will need a regex parameter for this task. Currently, it appends the line, but it leaves existing (potentially incorrect) lines in tact.
The update-crypto-policies command then fails.

@Mab879 Mab879 requested a review from vojtapolasek August 20, 2025 15:46
vojtapolasek
vojtapolasek approved these changes Aug 21, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now.
I rerun ctest on all products locally and it passes, it seems that Testingfarm has some problems with provisioning of machines.
I also waive the Automatus Fedora test as new rules are not present in fedora product.
I verified that new rules work by running Automatus tests on RHEL 9.

@vojtapolasek vojtapolasek merged commit a4ed5a7 into ComplianceAsCode:master Aug 21, 2025
127 of 131 checks passed
@sync-cac-oscal-bot sync-cac-oscal-bot Bot mentioned this pull request Aug 21, 2025
Merged
@Mab879 Mab879 deleted the rhel9_v2r5 branch August 21, 2025 17:05
This was referenced Aug 25, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vojtapolasek vojtapolasek vojtapolasek approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny is a code owner

Assignees

@vojtapolasek vojtapolasek

Labels

RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates.

Projects

None yet

Milestone

0.1.78

Development

Successfully merging this pull request may close these issues.

3 participants

@Mab879 @vojtapolasek @jan-cerny