Detect non-existent PATH directories in RHEL 9 CIS #13991

Merged: Mab879 merged 1 commit into ComplianceAsCode:master from jan-cerny:RHEL-102330 on Oct 7, 2025

Conversation

@jan-cerny (Collaborator)
This commit better aligns our RHEL 9 CIS profiles with the RHEL 9 CIS Benchmark 2.0 requirement 5.4.2.5 "Ensure root path integrity". CIS Benchmark requires that all directories in the root user's PATH variable are owned by root and are existing directories. Based on this requirement we add the rules no_dirs_unowned_by_root and root_path_all_dirs to the profile selections. Moreover, we enhance OVAL in root_path_all_dirs so that the check fails if any of the paths specified in PATH don't exist. We add a new test scenario covering this situation.

Resolves: https://issues.redhat.com/browse/RHEL-102330
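The requirement described above (every entry in root's PATH exists, is a directory, and is owned by root), written out as a POSIX shell audit function. This is an added example, not the project's OVAL or the ComplianceAsCode remediation; it also goes slightly beyond the text by flagging empty PATH elements and ".", which resolve to the current directory. It assumes GNU `stat -c %U` (as on RHEL) and takes the PATH value to inspect as its first argument.

```sh
#!/bin/sh
# Added example (not from ComplianceAsCode): audit one PATH value against the
# root path integrity requirement. Prints one FAIL line per finding and returns
# non-zero if anything is wrong, so it can be used as a compliance check.
# Usage: check_root_path "$(sudo sh -c 'printf %s "$PATH"')"
check_root_path() {
    path_value="$1"
    rc=0
    # An empty element (leading, trailing or "::") means the current directory.
    case "$path_value" in
        *::*|*:|:*) echo "FAIL: empty PATH element (resolves to current directory)"; rc=1 ;;
    esac
    old_ifs="$IFS"
    IFS=:
    for dir in $path_value; do
        [ -n "$dir" ] || continue            # empty element already reported above
        if [ "$dir" = "." ]; then
            echo "FAIL: current directory '.' in PATH"; rc=1; continue
        fi
        # Non-existent (or non-directory) entry: the condition the PR's new OVAL check adds.
        if [ ! -d "$dir" ]; then
            echo "FAIL: $dir does not exist or is not a directory"; rc=1; continue
        fi
        # Ownership: every directory must be owned by root.
        owner=$(stat -c %U "$dir" 2>/dev/null)
        if [ "$owner" != "root" ]; then
            echo "FAIL: $dir is owned by ${owner:-unknown}, not root"; rc=1
        fi
    done
    IFS="$old_ifs"
    return $rc
}
```

Running it with a constructed value such as `check_root_path "/usr/bin:/missing/dir"` reports the missing entry and exits non-zero, which is exactly the case the new test scenario covers.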

@jan-cerny added this to the 0.1.79 milestone on Oct 6, 2025
@jan-cerny added the labels bugfix (Fixes to reported bugs.) and CIS (CIS Benchmark related.) on Oct 6, 2025

@Mab879 (Member) left a comment


CI fails are valid. Please take a look. Stable profiles and cce seem to be a problem.

@jan-cerny (Collaborator, Author)

I have added CCEs and updated stable profiles.

@openshift-ci (Bot) commented Oct 7, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-openshift-node-compliance
Commit: 3b3dfcb
Required: true
Rerun command: /test e2e-aws-openshift-node-compliance

@Mab879 self-assigned this on Oct 7, 2025
@Mab879 merged commit 6ebcdb5 into ComplianceAsCode:master on Oct 7, 2025
133 of 136 checks passed