Enable ensure_shadow_group_empty for RHEL7 #10416

Merged

marcusburghardt
Member

Description:

The ensure_shadow_group_empty rule satisfies the following CIS requirement for RHEL7:

  • 6.2.4 - Ensure shadow group is empty (Automated)

This rule was already removed from latest CIS versions for RHEL8 and RHEL9.
It is likely possible it will be also removed in RHEL7. In this context, it is not intended to include an Ansible remediation in this PR.

In any case, the requirement is still present in the current CIS version for RHEL7 and the respective control file was updated.

Rationale:

Better CIS coverage for RHEL7.

@marcusburghardt marcusburghardt added RHEL7 Red Hat Enterprise Linux 7 product related. CIS CIS Benchmark related. labels Apr 3, 2023
@marcusburghardt marcusburghardt added this to the 0.1.68 milestone Apr 3, 2023
@marcusburghardt marcusburghardt requested a review from a team as a code owner April 3, 2023 19:57
@marcusburghardt marcusburghardt requested a review from Mab879 April 3, 2023 19:58
@github-actions
github-actions bot commented Apr 3, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel7 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

@Mab879 Mab879 self-assigned this Apr 3, 2023
Member

@Mab879 Mab879 left a comment

Release rebase on the latest master, that should fix the issue with the Fedora CI failure.

@marcusburghardt marcusburghardt force-pushed the cis_ensure_shadow_group_empty branch from 1e4da19 to 38246a1 Compare April 4, 2023 11:05
@marcusburghardt
Member Author

Release rebase on the latest master, that should fix the issue with the Fedora CI failure.

Done. Thanks

@codeclimate
codeclimate bot commented Apr 4, 2023

Code Climate has analyzed commit 38246a1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

@marcusburghardt
Member Author

Automatus CS8 and CS9 are expected to fail because this rule was enabled only for RHEL7.

@Mab879 Mab879 added the Update Profile Issues or pull requests related to Profiles updates. label Apr 4, 2023
@Mab879 Mab879 merged commit 91005db into ComplianceAsCode:master Apr 4, 2023
@marcusburghardt marcusburghardt deleted the cis_ensure_shadow_group_empty branch April 4, 2023 20:54