Introduce new remediation type Kickstart #12144

Merged
merged 8 commits into from
Jul 29, 2024

Collaborator

@jan-cerny jan-cerny commented Jul 10, 2024

Description:

This PR introduces a new remediation type "kickstart". This new remediation type will be used by OpenSCAP to generate RHEL kickstarts from our built data streams. These kickstarts will be used for system installation, as a lightweight alternative to OSCAP Anaconda Addon. The URN of this type will be "urn:xccdf:fix:script:kickstart".

The ability to process this remediation type will be added to OpenSCAP in OpenSCAP/openscap#2136. The description of the language and format of the kickstart remediation type can be found in the OpenSCAP PR.

At this moment, the commands used in this PR are:

  • package install package_name - adds package_name to %packages section in the kickstart
  • package remove package_name - adds -package_name to %packages section in the kickstart
  • service enable service_name - adds service_name to list in the --enabled= option in the services command in commands section in the kickstart
  • service disable service_name - adds service_name to list in the --disabled= option in the services command in commands section in the kickstart
  • logvol path size - adds logvol entry to the commands section of the kickstart that will mount a partition of the given size in MB to the given path as a mount point
  • bootloader option or bootloader option=value - adds option or option=value to the list in the --append= option in the bootloader command in commands section in the kickstart

We expect to add support for more commands in OpenSCAP, e.g. a command to configure the firewall or commands for adding custom %post sections in the kickstart.

This PR adds the new kickstart remediations for the most favorite templates (package_installed, package_removed, service_enabled, service_disabled, mount, grub2_bootloader_template). This way, we will cover most of the rules that need to be configured during the system installation.

For more details, please read commit messages of every commit.

Rationale:

This change will enable us to add special remediation content to our rules, needed for enabling and testing the kickstart generator feature of OpenSCAP.

Review Hints:

Work together with OpenSCAP feature.

@jan-cerny jan-cerny added the Highlight This PR/Issue should make it to the featured changelog. label Jul 10, 2024
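
The command-to-kickstart mapping listed in the PR description, as an added Python example that is not code from this PR or from OpenSCAP: it validates each remediation line, refuses contradictory rules (such as a package selected for both install and removal), and renders one kickstart fragment. The token patterns, the `system` volume group, the logical volume naming and the sample fix texts are assumptions of the example.

```python
import re

# Token shapes are assumptions of this example; the real grammar lives in the OpenSCAP PR.
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+@-]*")
MOUNT = re.compile(r"/[A-Za-z0-9_./-]*")
BOOT_OPT = re.compile(r"[A-Za-z0-9_.-]+(=[A-Za-z0-9_.,:/-]+)?")
VG_NAME = "system"  # hypothetical volume group name, not taken from the page


class RemediationError(ValueError):
    """A fix text that must not reach the generated kickstart."""


def parse_line(line):
    """Validate one command line and return (kind, key, value)."""
    cmd, *args = line.split()
    if cmd in ("package", "service"):
        actions = ("install", "remove") if cmd == "package" else ("enable", "disable")
        if len(args) != 2 or args[0] not in actions or not NAME.fullmatch(args[1]):
            raise RemediationError(f"bad {cmd} command: {line!r}")
        return args[0], args[1], None
    if cmd == "logvol":
        if len(args) != 2 or not MOUNT.fullmatch(args[0]) or not re.fullmatch("[0-9]+", args[1]):
            raise RemediationError(f"bad logvol command: {line!r}")
        return "logvol", args[0], int(args[1])
    if cmd == "bootloader":
        if len(args) != 1 or not BOOT_OPT.fullmatch(args[0]):
            raise RemediationError(f"bad bootloader command: {line!r}")
        return "bootloader", args[0].partition("=")[0], args[0]
    # Anything else (for example a stray section header) is refused, not copied through.
    raise RemediationError(f"unknown command: {line!r}")


def merge(fixes):
    """Fold (rule_id, fix_text) pairs into one plan, refusing contradictory rules."""
    plan = {k: {} for k in ("install", "remove", "enable", "disable", "logvol", "bootloader")}
    for rule_id, text in fixes:
        for line in filter(str.strip, text.splitlines()):
            kind, key, value = parse_line(line)
            seen = plan[kind].setdefault(key, (value, rule_id))
            if seen[0] != value:  # same mount point or boot option, different value
                raise RemediationError(f"{rule_id} and {seen[1]} disagree on {key}")
    for a, b in (("install", "remove"), ("enable", "disable")):
        both = sorted(plan[a].keys() & plan[b].keys())
        if both:
            raise RemediationError(f"{both[0]}: {plan[a][both[0]][1]} vs {plan[b][both[0]][1]}")
    return plan


def render(plan):
    """Render the plan as kickstart text: commands section first, then %packages."""
    out = []
    for path, (size, _) in sorted(plan["logvol"].items()):
        lv = path.strip("/").replace("/", "_") or "root"  # LV naming is an assumption
        out.append(f"logvol {path} --vgname={VG_NAME} --name={lv} --size={size}")
    if plan["bootloader"]:
        opts = " ".join(value for value, _ in plan["bootloader"].values())
        out.append(f'bootloader --append="{opts}"')
    svc = [f"--{flag}d=" + ",".join(sorted(plan[flag]))
           for flag in ("enable", "disable") if plan[flag]]
    if svc:
        out.append("services " + " ".join(svc))
    out.append("%packages")
    out += sorted(plan["install"])
    out += ["-" + pkg for pkg in sorted(plan["remove"])]
    out.append("%end")
    return "\n".join(out) + "\n"


def rejects(fixes):
    """True when merge() refuses the given fixes."""
    try:
        merge(fixes)
    except RemediationError:
        return True
    return False


# Constructed sample: rule names appear on this page, the fix texts are made up.
SAMPLE_FIXES = [
    ("package_aide_installed", "package install aide"),
    ("package_gdm_removed", "package remove gdm"),
    ("service_auditd_enabled", "service enable auditd"),
    ("service_debug-shell_disabled", "service disable debug-shell"),
    ("partition_for_var_log", "logvol /var/log 1024"),
    ("grub2_audit_argument", "bootloader audit=1"),
    ("grub2_pti_argument", "bootloader pti=on"),
]

if __name__ == "__main__":
    print(render(merge(SAMPLE_FIXES)), end="")
```
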

openshift-ci bot commented Jul 10, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 10, 2024

github-actions bot commented Jul 10, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -1,4 +1,4 @@
 
 [[customizations.filesystem]]
 mountpoint = "/var/log"
-size = 5368709120
+size = 1073741824
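
Review bot: the `size` change on the last two lines shrinks the /var/log blueprint filesystem from 5368709120 to 1073741824 bytes, yet the PR description only covers adding kickstart remediations and does not mention any change to an existing blueprint remediation. If the smaller value is intended, state the reason in the description or a commit message and confirm it still satisfies the partition_for_var_log rule; otherwise restore the previous blueprint output so this PR only adds the new remediation type.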

New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gdm_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_binutils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rear_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tar_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vim_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-city_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-country_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iprutils_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pigz_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tmux_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_logrotate_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_syslogng_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_syslogng_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreswan_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables-services_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables-services_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nftables_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ufw_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_mcstrans_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_avahi-autoipd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_avahi_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_psacct_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_psacct_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_abrtd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_acpid_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_certmonger_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cockpit_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cpupower_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_kdump_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_netconsole_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpdate_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_oddjobd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_portreserve_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_qpidd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_quota_nld_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rdisc_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhnsd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_saslauthd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sysstat_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cron_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nis_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ntpdate_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dhcp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_bind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_named_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ftp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vsftpd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_httpd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_httpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nginx_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dovecot_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_389-ds-base_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_slapd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_mailx_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_postfix_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sendmail_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_postfix_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nfs-utils_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_netfs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfslock_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_chrony_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ntp_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntp_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsync_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_xinetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ypbind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ypserv_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypbind_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsh_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rexec_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rlogin_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsh_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_talk-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_talk_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnet_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_telnet_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tftp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cups_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cups_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_squid_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_squid_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_freeradius_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rngd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_quagga_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_zebra_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_samba-common_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_samba_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_smb_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd-ipa_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sssd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument'.

Collaborator

comps commented Jul 10, 2024

<comment moved to OpenSCAP/openscap#2136 as it was related to the underlying implementation>


github-actions bot commented Jul 10, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12144
This image was built from commit: 13c8a39


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12144

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12144 make deploy-local

Member

evgenyz commented Jul 17, 2024

Any reason it is still in draft state? It looks like a good bootstrap for Kickstart remediations.

Collaborator Author

> Any reason it is still in draft state? It looks like a good bootstrap for Kickstart remediations.

@evgenyz We are waiting for content authors working on profiles to provide early feedback.

This will enable us to add special remediation content to our rules.
It will be used by OpenSCAP to generate RHEL kickstarts from our built
data streams. These kickstarts will be used as a lightweight alternative
to OSCAP Anaconda Addon.
This commit will add a Kickstart remediation for these templates:
- package_installed
- package_removed
- service_enabled
- service_disabled
@evgenyz evgenyz requested review from a team and evgenyz July 22, 2024 07:30
@evgenyz evgenyz self-assigned this Jul 22, 2024
Member

evgenyz commented Jul 22, 2024

> > Any reason it is still in draft state? It looks like a good bootstrap for Kickstart remediations.
>
> @evgenyz We are waiting for content authors working on profiles to provide early feedback.

I've added @ComplianceAsCode/red-hatters as a reviewer. If you want specific opinion to move forward, please tag these people. Otherwise it is unclear when we will be able to proceed.

@jan-cerny jan-cerny marked this pull request as ready for review July 26, 2024 07:57
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 26, 2024
@jan-cerny jan-cerny added this to the 0.1.74 milestone Jul 26, 2024
@evgenyz evgenyz added the Kickstart Kickstart file updates. label Jul 29, 2024
In rule partition_for_boot the kickstart remediation conflicts with
`bootprot --kickstart` command which we use in the generated kickstart
by default. This causes problems in some profiles for example RHEL 8
ANSSI where this conflict breaks the installation. We can disable
this remediation for this rule because the creation of the partition
is handled by the `bootprot --kickstart` command.
Collaborator Author

I have disabled Kickstart remediation in partition_for_boot.


codeclimate bot commented Jul 29, 2024

Code Climate has analyzed commit 13c8a39 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 50.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@evgenyz evgenyz merged commit fa363ef into ComplianceAsCode:master Jul 29, 2024
90 of 96 checks passed