Add Lynis baseline for aarch64 Tumbleweed

[ggardet]

• Verification run:
  • https://openqa.opensuse.org/t1950143
  • https://openqa.opensuse.org/t1950144

[Vogtinator]

Noteworthy diff to x86_64:

   - Disable kernel support of some filesystems
-    - Module cramfs is blacklisted                            [ OK ]
-    - Module freevxfs is blacklisted                          [ OK ]
-    - Module hfs is blacklisted                               [ OK ]

Shouldn't this blacklisting also appear on aarch64?

[Vogtinator]

CC @lilyeyes

[lilyeyes]

Noteworthy diff to x86_64:

   - Disable kernel support of some filesystems
-    - Module cramfs is blacklisted                            [ OK ]
-    - Module freevxfs is blacklisted                          [ OK ]
-    - Module hfs is blacklisted                               [ OK ]

Shouldn't this blacklisting also appear on aarch64?

Thanks for the PR.
I am not sure if missing the blacklisting is OK. But I checked the lynis outputs for sle15sp4 on aarch64 it is the same with your baseline (no the Module * is blackedlisted [OK]). Etc, https://openqa.suse.de/assets/other/07274343-baseline-lynis-audit-system-nocolors-15-SP4-aarch64-textmode
You can ask [email protected] for a double check for TW.

[jsegitz]

I checked on a current tumbleweed x86 and there the modules are also not blacklisted. So it's fine to have this missing for aarch64.

[lilyeyes]

LGTM

[Vogtinator]

I checked on a current tumbleweed x86 and there the modules are also not blacklisted. So it's fine to have this missing for aarch64.

They are blacklisted by /usr/lib/modprobe.d/60-blacklist_fs-*.conf in the suse-module-tools package.

Did you check using Lynis? If so, it might be a bug or intentional change in display.

[jsegitz]

Did you check using Lynis? If so, it might be a bug or intentional change in display.

yes, I used Lynis on a fresh install. I have another look

[jsegitz]

It's a lynis issue. I've sent a PR
CISOfy/lynis#1215
and a fix is on the way to Factory:
https://build.opensuse.org/request/show/925115

@lilyeyes: Shouldn't that have triggered the tests on x86 before as the baseline didn't match anymore?

[lilyeyes]

It's a lynis issue. I've sent a PR CISOfy/lynis#1215 and a fix is on the way to Factory: https://build.opensuse.org/request/show/925115

@lilyeyes: Shouldn't that have triggered the tests on x86 before as the baseline didn't match anymore?

I have checked lynis baselines and current lynis outputs for sles15sp4 b47.1 on x86 and did not find the "Module * is blackedlisted [OK]".
I have checked lynis baselines and current lynis outputs for sles15sp3 GM on x86 and did not find the "Module * is blackedlisted [OK]" as well.
If this "blackedlisted" is needed I will revise the baselines accordingly when the lynix fix is available for sles.

[ggardet]

@lilyeyes The blacklisting is only on Tumbleweed.

[ggardet]

The list of files for each distro is here: https://github.com/os-autoinst/os-autoinst-distri-opensuse/tree/master/data/lynis

[lilyeyes]

@lilyeyes: Shouldn't that have triggered the tests on x86 before as the baseline didn't match anymore?

On TW, the openQA lynis test case found the difference between baseline and current lynis outputs but only checked the status as the contents are too complicated to check all of them (e.g., if the status is [ OK ] / [ YES ] / [ DONE ] then this item will be passed. if [ ERROR ] / ... / [WEAK] found then it will be failed, etc. )

FYI.
https://openqa.opensuse.org/tests/1966946#step/9_[+]_File_systems/4 (baseline)
https://openqa.opensuse.org/tests/1966946#step/9_[+]_File_systems/5 (current)

IMO, if "[2C- Disable kernel support of some filesystems�[15C" contains the status like [OK] / [WEAK] test case can catch the bug.

[tjyrinki]

The CI is stuck on Running to isotovideo test, could you make a dummy force push to trigger it again? At least I do not have powers to kick the CI manually otherwise.

[ggardet]

The CI is stuck on Running to isotovideo test, could you make a dummy force push to trigger it again? At least I do not have powers to kick the CI manually otherwise.

Done