SLE Add dependency to crypto-policies-scripts package by teacup-on-rockingchair · Pull Request #13088 · ComplianceAsCode/content · GitHub

SLE Add dependency to crypto-policies-scripts package #13088


teacup-on-rockingchair
Contributor

Description:

  • Add dependency in configure_crypto_policy rule to crypto-policies-scripts package for SLE platform

Rationale:

  • The remediation scripts depend on the utility from crypto-policies-scripts package

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 20, 2025
openshift-ci bot commented Feb 20, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@teacup-on-rockingchair teacup-on-rockingchair added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. labels Feb 20, 2025
@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.77 milestone Feb 20, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -1,5 +1,7 @@
 
 var_system_crypto_policy=''
+
+
 
 
 stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
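
Review bot: The two lines added just above the `update-crypto-policies --set` call are empty, so in this rendered remediation nothing installs or checks for the crypto-policies-scripts package before the utility is invoked. If the package step is meant to render only for SLE, trim the template whitespace so the output for other products stays unchanged, and consider guarding the call with a presence check such as `command -v update-crypto-policies` so that a missing utility produces a clear failure instead of only an error string captured in `stderr_of_call`.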

codeclimate bot commented Feb 20, 2025

Code Climate has analyzed commit 051a760 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.0% change).

View more on Code Climate.

@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review February 20, 2025 09:46
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 20, 2025
@jan-cerny jan-cerny self-assigned this Feb 20, 2025
Collaborator
@jan-cerny jan-cerny left a comment

I have discovered a suspicious fail in Automatus on RHEL 9 with Ansible Remediations.

jcerny@fedora:~/work/git/scap-security-guide (pr/13088)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible --scenario policy_default_cis_l1.pass.sh configure_crypto_policy
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-02-20-1747/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_crypto_policy
INFO - Script policy_default_cis_l1.pass.sh using profile xccdf_org.ssgproject.content_profile_cis_server_l1 OK
ERROR - Script policy_default_cis_l1.pass.sh using profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 found issue:
ERROR - Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy has not been evaluated! Wrong profile selected in test scenario or there has been problem starting the evaluation. Please inspect the log file /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-02-20-1747/configure_crypto_policy-policy_default_cis_l1.pass.sh-initial.verbose.log for details.
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.

This doesn't happen for me with the current upstream master. That indicates it could be caused by this PR. I will try to investigate what is going on there.

@teacup-on-rockingchair
Contributor Author

ERROR - Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy has not been evaluated! Wrong profile selected in test scenario or there has been problem starting the evaluation. Please inspect the log file /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-02-20-1747/configure_crypto_policy-policy_default_cis_l1.pass.sh-initial.verbose.log for details.

Thanks, will check it on my local setup also.

@jan-cerny
Collaborator

@teacup-on-rockingchair I spent quite a lot of time with this and I discovered that it isn't reproducible deterministically. It happens only sometimes. Also, today I'm able to get this error also with the current upstream master and also it fails with the latest release tag. That means the problem isn't caused by contents of this PR.

I think it's somehow related to how Automatus works with VMs and VM snapshots. There is a snapshot revert done between the execution of each scenario. Perhaps it tries to connect to the VM before it starts.

@jan-cerny jan-cerny merged commit a2501c9 into ComplianceAsCode:master Feb 24, 2025
107 of 111 checks passed