Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to _guard_var templates for timesync rules on Ubuntu 24.04 #12903

Merged
merged 4 commits into from
Jan 29, 2025
Merged

Switch to _guard_var templates for timesync rules on Ubuntu 24.04 #12903

merged 4 commits into from
Jan 29, 2025

Conversation

mpurg
Copy link
Contributor

@mpurg mpurg commented Jan 27, 2025
edited
Loading

Description:

  • Modify timesync package/service install/enable rules to use _guard_var templates on Ubuntu 24.04
  • Introduce variable var_timesync_service
  • Adapt Ubuntu 24.04 CIS controls

Rationale:

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Used by openshift-ci bot. needs-ok-to-test Used by openshift-ci bot. labels Jan 27, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 27, 2025

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dodys dodys self-assigned this Jan 27, 2025
@mpurg mpurg marked this pull request as ready for review January 27, 2025 19:33
@mpurg mpurg requested a review from a team as a code owner January 27, 2025 19:33
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 27, 2025
mpurg added 4 commits January 27, 2025 20:40
@mpurg
Create new variable var_timesync_service
84570c1 
The variable is used to select the desired timesync service
(systemd-timesync vs chrony) in package/service install/enable
rules when using _guard_var templates.

Analogous to var_network_filtering_service introduced in ComplianceAsCode#11818
@mpurg
Switch to selecting timesync with var_timesync_service on Ubuntu 24.04
f8559c6
@mpurg
Use _guard_var templates for timesync packages on Ubuntu 24.04
5661775
@mpurg
Use _guard_var templates for timesync services on Ubuntu 24.04
13f6dbc
@mpurg mpurg force-pushed the ubuntu2404_timesync_guard_var branch from 751dfc0 to 13f6dbc Compare January 27, 2025 19:40
@codeclimate CodeClimate
Copy link

codeclimate bot commented Jan 27, 2025

Code Climate has analyzed commit 13f6dbc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@mpurg
Copy link
Contributor Author

mpurg commented Jan 29, 2025

All automatus tests (except missing rule package_timesyncd_removed) pass locally in KVM:

INFO - xccdf_org.ssgproject.content_rule_service_chronyd_disabled                                                              
INFO - Script service_enabled-var_not_value.fail.sh using profile (all) OK                                               
INFO - Script service_enabled-var_is_value.pass.sh using profile (all) OK                                                
INFO - Script service_disabled.pass.sh using profile (all) OK                                                            

INFO - xccdf_org.ssgproject.content_rule_service_chronyd_enabled                                                         
INFO - Script service_disabled-var_not_value.pass.sh using profile (all) OK                                              
INFO - Script service_disabled.fail.sh using profile (all) OK                                                            
INFO - Script service_enabled.pass.sh using profile (all) OK                                                             

INFO - xccdf_org.ssgproject.content_rule_service_timesyncd_disabled                                                      
INFO - Script service_enabled-var_is_value.pass.sh using profile (all) OK                                                
INFO - Script service_enabled-var_not_value.fail.sh using profile (all) OK                                               
INFO - Script service_disabled.pass.sh using profile (all) OK                                                            

INFO - xccdf_org.ssgproject.content_rule_service_timesyncd_enabled                                                       
INFO - Script service_disabled.fail.sh using profile (all) OK                                
INFO - Script service_disabled-var_not_value.pass.sh using profile (all) OK                                              
INFO - Script service_enabled.pass.sh using profile (all) OK                                                             

INFO - xccdf_org.ssgproject.content_rule_package_chrony_installed                                                        
INFO - Script package-removed-wrong-var.pass.sh using profile (all) OK                                             
INFO - Script package-installed.pass.sh using profile (all) OK                                                                 
INFO - Script package-installed-removed.fail.sh using profile (all) OK                                                   
INFO - Script package-removed.fail.sh using profile (all) OK                                                             

INFO - xccdf_org.ssgproject.content_rule_package_timesyncd_installed                                                     
INFO - Script package-installed-removed.fail.sh using profile (all) OK                                                   
INFO - Script package-removed.fail.sh using profile (all) OK                                                             
INFO - Script package-installed.pass.sh using profile (all) OK                                                                 
INFO - Script package-removed-wrong-var.pass.sh using profile (all) OK                                                   

WARNING - Rule 'xccdf_org.ssgproject.content_rule_package_timesyncd_removed' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU_24-04' in '/tmp/ssgts-ds-pfmf_qqb'
ERROR - No tests found matching the rule ID(s) 'package_timesyncd_removed'                                               
WARNING - Nothing has been tested!

dodys
dodys approved these changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys added this to the 0.1.76 milestone Jan 29, 2025
@dodys dodys added Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates. CIS CIS Benchmark related. labels Jan 29, 2025
@dodys dodys merged commit 86fbd5c into ComplianceAsCode:master Jan 29, 2025
96 of 99 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels
CIS CIS Benchmark related. needs-ok-to-test Used by openshift-ci bot. Ubuntu Ubuntu product related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.76
Development

Successfully merging this pull request may close these issues.
2 participants
@mpurg @dodys