
Rule: sshd_include_crypto_policy, drop remediations, improve OVAL #13028

Merged

Conversation

@evgenyz evgenyz commented Feb 11, 2025

Description:

  • We are dropping all remediations for now, as the recommended one is questionable.
  • OVAL now recognizes the Include directive in any drop-in file, in a case-insensitive way that tolerates different separators.
  • Dropping the 'not osbuild' platform as well.

Rationale:

  • The current remediation causes a lot of trouble and is most likely not efficient: Fix ssh include cryptopolicy #12931.
  • We should not force the location of the Include directive in the check; any drop-in file is OK.
  • The platform is not needed if the rule does not try to remediate the system in a barbaric way.
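As an added example (not part of this PR or of the ComplianceAsCode OVAL), a Python audit that mirrors the relaxed check described above: it accepts the Include directive in /etc/ssh/sshd_config or in any drop-in, case-insensitively and with either whitespace or '=' as the separator. It goes one step beyond the OVAL check by also verifying that the main config's own Include pattern actually pulls the drop-in in; the sample configs are constructed.

```python
import fnmatch
import re
from pathlib import Path

CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/opensshserver.config"

# sshd_config keywords are case-insensitive; keyword and argument are separated
# by whitespace or by optional whitespace around exactly one '=' (tried first).
INCLUDE_RE = re.compile(r"^\s*include(?:\s*=\s*|\s+)(?P<args>\S.*?)\s*$", re.IGNORECASE)


def include_args(line):
    """Space-separated arguments of an Include directive, or [] if the line is not one."""
    m = INCLUDE_RE.match(line)
    return m.group("args").split() if m else []


def includes_crypto_policy(text):
    """True if any line of a config fragment includes the crypto-policy back-end file."""
    return any(CRYPTO_POLICY_FILE in include_args(line) for line in text.splitlines())


def dropin_is_reachable(main_text, dropin_path):
    """True if an Include pattern in the main config glob-matches the drop-in (as sshd does)."""
    return any(fnmatch.fnmatch(dropin_path, pat)
               for line in main_text.splitlines() for pat in include_args(line))


def files_including_crypto_policy(main_text, dropins):
    """dropins maps absolute path -> contents. Returns the files that satisfy the rule."""
    hits = ["/etc/ssh/sshd_config"] if includes_crypto_policy(main_text) else []
    for path, text in sorted(dropins.items()):
        if includes_crypto_policy(text) and dropin_is_reachable(main_text, path):
            hits.append(path)
    return hits


def audit_live_system():
    """Same check against the real files (needs read access to /etc/ssh)."""
    main_text = Path("/etc/ssh/sshd_config").read_text()
    dropins = {str(p): p.read_text() for p in Path("/etc/ssh/sshd_config.d").iterdir() if p.is_file()}
    return files_including_crypto_policy(main_text, dropins)


# Constructed sample: only the RHEL-style drop-in carries a live Include (mixed case, '=' separator);
# the commented-out copy and the file not matched by the main config's *.conf pattern are ignored.
SAMPLE_MAIN = "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n"
SAMPLE_DROPINS = {
    "/etc/ssh/sshd_config.d/50-redhat.conf": f"INCLUDE={CRYPTO_POLICY_FILE}\n",
    "/etc/ssh/sshd_config.d/60-local.conf": f"# Include {CRYPTO_POLICY_FILE}\n",
    "/etc/ssh/sshd_config.d/README.txt": f"Include {CRYPTO_POLICY_FILE}\n",
}

if __name__ == "__main__":
    print(files_including_crypto_policy(SAMPLE_MAIN, SAMPLE_DROPINS))
```

An empty list from audit_live_system() is the condition the rule flags; a non-empty list names the file(s) the operator would otherwise have to find by hand.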

evgenyz commented Feb 11, 2025

Not creating backport until we all agree on the changeset.

@evgenyz evgenyz added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. STIG STIG Benchmark related. labels Feb 11, 2025
github-actions bot commented Feb 11, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -7,6 +7,9 @@
 In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
 The following line should be present in /etc/ssh/sshd_config or in a file included by this file (a file within the /etc/ssh/sshd_config.d directory):
 Include /etc/crypto-policies/back-ends/opensshserver.config
+
+[warning]:
+There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem.
 
 [reference]:
 CCI-001453
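Review bot: the added warning text is missing an article and uses "efficient" where "effective" is meant ("because recommended action could severely disrupt the system and might not be efficient in fixing the problem"); suggest "because the recommended action could severely disrupt the system and might not be effective in fixing the problem." Since the rule now ships without any remediation, the warning would also be more useful if it pointed the operator at the manual step already given a few lines above: add the "Include /etc/crypto-policies/back-ends/opensshserver.config" line to /etc/ssh/sshd_config or to a file under /etc/ssh/sshd_config.d.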

New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -1 +1 @@
-oval:ssg-installed_env_is_osbuild:def:1
+
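Review bot: replacing "oval:ssg-installed_env_is_osbuild:def:1" with an empty platform makes the rule apply to every system, including the osbuild-built ones the previous platform excluded. That is consistent with the stated rationale that the platform only existed to guard the remediation, but since no remediation remains to correct a failure, it is worth confirming in the Automatus tests that the check itself passes on the systems the platform used to exclude before the backport is created.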

@evgenyz evgenyz added this to the blocker milestone Feb 11, 2025
@Mab879 Mab879 modified the milestones: blocker, 0.1.76 Feb 12, 2025
Mab879 commented Feb 12, 2025

I'm wondering if we should have some sort of failing Automatus test to make sure the rule works.

evgenyz commented Feb 12, 2025

I'm wondering if we should have some sort of failing Automatus test to make sure the rule works.

Fair enough, got too far. Reinstated all tests but without extra workarounds and with fixes (ssh -> sshd etc).

Edit: GH is a bit slow on updating PRs today.

@evgenyz evgenyz force-pushed the fix-sshd_include_crypto_policy branch from b0f13a3 to 9aab74e Compare February 12, 2025 08:33
@vojtapolasek vojtapolasek self-assigned this Feb 12, 2025
@vojtapolasek vojtapolasek left a comment


Thank you for the PR @evgenyz.
Please see my comments.
Additionally, I would like to ask you to add a warning to rule.yml stating that the rule does not have a remediation and giving some reason for that.
You can see an example of warning in sshd_set_idle_timeout.
Categories of warnings are shown here: https://complianceascode.readthedocs.io/en/latest/manual/developer/04_style_guide.html#rule-sections

@evgenyz evgenyz force-pushed the fix-sshd_include_crypto_policy branch 2 times, most recently from 7f7b463 to 93b1b5f Compare February 12, 2025 10:18
codeclimate bot commented Feb 12, 2025

Code Climate has analyzed commit 93b1b5f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@evgenyz evgenyz force-pushed the fix-sshd_include_crypto_policy branch 2 times, most recently from 7b276c4 to e5d664f Compare February 12, 2025 12:00
We are dropping all remediations for now, as the recommended one
is questionable.

OVAL now recognizes the Include directive in any drop-in file,
in a case-insensitive way that tolerates different separators.

Dropping the 'not osbuild' platform as well.
@evgenyz evgenyz force-pushed the fix-sshd_include_crypto_policy branch from e5d664f to ca71a05 Compare February 12, 2025 12:29
@vojtapolasek vojtapolasek left a comment

Looks good now. Thank you.

@vojtapolasek

Merging. Failing Automatus checks happen because the rule is currently only in the RHEL 9 datastream.

@vojtapolasek vojtapolasek merged commit 7fb2776 into ComplianceAsCode:master Feb 12, 2025
39 of 109 checks passed
@evgenyz evgenyz deleted the fix-sshd_include_crypto_policy branch February 12, 2025 14:06
vojtapolasek added a commit that referenced this pull request Feb 12, 2025
 Rule: sshd_include_crypto_policy, drop remediations, improve OVAL #13028