Enable dconf profiles in bash remediation of dconf rules on Ubuntu #12016

Merged
merged 3 commits into from
May 31, 2024

@mpurg mpurg commented May 21, 2024

Description:

  • Added enabling of dconf profiles to the remediation of the individual dconf rules instead of relying on rule enable_dconf_user_profile.
  • Created new macro bash_enable_dconf_user_profile for enabling dconf profiles.

Rationale:

  • Several dconf rules checked for the existence of dconf user profiles by extending the oval definition with enable_dconf_user_profile, but did not create the dconf profiles in their remediations, thus always failing on Ubuntu because the dconf profiles do not exist by default.

@mpurg mpurg requested a review from a team as a code owner May 21, 2024 18:22
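
The mismatch described in the PR description above (a check that requires a dconf user profile, paired with a remediation that never creates one) can be reproduced with the following added example, which is not the PR's `bash_enable_dconf_user_profile` macro or any ComplianceAsCode code. The function names, the `PROFILE_DIR` override, the profile name `user` and the database name `local` are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration, not the ComplianceAsCode macro. PROFILE_DIR defaults to the
# standard dconf location; the override (an assumption of this example) lets the
# functions run against a scratch directory.
PROFILE_DIR="${PROFILE_DIR:-/etc/dconf/profile}"

# Check side: pass only if the profile file exists and lists both databases.
dconf_profile_enabled() {   # $1 = profile name, $2 = system database name
    [ -f "$PROFILE_DIR/$1" ] || return 1
    grep -qxF 'user-db:user' "$PROFILE_DIR/$1" &&
        grep -qxF "system-db:$2" "$PROFILE_DIR/$1"
}

# Remediation side: create the profile if absent, otherwise add only what is missing.
enable_dconf_profile() {    # $1 = profile name, $2 = system database name
    mkdir -p "$PROFILE_DIR" || return 1
    [ -f "$PROFILE_DIR/$1" ] || : > "$PROFILE_DIR/$1"
    if ! grep -qxF 'user-db:user' "$PROFILE_DIR/$1"; then
        # The writable user database must be the first line, so prepend it.
        { echo 'user-db:user'; cat "$PROFILE_DIR/$1"; } > "$PROFILE_DIR/$1.tmp" &&
            mv "$PROFILE_DIR/$1.tmp" "$PROFILE_DIR/$1" || return 1
    fi
    grep -qxF "system-db:$2" "$PROFILE_DIR/$1" ||
        echo "system-db:$2" >> "$PROFILE_DIR/$1"
}

# Constructed scenario: a host with no dconf profile at all. Runs in a subshell
# so the scratch PROFILE_DIR does not leak into the caller.
demo() (
    PROFILE_DIR="$(mktemp -d)" || exit 1
    if dconf_profile_enabled user local; then before=pass; else before=fail; fi
    enable_dconf_profile user local
    enable_dconf_profile user local   # a second run must not duplicate lines
    if dconf_profile_enabled user local; then after=pass; else after=fail; fi
    lines=$(wc -l < "$PROFILE_DIR/user" | tr -d ' ')
    rm -rf "$PROFILE_DIR"
    echo "$before $after $lines"
)
```

`demo` reports the check result before remediation, the result after two remediation runs, and the number of lines in the resulting profile file.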
openshift-ci bot commented May 21, 2024

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 21, 2024

github-actions bot commented May 21, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12016
This image was built from commit: c2bc84a

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12016

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12016 make deploy-local

@dodys dodys self-assigned this May 22, 2024
@dodys dodys added the Ubuntu Ubuntu product related. label May 22, 2024
dodys commented May 22, 2024

/packit build

@mpurg mpurg force-pushed the ubuntu_fix_dconf_remediation branch 2 times, most recently from 3c0df2f to 4080db5 Compare May 27, 2024 12:06
@mpurg mpurg marked this pull request as draft May 29, 2024 09:34
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 29, 2024
@mpurg mpurg force-pushed the ubuntu_fix_dconf_remediation branch from 4080db5 to a85fe6c Compare May 29, 2024 09:35
@mpurg mpurg marked this pull request as ready for review May 29, 2024 19:39
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 29, 2024
@mpurg mpurg marked this pull request as draft May 29, 2024 20:10
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 29, 2024
@mpurg mpurg force-pushed the ubuntu_fix_dconf_remediation branch 2 times, most recently from b7c822c to e0db31f Compare May 29, 2024 21:31
@mpurg mpurg marked this pull request as ready for review May 29, 2024 21:38
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 29, 2024
mpurg added 2 commits May 29, 2024 23:41
Created new macro `bash_enable_dconf_user_profile`.
Several dconf rules check for the existence of dconf user profiles
by extending the oval definition with `enable_dconf_user_profile`,
but do not create the profiles in their remediations, thus always
fail on Ubuntu because the dconf profiles do not exist by default.
@mpurg mpurg force-pushed the ubuntu_fix_dconf_remediation branch 2 times, most recently from 749987d to 7e2e491 Compare May 30, 2024 12:28
mpurg commented May 30, 2024

@marcusburghardt @jan-cerny could you have a look at the test testing-farm:centos-7-x86_64:/static-checks please. It seems to be failing across multiple PRs.

@marcusburghardt
Member

> @marcusburghardt @jan-cerny could you have a look at the test testing-farm:centos-7-x86_64:/static-checks please. It seems to be failing across multiple PRs.

It should be fixed. I restarted the failed job now.

The rule is no longer needed because the individual dconf rules
implement the check and remediation for enabling the dconf profiles.
@mpurg mpurg force-pushed the ubuntu_fix_dconf_remediation branch from 7e2e491 to c2bc84a Compare May 31, 2024 08:18
codeclimate bot commented May 31, 2024

Code Climate has analyzed commit c2bc84a and detected 12 issues on this pull request.

Here's the issue category breakdown:

| Category | Count |
|----------|-------|
| Bug Risk | 12    |

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

mpurg commented May 31, 2024

> > @marcusburghardt @jan-cerny could you have a look at the test testing-farm:centos-7-x86_64:/static-checks please. It seems to be failing across multiple PRs.
>
> It should be fixed. I restarted the failed job now.

It still seems to be failing.

@dodys dodys left a comment

lgtm, thanks!

@dodys dodys merged commit d6c8d5e into ComplianceAsCode:master May 31, 2024
105 of 108 checks passed
@Mab879 Mab879 added this to the 0.1.75 milestone Aug 7, 2024