
Introduce and apply the "partition exists" platform #9204

Merged (3 commits), Aug 10, 2022

Conversation

@matejak (Member) commented Jul 21, 2022

Description:

This PR introduces platforms related to the existence of partitions that can be used to extend applicability behaviors.
The new functionality is heavily macro-based, and is instantiated for the /tmp and /var/tmp partitions.

TODO:

Rationale:

If a profile doesn't require separate partitions, but it prescribes mount options if they exist, the applicability approach is the right one.

@matejak matejak added this to the 0.1.64 milestone Jul 21, 2022
@matejak matejak requested a review from vojtapolasek July 21, 2022 14:55
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Jul 21, 2022
openshift-ci bot commented Jul 21, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@matejak (Member, Author) commented Jul 22, 2022

Checks using content test filtering fail because of ComplianceAsCode/content-test-filtering#27

@matejak matejak force-pushed the applicability_var_tmp branch from 3c9e4cb to e8fb348 on July 22, 2022 15:26
@evgenyz evgenyz self-assigned this Aug 9, 2022

{{%- macro partition_exists_criterion(path) %}}
{{%- set escaped_path = path | replace("/", "_") %}}
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
Review comment (Member) on the line above:
Suggested change
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ path|escape_id }}}_exists" />

There is a special Jinja filter that can create XCCDF-compatible IDs from anything.

@evgenyz (Member) commented Aug 9, 2022

It just cries out to be templated. But that will come shortly.

id="test_partition_{{{ escaped_path }}}_exists"
version="1">
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
{{#- <linux:partition_state state_ref="" /> #}}
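Review bot: the commented-out `{{#- <linux:partition_state state_ref="" /> #}}` on the last line is leftover scaffolding with an empty state_ref; either drop it or point it at a real state so the test's intent is explicit. A test with only an object reference passes on bare object existence, which is exactly what a "partition exists" check needs, but an empty state reference left in the template invites someone to uncomment it later and emit OVAL with a dangling state_ref.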
Review comment (Member) on the line above:

?

- Improve description of OVAL macro
- Use the escape_id filter to produce IDs
@matejak matejak force-pushed the applicability_var_tmp branch from e8fb348 to 7b3c9eb on August 10, 2022 09:34
@matejak matejak marked this pull request as ready for review August 10, 2022 09:49
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Aug 10, 2022
codeclimate bot commented Aug 10, 2022

Code Climate has analyzed commit 7b3c9eb and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).


@evgenyz (Member) commented Aug 10, 2022

I think we need @mildas's help here. Shared OVALs don't necessarily have a connected rule.

openshift-ci bot commented Aug 10, 2022

@matejak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                          Commit   Required  Rerun command
ci/prow/e2e-aws-ocp4-cis-node      7b3c9eb  true      /test e2e-aws-ocp4-cis-node
ci/prow/e2e-aws-ocp4-pci-dss-node  7b3c9eb  true      /test e2e-aws-ocp4-pci-dss-node
ci/prow/e2e-aws-rhcos4-moderate    7b3c9eb  true      /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-e8          7b3c9eb  true      /test e2e-aws-rhcos4-e8
ci/prow/e2e-aws-ocp4-high          7b3c9eb  true      /test e2e-aws-ocp4-high
ci/prow/e2e-aws-ocp4-high-node     7b3c9eb  true      /test e2e-aws-ocp4-high-node
ci/prow/e2e-aws-ocp4-e8            7b3c9eb  true      /test e2e-aws-ocp4-e8
ci/prow/e2e-aws-ocp4-stig          7b3c9eb  true      /test e2e-aws-ocp4-stig


@evgenyz evgenyz merged commit a1e7512 into ComplianceAsCode:master Aug 10, 2022
@matejak (Member, Author) commented Aug 10, 2022

I have used this snippet to verify whether the json_query is used correctly, and saved that one as task.yml.

- name: Verify the json_query used to look up a mount's device
  hosts: localhost
  gather_facts: true   # ansible_mounts is populated by fact gathering
  tasks:
    - name: Select the device backing the / mount point
      set_fact:
        # json_query(query) selects .device; selecting .mount would only
        # echo "/" back, which is not what my_device should hold
        my_device: "{{ ansible_mounts | json_query(query) | first }}"
      vars:
        query: "[?mount=='/'].device"
    - debug:
        var: my_device

and ran it with ansible-playbook -c local task.yml
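The two technical points on this page, the "partition exists" applicability platform from the PR description and the ansible_mounts device lookup that the json_query snippet above verifies, are modelled below in one added Python example. This is not ComplianceAsCode's own code and not the OVAL or Ansible the PR generates: the /proc/mounts sample is constructed, and the function names (parse_proc_mounts, partition_exists, device_for, evaluate_mount_option_rule) are this example's own. It goes slightly beyond the page by also showing the outcome a mount-option rule should get for each of the three cases (partition absent, option present, option missing).

```python
"""Added example: a minimal model of the "partition exists" applicability
check and of the ansible_mounts device lookup.  Not ComplianceAsCode code."""

import re
from dataclasses import dataclass

# Constructed sample in /proc/mounts format; not captured from a real host.
# Note there is a /tmp mount but no /var/tmp mount.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot xfs rw,seclabel,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,seclabel,relatime,attr2,inode64 0 0
"""

# /proc/mounts encodes space, tab, newline and backslash as \NNN octal escapes.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


@dataclass(frozen=True)
class Mount:
    """One mount-table row, shaped like an ansible_mounts entry."""
    device: str
    mount: str
    fstype: str
    options: frozenset


def _unescape(field):
    """Decode the octal escapes the kernel uses in /proc/mounts fields."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Parse /proc/mounts (or /etc/mtab) text into Mount records."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed mount line: {line!r}")
        device, mount_point, fstype, opts = fields[:4]
        mounts.append(Mount(_unescape(device), _unescape(mount_point),
                            fstype, frozenset(opts.split(","))))
    return mounts


def partition_exists(mounts, path):
    """The platform check: True only when `path` itself is a mount point.
    The exact match is deliberate: a directory living on the / partition
    (or /tmp/cache living on a /tmp partition) is not itself a partition."""
    return any(m.mount == path for m in mounts)


def device_for(mounts, path):
    """Python equivalent of ansible_mounts | json_query("[?mount=='/'].device") | first.
    Returns None where Ansible's `first` would raise on an empty list."""
    devices = [m.device for m in mounts if m.mount == path]
    return devices[0] if devices else None


def evaluate_mount_option_rule(mounts, path, required_option):
    """Applicability semantics from the PR rationale: a mount-option rule for a
    path that is not a separate partition is notapplicable, not a failure;
    pass/fail is decided only when the partition exists."""
    if not partition_exists(mounts, path):
        return "notapplicable"
    mount = next(m for m in mounts if m.mount == path)
    return "pass" if required_option in mount.options else "fail"


def main():
    mounts = parse_proc_mounts(SAMPLE_PROC_MOUNTS)
    for path in ("/tmp", "/var/tmp"):
        for opt in ("nosuid", "nodev", "noexec"):
            print(f"{path:9} {opt:7} {evaluate_mount_option_rule(mounts, path, opt)}")
    print("device for /:", device_for(mounts, "/"))


if __name__ == "__main__":
    main()
```

Running it against the constructed sample gives pass for nosuid and nodev on /tmp, fail for noexec on /tmp, and notapplicable for every option on /var/tmp, which is the behaviour the PR's rationale asks for. The unescaping matters in practice: a mount point containing a space arrives from the kernel as `\040`, and a naive split-and-compare would never match it.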

yuumasato pushed a commit to yuumasato/scap-security-guide that referenced this pull request Aug 11, 2022
…ar_tmp

Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
Patch-status: Introduce and apply the "partition exists" platform