ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/
Other
2.22k stars 698 forks source link

Change rule platforms - Part 3: Individual rules in the "services" group #12507

Closed jan-cerny closed 1 month ago

jan-cerny commented 1 month ago

Many rules currently marked with the machine platform should be applicable also to bootable containers. The reason is that often these rules check configuration that should be applied if the bootable container is deployed and booted on a real system. The applicability of these rules needs to be extended by marking them with the system_with_kernel platform instead.

We change the platforms carefully, we don't perform a blind mass platform replacement because not every rule that is currently marked as machine should be applicable to bootable containers, for example partition rules should be evaluated as "not applicable" when scanning a bootable container.

For more details, please read commit messages of all commits.

Review hints

For normal (non-bootable) containers, run a scan and verify that the rules affected by this change are still evaluated as notapplicable as they were before this change. For example: sudo oscap-podman centos:stream9 xccdf eval --profile stig --report /tmp/report.html build/ssg-cs9-ds.xml

github-actions[bot] commented 1 month ago

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

codeclimate[bot] commented 1 month ago

Code Climate has analyzed commit 26aa2c96 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.0% (0.0% change).

View more on Code Climate.