
Conversation

@cipherboy
Contributor

@cipherboy cipherboy commented Jun 30, 2021

Description:

This pull request adds initial Ubuntu 20.04 CIS profiles (at all four combinations of applicability) based on the existing profile mechanism. We use profile inheritance to minimize the size of profiles after CIS Level 1 server. This is based on work originally on pull request #6416 and supersedes it. Included are completed profiles minus rules not yet in upstream from our internal fork; those may be added at a later time.

Additionally, this pull request adds missing CIS references and Ubuntu prodtypes to rules used in these profiles so they could build. This is done using automated tooling previously upstreamed (or attempted to be, see the failed autorefer pull request in #6908). Note that sorting of references was not done, as that PR isn't yet merged (#6882) either.

Once this change set is merged, in the immediate future, other changes to existing rules will be upstreamed. Additionally, depending on how this goes, @dodys is working on a STIG profile, which we might want to upstream as well.

Note: At this point in time, the profiles themselves are completed, but testing of all rules &c for Ubuntu applicability/functionality is not yet done and obviously not all rule changes have yet been upstreamed (though, numerous changes have been made internally). If you'd like us to mark it documentation_complete: false as a result, let us know.

Rationale:

Maintaining prodtypes and references downstream, even with utilities to help, has resulted in significant merge conflicts. Contributing the profiles to the community and upstreaming the prodtypes/reference changes alone will help with that effort significantly.


    Co-Authored-By: Brian Turek <[email protected]>
    Co-Authored-By: Gabriel Becker <[email protected]>
    Co-Authored-By: Richard Maciel Costa <[email protected]>
    Signed-off-by: Alexander Scheel <[email protected]>

/cc @richardmaciel-canonical @dodys
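The two mechanisms the description relies on, profile inheritance via `extends` and rules needing a product in their `prodtype` plus a `cis@<product>` reference before they build for that product, as an added illustration that is not ComplianceAsCode's code and not part of this pull request. The profile and rule data are constructed stand-ins for `.profile` and `rule.yml` contents already loaded as dicts, with placeholder rule ids and CIS section numbers; the keys `extends`, `selections`, `prodtype` and `references`, the `!rule` unselection and the `var=value` selection forms follow the project's file format.

```python
"""Resolve profile inheritance and report rules a product could not build.

Added example, not ComplianceAsCode's own code. Data below is constructed:
rule ids and CIS numbers are placeholders, not the real Ubuntu 20.04 benchmark.
"""

PRODUCT = "ubuntu2004"

# Constructed .profile contents (name -> parsed fields). Level 2 server extends
# Level 1 server, so it only lists what it adds or removes.
PROFILES = {
    "cis_level1_server": {
        "title": "CIS Ubuntu 20.04 Level 1 Server Benchmark",
        "selections": [
            "partition_for_tmp",
            "package_rsync_removed",
            "sshd_set_idle_timeout",
            "var_sshd_idle_timeout_value=5_minutes",  # variable selection
        ],
    },
    "cis_level2_server": {
        "title": "CIS Ubuntu 20.04 Level 2 Server Benchmark",
        "extends": "cis_level1_server",
        "selections": [
            "partition_for_var",
            "!package_rsync_removed",  # '!' unselects an inherited rule
        ],
    },
}

# Constructed rule.yml contents (rule id -> the fields that matter for building).
RULES = {
    "partition_for_tmp": {
        "prodtype": "rhel8,ubuntu2004",
        "references": {"cis@ubuntu2004": "1.1.2"},
    },
    "partition_for_var": {
        "prodtype": "rhel8",  # ubuntu2004 missing: what autoprodtyper would add
        "references": {"cis@ubuntu2004": "1.1.10"},
    },
    "package_rsync_removed": {
        "prodtype": "rhel8,ubuntu2004",
        "references": {"cis@rhel8": "2.2.17"},  # no Ubuntu ref: autorefer case
    },
    "sshd_set_idle_timeout": {
        "prodtype": "all",
        "references": {"cis@ubuntu2004": "5.2.16"},
    },
}


def resolve_profile(name, profiles=PROFILES, _seen=()):
    """Return (selected rule ids, variable values) after walking `extends`."""
    if name in _seen:
        raise ValueError(f"profile inheritance cycle at {name}")
    profile = profiles[name]
    parent = profile.get("extends")
    if parent is None:
        rules, variables = set(), {}
    else:
        rules, variables = resolve_profile(parent, profiles, _seen + (name,))
    for item in profile.get("selections", []):
        if item.startswith("!"):
            rules.discard(item[1:])
        elif "=" in item:
            var, _, value = item.partition("=")
            variables[var] = value
        else:
            rules.add(item)
    return rules, variables


def check_buildable(profile_name, product=PRODUCT, profiles=PROFILES, rules=RULES):
    """List problems that would keep the profile from building for `product`."""
    problems = []
    selected, _ = resolve_profile(profile_name, profiles)
    for rule_id in sorted(selected):
        rule = rules.get(rule_id)
        if rule is None:
            problems.append(f"{rule_id}: rule does not exist")
            continue
        prodtypes = {p.strip() for p in rule["prodtype"].split(",")}
        if "all" not in prodtypes and product not in prodtypes:
            problems.append(f"{rule_id}: prodtype lacks {product}")
        if f"cis@{product}" not in rule.get("references", {}):
            problems.append(f"{rule_id}: no cis@{product} reference")
    return problems


if __name__ == "__main__":
    for name in PROFILES:
        print(name, sorted(resolve_profile(name)[0]))
        for problem in check_buildable(name):
            print("  ", problem)
```

Running it shows that Level 2 server inherits the Level 1 selections and variable, drops `package_rsync_removed`, and that each profile has exactly one rule that would not build for `ubuntu2004` until its prodtype or reference is fixed.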

@cipherboy added the labels "Ubuntu" (Ubuntu product related) and "New Rule" (Issues or pull requests related to new Rules) on Jun 30, 2021
@openshift-ci

openshift-ci bot commented Jun 30, 2021

@cipherboy: GitHub didn't allow me to request PR reviews from the following users: richardmaciel-canonical, dodys.

Note that only ComplianceAsCode members and repo collaborators can review this PR, and authors cannot review their own PRs.


@cipherboy force-pushed the initial-cis-profiles branch from 59d15f4 to dfb3b3b on June 30, 2021 18:47
@openshift-ci bot added the "needs-rebase" label (Used by openshift-ci bot) on Jun 30, 2021
@cipherboy force-pushed the initial-cis-profiles branch from dfb3b3b to 6d5ca5f on June 30, 2021 18:47
@openshift-ci bot removed the "needs-rebase" label (Used by openshift-ci bot) on Jun 30, 2021
@cipherboy requested review from jan-cerny, matejak and yuumasato and removed the request for matejak on July 1, 2021 11:34
- partition_for_tmp

### 1.1.3 Ensure nodev option set on /tmp partition (Automated)
# Needs rule
Contributor Author
Just as an FYI, these and others in this subsection are ones I was talking about w.r.t. _optional form; we can introduce them upstream in a future PR.

Member

@yuumasato yuumasato left a comment

Changes look good to me, but I haven't checked the Ubuntu CIS references.

@cipherboy I trust that somebody else has reviewed them for you.

cipherboy and others added 6 commits July 2, 2021 11:15
This takes inspiration from ComplianceAsCode#6416 and Canonical's present internal
branch; rules which don't yet exist in upstream were dropped from these
profiles. Over time more rules will be added and these will align better
with our internal profiles.

Co-Authored-By: Brian Turek <[email protected]>
Co-Authored-By: Gabriel Becker <[email protected]>
Co-Authored-By: Richard Maciel Costa <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
This is an automated commit. To regenerate, run:

    ./utils/rule_dir_json.py
    ./utils/autoprodtyper.py ubuntu2004 cis_level1_server

Signed-off-by: Alexander Scheel <[email protected]>
This is an automated commit. To regenerate, run:

    ./utils/rule_dir_json.py
    ./utils/autoprodtyper.py ubuntu2004 cis_level2_server

Signed-off-by: Alexander Scheel <[email protected]>
This is an automated commit. To regenerate, run:

    ./utils/rule_dir_json.py
    ./utils/autorefer.py ubuntu2004 cis_level1_server cis

Signed-off-by: Alexander Scheel <[email protected]>
This is an automated commit. To regenerate, run:

    ./utils/rule_dir_json.py
    ./utils/autorefer.py ubuntu2004 cis_level2_server cis

Signed-off-by: Alexander Scheel <[email protected]>
Co-Authored-By: Brian Turek <[email protected]>
Co-Authored-By: Gabriel Becker <[email protected]>
Co-Authored-By: Richard Maciel Costa <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy force-pushed the initial-cis-profiles branch from 6d5ca5f to 6058606 on July 2, 2021 15:18
@cipherboy
Contributor Author

Rebased to fix merge conflicts.

@yuumasato yuumasato added this to the 0.1.57 milestone Jul 5, 2021
@yuumasato yuumasato merged commit 76c1167 into ComplianceAsCode:master Jul 5, 2021
@cipherboy
Contributor Author

Thanks for the merge, @yuumasato :-)

@yuumasato added the "New Profile" label (Issues or pull requests related to new Profiles) on Jul 26, 2021