Introduce new remediation type Kickstart by jan-cerny · Pull Request #12144 · ComplianceAsCode/content

jan-cerny · 2024-07-10T14:50:31Z

Description:

This PR introduces new remediation type "kickstart". This new remediation type will be used by OpenSCAP to generate RHEL kickstarts from our built data streams. These kickstarts will be used for system installation. as a lightweight alternative to OSCAP Anaconda Addon. The URN of this type will be "urn:xccdf:fix:script:kickstart".

The ability to process this remediation type will be added to OpenSCAP in OpenSCAP/openscap#2136. The description of the language and format of the kickstart remediation type can be found in the OpenSCAP PR.

At this moment, the commands used in this PR are:

package install package_name - adds package_name to %packages section in the kickstart
package remove package_name - adds -package_name to %packages section in the kickstart
service enable service_name - adds service_name to list in the --enabled= option in the services command in commands section in the kickstart
service disable service_name - adds service_name to list in the --disabled= option in the services command in commands section in the kickstart
logvol path size - adds logvol entry to the commands section of the kickstart that will mount a partition of the given size in MB to the given path as a mount point
bootloader option or bootloader option=value - adds option or option=value to the list in the --append= option in the bootloader command in commands section in the kickstart

We expect to add support for more commands in OpenSCAP, eg. command to configure firewall or commands for adding custom %post sections in the kickstart.

This PR adds the new kickstart remediations for the most favorite templates (package_installed, package_removed, service_enabled, service_disabled, mount, grub2_bootloader_template). This way, we will cover most of the rules that need to be configured during the system installation.

For more details, please read commit messages of every commit.

Rationale:

This change will enable us to add special remediation content to our rules, needed for enabling and testing the kickstart generator feature of OpenSCAP.

Review Hints:

Work together with OpenSCAP feature.

openshift-ci · 2024-07-10T14:50:36Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions · 2024-07-10T14:51:59Z

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

github-actions · 2024-07-10T14:54:24Z

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -1,4 +1,4 @@
 
 [[customizations.filesystem]]
 mountpoint = "/var/log"
-size = 5368709120
+size = 1073741824

New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gdm_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_binutils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rear_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tar_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vim_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-city_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-country_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iprutils_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pigz_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tmux_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_logrotate_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_syslogng_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_syslogng_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libreswan_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables-services_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables-services_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nftables_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ufw_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_mcstrans_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_avahi-autoipd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_avahi_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_psacct_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_abrt_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_psacct_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_abrtd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_acpid_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_certmonger_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cockpit_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cpupower_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_kdump_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_netconsole_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpdate_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_oddjobd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_portreserve_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_qpidd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_quota_nld_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rdisc_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhnsd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_saslauthd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sysstat_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cron_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nis_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ntpdate_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dhcp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_bind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_named_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ftp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_vsftpd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_httpd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_httpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nginx_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_dovecot_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_389-ds-base_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_slapd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_mailx_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_postfix_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sendmail_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_postfix_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_nfs-utils_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_netfs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfslock_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfs_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_chrony_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ntp_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntp_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsync_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_xinetd_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ypbind_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_ypserv_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypbind_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_rsh_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rexec_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rlogin_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsh_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_talk-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_talk_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_telnet_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_telnet_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_tftp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cups_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_cups_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_squid_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_squid_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_freeradius_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_rngd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_quagga_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_zebra_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_samba-common_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_samba_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_smb_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_disabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd-ipa_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_sssd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
New data stream adds kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument'.

comps · 2024-07-10T15:07:30Z

github-actions · 2024-07-10T15:10:12Z

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12144
This image was built from commit: 13c8a39

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12144

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12144 make deploy-local

evgenyz · 2024-07-17T08:09:48Z

Any reason it is still in draft state? It looks like a good boostrap for Kickstart remediations.

jan-cerny · 2024-07-18T14:54:34Z

Any reason it is still in draft state? It looks like a good boostrap for Kickstart remediations.

@evgenyz We are waiting for content authors working on profiles to provide early feedback.

This will enable us to add special remediation content to our rules. It will be used by OpenSCAP to generate RHEL kickstarts from our built data streams. These kickstarts will be used as a lightweight alternative to OSCAP Anaconda Addon.

This commit will add a Kickstart remediation for these templates: - package_installed - package_removed - service_enabled - service_disabled

evgenyz · 2024-07-22T07:32:48Z

Any reason it is still in draft state? It looks like a good boostrap for Kickstart remediations.

@evgenyz We are waiting for content authors working on profiles to provide early feedback.

I've added @ComplianceAsCode/red-hatters as a reviewer. If you want specific opinion to move forward, please tag these people. Otherwise it is unclear when we will be able to proceed.

In rule partition_for_boot the kickstart remediation conflicts with `bootprot --kickstart` command which we use in the generated kickstart by default. This causes problems in some profiles for example RHEL 8 ANSSI where this conflict breaks the installation. We can disable this remediation for this rule because the creation of the partition is handled by the `bootprot --kickstart` command.

jan-cerny · 2024-07-29T07:52:03Z

I have disable Kickstart remediation in partition_for_boot.

qlty-cloud-legacy · 2024-07-29T08:34:47Z

Code Climate has analyzed commit 13c8a39 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 50.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

jan-cerny added the Highlight This PR/Issue should make it to the featured changelog. label Jul 10, 2024

openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 10, 2024

jan-cerny mentioned this pull request Jul 11, 2024

Introduce ability to generate kickstarts OpenSCAP/openscap#2136

Merged

jan-cerny added 7 commits July 19, 2024 10:10

Introduce new remediation type: Kickstart

008e162

This will enable us to add special remediation content to our rules. It will be used by OpenSCAP to generate RHEL kickstarts from our built data streams. These kickstarts will be used as a lightweight alternative to OSCAP Anaconda Addon.

Add Kickstart remediation for templated rules

b7e8463

This commit will add a Kickstart remediation for these templates: - package_installed - package_removed - service_enabled - service_disabled

Add Kickstart remediation to 'mount' template

931fc63

Add newline

2f8d4c9

Simplify the mount kickstart template

7bb2d08

Add Kickstart remediation to 'grub2_bootloader_argument' template

49261d6

Resolve Code Climate problems

a518d1d

jan-cerny force-pushed the kickstarts branch from 5635b81 to a518d1d Compare July 19, 2024 08:17

evgenyz requested review from a team and evgenyz July 22, 2024 07:30

evgenyz self-assigned this Jul 22, 2024

jan-cerny marked this pull request as ready for review July 26, 2024 07:57

openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 26, 2024

jan-cerny added this to the 0.1.74 milestone Jul 26, 2024

evgenyz approved these changes Jul 26, 2024

View reviewed changes

evgenyz added the Kickstart Kickstart file updates. label Jul 29, 2024

evgenyz merged commit fa363ef into ComplianceAsCode:master Jul 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Introduce new remediation type Kickstart#12144

Introduce new remediation type Kickstart#12144
evgenyz merged 8 commits into
ComplianceAsCode:masterfrom
jan-cerny:kickstarts

jan-cerny commented Jul 10, 2024 •

edited

Loading

Uh oh!

openshift-ci Bot commented Jul 10, 2024

Uh oh!

github-actions Bot commented Jul 10, 2024

Uh oh!

github-actions Bot commented Jul 10, 2024 •

edited

Loading

Uh oh!

comps commented Jul 10, 2024 •

edited

Loading

Uh oh!

github-actions Bot commented Jul 10, 2024 •

edited

Loading

Uh oh!

evgenyz commented Jul 17, 2024

Uh oh!

jan-cerny commented Jul 18, 2024

Uh oh!

evgenyz commented Jul 22, 2024 •

edited

Loading

Uh oh!

jan-cerny commented Jul 29, 2024

Uh oh!

qlty-cloud-legacy Bot commented Jul 29, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jan-cerny commented Jul 10, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description:

Rationale:

Review Hints:

Uh oh!

openshift-ci Bot commented Jul 10, 2024

Uh oh!

github-actions Bot commented Jul 10, 2024

Uh oh!

github-actions Bot commented Jul 10, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

comps commented Jul 10, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Jul 10, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

evgenyz commented Jul 17, 2024

Uh oh!

jan-cerny commented Jul 18, 2024

Uh oh!

evgenyz commented Jul 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jan-cerny commented Jul 29, 2024

Uh oh!

qlty-cloud-legacy Bot commented Jul 29, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jan-cerny commented Jul 10, 2024 •

edited

Loading

github-actions Bot commented Jul 10, 2024 •

edited

Loading

comps commented Jul 10, 2024 •

edited

Loading

github-actions Bot commented Jul 10, 2024 •

edited

Loading

evgenyz commented Jul 22, 2024 •

edited

Loading