Additional work on the almalinux9 product #12883
Hi @sej7278. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Any idea how to fix this? I think we saw it in the initial new product PR too. One of the RHEL profiles has a test for suse gpgkeys which seems odd, but it doesn't fail for suse, but does for almalinux: https://github.com/ComplianceAsCode/content/actions/runs/12917258491/job/36023245261#step:8:370 The ctests pass locally so I'm not sure how to reproduce. When I'm back behind a computer I'll dig out the profile and maybe remove the almalinux gpgkey reference, but not sure how to retest without committing it to this PR. This was the previous discussion of the issue:
Some bizarre failing tests: not sure why RHEL8 can't install chrony or audit. I can understand why Debian 12 can't install audit, but this should cover that, surely?: blob/master/linux_os/guide/auditing/package_audit_installed/rule.yml#L50
Hopefully I can provide some clarity. We are using the UBI container images which have a limited package set. This is expected.
You are correct, it appears that on Debian there is no "audit" package. That should be fixed in a separate PR. Also, a time-out. OpenSCAP has a bug where it sometimes deadlocks during a scan. Unfortunately, I have found this bug very hard to reproduce on demand. See last item.
Thanks @Mab879, I tried to find why the package name switch from audit to auditd wasn't working for Debian but I haven't figured it out yet. Ubuntu has the same logic but isn't failing tests. I did wonder if UBI8 was too minimal to support auditd and chrony. I've heard about OpenSCAP timeouts from some folks at work, I'll ask them if they can reliably reproduce the issue. I know they mentioned loops in CVE OVAL data triggering it on low spec machines, e.g. 1 vCPU and 2 GB RAM.
I noticed the ol9 (and rhel9 as mentioned on #12810) ssg-ol9-guide-anssi_bp28_minimal.html fails linkchecker. The failing link is: https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx It seems to be on the wayback machine: https://web.archive.org/web/20240730052711/https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx
I'm working on fixing that. PR should be up shortly.
Code Climate has analyzed commit 945e22d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
LGTM. I suppose that ANSSI profiles for Alma Linux will be submitted in a separate PR.
@ComplianceAsCode/suse-maintainers PTAL, the changes are only to explicitly exclude rule ensure_almalinux_gpgkey_installed from SUSE profiles, so hopefully will be easy to review.
Description:
More content for the almalinux9 product.
Added multi_platform_almalinux to various tests and remediation scripts where applicable - didn't just blindly use sed, hence why it's taking a while!
I've still got about 300 files in linux_os/guide/ to go through before I even start working on the STIG or other profiles like ANSSI.
Verified and added the pkg_release and pkg_version.