Add Hummingbird product support #14605
Draft
jan-cerny wants to merge 5 commits into ComplianceAsCode:master from
Conversation
Introduce the new "hummingbird" product with product.yml, CMakeLists, build script entry, constants, OVAL platform check, and CIS/STIG profile skeletons. This commit adds compliance content for scanning Red Hat's Hummingbird container images and containers. Hummingbird images are based on their own special Linux distribution, also called Hummingbird, which is neither a RHEL derivative nor a Fedora variant. See https://hummingbird-project.io/.
Add control files mapping CIS and STIG requirements to rules for the hummingbird product. The profiles are derived from RHEL 10 profiles, but rules that aren't applicable to containers aren't selected.
Update rule descriptions, OCIL, and Jinja2 macros to handle hummingbird as a container-based product: adjust library dir descriptions, crypto policy text, GPG key instructions, package install/remove macros, and file permission/ownership macros.
Exclude the distroless default user (UID 65532) from home directory checks for hummingbird, since distroless images have no /home directory and this user's home is set to /tmp.
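As an added example (not code from the ComplianceAsCode project or from this PR), the following Python script shows the shape of the home-directory check that the last commit message refers to: interactive accounts must have a home directory that exists, is owned by the user and is not group- or world-writable, and the distroless default user (UID 65532, home /tmp) is exempted only when the product is hummingbird. The passwd lines and the directory modes and owners are constructed inline; the product names, the UID_MIN of 1000 and the check logic itself are assumptions for illustration, not the project's OVAL.

```python
"""Home-directory ownership and mode check with a distroless exemption.

Added example, not ComplianceAsCode code. The passwd content and the
filesystem view below are constructed for the demo so it runs offline.
"""
from dataclasses import dataclass

# UID of the distroless default user named in the commit message; its home
# is /tmp, which is root-owned and world-writable, so without an exemption it
# would fail any home-directory ownership or mode check.
DISTROLESS_UID = 65532

# Assumption: interactive accounts start at UID 1000 (login.defs UID_MIN).
UID_MIN = 1000


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse /etc/passwd-style text into PasswdEntry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def is_exempt(entry, product):
    """Product-specific exemption: only hummingbird images carry the
    distroless default user whose home is /tmp (product ids are assumed to
    follow the ComplianceAsCode naming, e.g. "hummingbird", "rhel10")."""
    return product == "hummingbird" and entry.uid == DISTROLESS_UID


def check_home_dirs(entries, fs, product, uid_min=UID_MIN):
    """Return {user: [problems]} for interactive accounts whose home directory
    is missing, not owned by the user, or group-/world-writable.

    `fs` maps a path to (mode, owner_uid) and stands in for os.stat() so the
    check can run against constructed data.
    """
    findings = {}
    for e in entries:
        if e.uid < uid_min or is_exempt(e, product):
            continue
        problems = []
        stat = fs.get(e.home)
        if stat is None:
            problems.append("missing")
        else:
            mode, owner = stat
            if owner != e.uid:
                problems.append("not owned by user")
            if mode & 0o022:  # group or world write bit set
                problems.append("group- or world-writable")
        if problems:
            findings[e.name] = problems
    return findings


# Constructed sample data (not taken from any real image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nonroot:x:65532:65532:nonroot:/tmp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

SAMPLE_FS = {
    "/root": (0o700, 0),
    "/tmp": (0o1777, 0),         # sticky, world-writable, root-owned
    "/home/alice": (0o700, 1000),
    "/home/bob": (0o775, 1001),  # group-writable on purpose
    # /home/carol deliberately absent
}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for product in ("hummingbird", "rhel10"):
        print(product, check_home_dirs(entries, SAMPLE_FS, product))
```

Running it shows why the exemption is product-scoped: for "rhel10" the same passwd line for UID 65532 is reported (home /tmp is root-owned and world-writable), while for "hummingbird" only the genuinely misconfigured accounts remain.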
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -3,6 +3,7 @@
extend_definition oval:ssg-installed_OS_is_rhel8:def:1
extend_definition oval:ssg-installed_OS_is_rhel9:def:1
extend_definition oval:ssg-installed_OS_is_rhel10:def:1
+extend_definition oval:ssg-installed_OS_is_hummingbird:def:1
extend_definition oval:ssg-installed_OS_is_ol7:def:1
extend_definition oval:ssg-installed_OS_is_ol8:def:1
extend_definition oval:ssg-installed_OS_is_ol9:def:1
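Review bot: the new extend_definition oval:ssg-installed_OS_is_hummingbird:def:1 makes the vendor-support check pass on Hummingbird, so the referenced definition must not also be satisfied by RHEL or Fedora hosts; the PR description states Hummingbird is neither a RHEL derivative nor a Fedora variant, so the check should key on a Hummingbird-specific marker rather than on identification fields shared with those products. Also confirm the definition is built into every product datastream that extends this one, otherwise the reference dangles.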
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -1,2 +1,8 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q dnf5; then
sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
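Review bot: the guard `if rpm --quiet -q dnf5; then` keys on the literal package name dnf5 while the rule's platform is expressed as package_dnf; confirm that both resolve to the same package on this product, so the applicability check and the remediation guard cannot disagree (rule applicable, remediation silently skipped, or the reverse). The empty `+` line between the sed and `else` looks like a stray blank from the template.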
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -1,3 +1,28 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.10.4.1
+ - NIST-800-171-3.4.8
+ - NIST-800-53-CM-11(a)
+ - NIST-800-53-CM-11(b)
+ - NIST-800-53-CM-5(3)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SA-12
+ - NIST-800-53-SA-12(10)
+ - NIST-800-53-SC-12
+ - NIST-800-53-SC-12(3)
+ - NIST-800-53-SI-7
+ - PCI-DSS-Req-6.2
+ - PCI-DSSv4-6.3
+ - PCI-DSSv4-6.3.3
+ - enable_strategy
+ - ensure_gpgcheck_never_disabled
+ - high_severity
+ - low_complexity
+ - medium_disruption
+ - no_reboot_needed
+
- name: Grep for dnf repo section names
ansible.builtin.shell: |
set -o pipefail
@@ -5,6 +30,7 @@
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
+ when: '"dnf5" in ansible_facts.packages'
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
@@ -36,7 +62,9 @@
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' )
if repo_grep_results is not skipped else [] }}'
- when: repo_grep_results is not skipped
+ when:
+ - '"dnf5" in ansible_facts.packages'
+ - repo_grep_results is not skipped
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -1 +1 @@
-
+oval:ssg-package_dnf:def:1
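Review bot: before this change the rule had no platform and was evaluated everywhere; now it is notapplicable wherever oval:ssg-package_dnf:def:1 fails. Confirm that is intended for every product sharing this rule, and decide whether an image that carries repo files under /etc/yum.repos.d but no dnf package (a distroless image with leftover repo configuration) should really be reported notapplicable rather than checked, since gpgcheck=0 in such a file would go unreported.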
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2, run the command:
$ sudo chgrp root /boot/grub2
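Review bot: only a blank line is removed here, and the same whitespace-only change repeats across the following file_owner, file_groupowner and file_permissions hunks; it appears to be a side effect of the macro edits named in the commit message ("file permission/ownership macros"), so confirm nothing else in those macros changed and mention in the commit message that generated descriptions lose the separating blank line.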
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_owner_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_owner_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
be owned by the root user to prevent
destruction or modification of the file.
-
To properly set the owner of /boot/grub2, run the command:
$ sudo chown root /boot/grub2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
have mode 0600 to prevent
destruction or modification of the file.
-
To properly set the permissions of /boot/grub2, run the command:
$ sudo chmod 0600 /boot/grub2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be group-owned by the root
group to prevent reading or modification of the file.
-
To properly set the group owner of /boot/grub2/user.cfg, run the command:
$ sudo chgrp root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
-
To properly set the owner of /boot/grub2/user.cfg, run the command:
$ sudo chown root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/grub.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/user.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/user.cfg, run the command:
$ sudo chmod 600 /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be group-owned by the
root group to prevent reading or modification of the file.
-
To properly set the group owner of /boot/grub2/user.cfg, run the command:
$ sudo chgrp root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
-
To properly set the owner of /boot/grub2/user.cfg, run the command:
$ sudo chown root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/grub.cfg should be set to 700.
-
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 700 /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/user.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/user.cfg, run the command:
$ sudo chmod 600 /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -6,7 +6,6 @@
The System.map files are symbol map files generated during the compilation of the Linux
kernel. They contain the mapping between kernel symbols and their corresponding memory
addresses. In general, there is no need for non-root users to read these files.
-
To properly set the permissions of /boot/System.map*, run the command:
$ sudo chmod 0600 /boot/System.map*
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-group-owned by the root user. If the directories, is found to be owned
-by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be group-owned by the root group.
+
+If the directories are found to be owned by a group other than root correct
+its ownership with the following command:
$ sudo chgrp root DIR
[reference]:
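Review bot: in the new sentence "If the directories are found to be owned by a group other than root correct its ownership", "its" does not agree with "directories"; suggest "correct their ownership" and a comma after "root". The correction of "group-owned by the root user" to "the root group" in the sentence above it is welcome.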
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-owned by the root user. If the directories, is found to be owned
-by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be owned by the root user.
+
+If the directories are found to be owned by a user other than root correct
+its ownership with the following command:
$ sudo chown root DIR
[reference]:
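Review bot: same agreement issue as in the group-ownership rule: "If the directories are found to be owned by a user other than root correct its ownership" should read "correct their ownership", with a comma after "root".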
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
@@ -11,10 +11,13 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are
-stored in /lib/modules. All sub-directories in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
+stored in /lib/modules.
+
+All sub-directories in these directories should not be group-writable or world-writable.
+
+If any file in these directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
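Review bot: the requirement sentence now says "All sub-directories in these directories should not be group-writable or world-writable", but the remediation sentence still says "If any file in these directories is found to be group-writable"; for a directory-permissions rule whose command targets DIR, suggest "If any sub-directory ..." so the two sentences describe the same objects.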
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-owned by the root user. If the directory, or any file in these
-directories, is found to be owned by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be owned by the root user.
+
+If the directory, or any file in these directories, is found to be owned
+by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs'.
--- xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are
-stored in /lib/modules. All files in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
-its permission with the following command:
+stored in /lib/modules.
+
+All files in these directories should not be group-writable or world-writable.
+
+If any file in these directories is found to be group-writable
+or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/at.allow exists, it must be group-owned by root.
-
To properly set the group owner of /etc/at.allow, run the command:
$ sudo chgrp root /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/cron.allow exists, it must be group-owned by root.
-
To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_owner_at_allow
+++ xccdf_org.ssgproject.content_rule_file_owner_at_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/at.allow exists, it must be owned by root.
-
To properly set the owner of /etc/at.allow, run the command:
$ sudo chown root /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_owner_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_owner_cron_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/cron.allow exists, it must be owned by root.
-
To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_at_allow
+++ xccdf_org.ssgproject.content_rule_file_permissions_at_allow
@@ -5,7 +5,6 @@
[description]:
If /etc/at.allow exists, it must have permissions 0640
or more restrictive.
-
To properly set the permissions of /etc/at.allow, run the command:
$ sudo chmod 0640 /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_permissions_cron_allow
@@ -5,7 +5,6 @@
[description]:
If /etc/cron.allow exists, it must have permissions 0640
or more restrictive.
-
To properly set the permissions of /etc/cron.allow, run the command:
$ sudo chmod 0640 /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
@@ -6,7 +6,6 @@
All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in /etc/audit/auditd.conf
or, by default, the path for audit log is /var/log/audit/.
-
To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs.
--- ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the group owner of /etc/audit/, run the command:
$ sudo chgrp root /etc/audit/
-
To properly set the group owner of /etc/audit/rules.d/, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -4,12 +4,10 @@
[description]:
All audit configuration files must be owned by root user.
-
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/
-
To properly set the owner of /etc/audit/rules.d/, run the command:
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/
-
To properly set the owner of /etc/audit/rules.d/, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
@@ -4,12 +4,10 @@
[description]:
All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/.
-
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
-
To properly set the owner of /var/log/audit/*, run the command:
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit' differs.
--- ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
-
To properly set the owner of /var/log/audit/*, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
@@ -6,7 +6,6 @@
All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.conf
or by default, the path for audit log is /var/log/audit/.
-
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration' differs.
--- ocil:ssg-file_permissions_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_audit_configuration_ocil:questionnaire:1
@@ -1,7 +1,5 @@
-
To properly set the permissions of /etc/audit/, run the command:
$ sudo chmod 0640 /etc/audit/
-
To properly set the permissions of /etc/audit/rules.d/, run the command:
$ sudo chmod 0640 /etc/audit/rules.d/
Is it the case that ?
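Review bot: only blank lines change here, but the context lines show `chmod 0640` applied to the directories /etc/audit/ and /etc/audit/rules.d/; a directory without the execute bit cannot be traversed by its group, so check whether the OCIL text should target the files under those directories rather than the directories themselves. The trailing question "Is it the case that ?" also renders with an empty placeholder and should carry the generated condition text.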
Description:
This PR adds compliance content for scanning Red Hat's Hummingbird container images and containers.
Hummingbird container images are minimal, distro-less container images. They are hardened and aim for zero CVEs. Hummingbird images are based on their own special Linux distribution, also called Hummingbird, which is neither a RHEL derivative nor a Fedora variant. See https://hummingbird-project.io/.
The PR adds control files mapping CIS and STIG requirements to rules for the hummingbird product. The CIS and STIG profiles are derived from RHEL 10 profiles, but rules that aren't applicable to containers aren't selected.
Selected rules are updated to better describe Hummingbird container images.
For more details please read the commit messages of each commit.
Rationale:
This way ComplianceAsCode will have a specialized selection of rules, profiles and applicability checks, tailored to Hummingbird. Having a specialized product folder allows us to refine rule descriptions and rationales and tailor the texts to give more specialized advice focused on container images, and remove misleading text from HTML guides and reports. (For example, we shouldn't confuse readers of the reports by having texts there about kernel and dnf.)
Review Hints:
- build the Hummingbird product using
    ./build_product hummingbird
- scan the latest variant of some Hummingbird container images with the CIS profile, for example quay.io/hummingbird-hatchling/nginx:latest, quay.io/hummingbird-hatchling/openjdk:latest or any other image you like:
    podman pull quay.io/hummingbird-hatchling/nginx:latest
    podman unshare
    oscap-podman quay.io/hummingbird-hatchling/nginx:latest xccdf eval --profile cis --results-arf /tmp/arf.xml --report /tmp/report.html /home/jcerny/work/git/scap-security-guide/build/ssg-hummingbird-ds.xml
- in a similar way, scan the FIPS images with the STIG profile - they end with :latest-fips, for example: quay.io/hummingbird-hatchling/nginx:latest-fips
- review the HTML reports from the scan