Hello everybody,
how do you get confidence that your rule works as expected? Only
performing extensive and thorough code reviews? Or by compiling the
content, modifying your system, and finally executing oscap, hoping that
the results will match expectations? Or maybe by using your custom-built
test suite that you have to maintain?
If that's the case, then stop right there! The ComplianceAsCode project
has contained tests and test scenarios for a long time, but our effort to
make those approachable has just reached a significant milestone. If you
use an OS with working podman>3.0 (or at least podman<2.2), you can run
and review pretty much any rule test 5 minutes from now if you know what
to do. And if you don't, you just need to read the fresh blog post,
which, being a 5-minute read, enables anybody with no prior knowledge
to run and review their first rule test run in no more than 10 minutes.
Check it out:
https://complianceascode.github.io/template/2021/03/25/tests_howto.html
Obviously, you can test like no tomorrow even without podman, and there
may be glitches, so those five minutes may protract a little bit. In any
case, let us know about your experience either here on the mailing list,
or in the discussion below the blog post. More people in the team
participate in efforts to make tests more approachable, and we are
interested in any kind of feedback - especially if you would like to
know more about testing.
Looking forward to hearing from you!
Hello all,
I would like to introduce a planned improvement within the area of
applicability of rules / groups / profiles for specific platforms. I
would like to ask you to provide feedback, especially with regards to
content authoring experience.
Currently, you can use the "platform:" keyword to mark a part of SSG
content as applicable to a given platform. This can be done in the scope
of a profile, group or rule.
Notice that these three scopes are listed in the specific order, as they
go in hierarchy from profile (highest level) to rule (lowest level).
Currently, platforms propagate through this hierarchy. So if you specify
that some profile is applicable only to "machine" platform, all rules
within this profile will be applicable only to the "machine" platform.
The same is true for groups; all rules within a group will inherit a
platform specified for the group.
These platforms are connected with an implicit AND. Please note that
currently you can specify only ONE platform per profile / group / rule.
But what if you want to make a rule applicable to a combination of
platforms? For example, there is a rule for ntpd OR chrony:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/serv…
This is currently not possible.
Or what if you want to make a rule applicable to a conjunction of
platforms, e.g. a rule should be applied if Grub2 is installed and UEFI
is used.
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/syst…
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/syst…
This is currently possible, but it involves creating groups and abusing
the fact that group applicability is connected by AND with rule
applicability (XCCDF specification).
We would like to change this and make applicability more flexible.
Changes are planned for profile, group and rule definitions.
The first change should allow defining multiple independent platforms.
A new keyword "platforms" will be added. It will expect a list of
platforms. All platforms in the list will be connected with "OR". For
example, for the rule about ntpd and chrony, you could specify:
```
platforms:
- ntp
- chrony
```
The change is backward compatible; it is still possible to specify a
single platform through
```
platform: platform_name
```
This change is already being implemented here:
https://github.com/ComplianceAsCode/content/pull/6661
We chose this approach because it is easy to implement. The XCCDF
specification already allows specifying multiple platforms per
group/profile/rule, and they are implicitly connected with OR.
The next step will be implementing support for the specification of
multiple combined platforms (joining platforms with AND).
The specification would utilize the previous syntax but additionally it
could include a special character, e.g. &.
To specify applicability only for cases when Grub2 and UEFI are present
at the same time, it could be:
```
platforms:
- grub2 & uefi
```
To specify a platform for the Zipl or Grub2 bootloader but only if UEFI
is used, it could be:
```
platforms:
- zipl & uefi
- grub2 & uefi
```
This change would start using the CPE applicability language to define
new platforms which would be created at build time.
What do you think about this initiative? Awaiting your feedback.
Best regards,
Vojtech Polasek
Software engineer, security compliance
Red Hat <https://www.redhat.com>
vpolasek@redhat.com
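To make the proposed semantics concrete, here is an added example (my own illustration, not code from the ComplianceAsCode project): it takes a profile/group/rule definition as the dict a YAML loader would produce, treats `platforms` list items as OR, `&` inside an item as AND, still accepts the legacy single `platform:` key, and applies the implicit AND across the profile -> group -> rule hierarchy. The "present platforms" set stands in for the CPE checks that would run on a real system and is constructed for the example.

```python
from typing import Dict, List, Set

Clause = List[str]          # platform names joined by AND
Definition = Dict[str, object]


def parse_platforms(definition: Definition) -> List[Clause]:
    """Turn a profile/group/rule definition into OR-of-AND clauses.

    'platforms: [a, b & c]' -> [['a'], ['b', 'c']]: list items are joined
    with OR, '&' inside an item with AND. The legacy 'platform: name' form
    becomes a single one-term clause. Rejecting both keys at once is this
    example's own assumption; the proposal does not say what happens then.
    """
    if "platform" in definition and "platforms" in definition:
        raise ValueError("use either 'platform' or 'platforms', not both")
    if "platform" in definition:
        entries = [str(definition["platform"])]
    else:
        entries = [str(e) for e in definition.get("platforms", [])]
    clauses: List[Clause] = []
    for entry in entries:
        terms = [t.strip() for t in entry.split("&")]
        if not all(terms):  # catches "grub2 &", "& uefi" and empty items
            raise ValueError(f"malformed platform entry: {entry!r}")
        clauses.append(terms)
    return clauses


def is_applicable(definition: Definition, present: Set[str]) -> bool:
    """True if the definition applies to a system offering 'present' platforms.

    No platform restriction means the content applies everywhere, which is
    how unrestricted profiles, groups and rules behave today.
    """
    clauses = parse_platforms(definition)
    if not clauses:
        return True
    return any(all(term in present for term in clause) for clause in clauses)


def hierarchy_applicable(present: Set[str], *levels: Definition) -> bool:
    """Profile, group and rule applicability are connected with an implicit
    AND (XCCDF), so a rule is applied only when every enclosing level matches."""
    return all(is_applicable(level, present) for level in levels)


# Constructed sample: the ntpd-or-chrony rule inside a "machine"-only profile.
PROFILE = {"platform": "machine"}
NTP_RULE = {"platforms": ["ntp", "chrony"]}
BOOTLOADER_RULE = {"platforms": ["zipl & uefi", "grub2 & uefi"]}
```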
Hello all,
*Release of Content version 0.1.55 is scheduled for March 19th*, so I've
created a stabilization branch for it.
Now is a good time to hunt for bugs and propose fixes for them. Starting
today, merged Pull Requests should be assigned to milestone v0.1.56.
Bug fixes should be proposed to master and labeled "bugfix"; they will
be cherry-picked to the stabilization branch.
The next release 0.1.56 will happen on May 21st. Stabilization phase
will start on May 10th.
Best regards,
--
Vojtech Polasek
Software engineer, security compliance
Red Hat <https://www.redhat.com>
vpolasek@redhat.com