Mab879
Member

@Mab879 Mab879 commented Sep 23, 2025

Description:

Move ISM O references to the control file

Rationale:

Fixes #12423
Fixes #12427
Fixes #12430

@Mab879 Mab879 added this to the 0.1.79 milestone Sep 23, 2025
@Mab879 Mab879 added the labels RHEL (Red Hat Enterprise Linux product related.) and Update Profile (Issues or pull requests related to Profiles updates.) Sep 23, 2025
@Mab879
Member Author

Mab879 commented Sep 23, 2025

/retest-required

@jan-cerny jan-cerny self-assigned this Sep 24, 2025
@jan-cerny
Collaborator

/packit build

Collaborator

@jan-cerny jan-cerny left a comment

I can find some rules in the built datastream that still don't have the ISM_O reference but are part of the ISM_O profile. For example, in the RHEL 8 data stream, rules accounts_password_all_shadowed, usbguard_allow_hid_and_hub and sshd_allow_only_protocol2 don't have the ISM_O reference. These are rules that aren't selected in the control file but are added in the profile file for the RHEL 8 ISM profile. We have seen this problem before. We solved it by adding the rules to control files instead of profile files. Then we added a deselection of the rules in profile files of products where these rules shouldn't be present. Please resolve missing references in these rules and verify that a similar situation doesn't happen also in other products.

The CI fails can be caused by recent changes in our fmf files. Try to rebase the PR on the top of the latest upstream master branch.
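
The check described in the review above, as an added example (not code from this PR or from the ComplianceAsCode project): list the rules a profile selects that carry no reference whose `href` contains a given marker. It assumes a built XCCDF 1.2 data stream in which the profile is already resolved into `select` elements; the sample XML, the `href` values, the reference values and the `sample_*` rule names are constructed.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
RULE = "xccdf_org.ssgproject.content_rule_"
PROFILE = "xccdf_org.ssgproject.content_profile_ism_o"

# Constructed sample, not a real data stream. Only sshd_allow_only_protocol2
# is a rule name from the thread; hrefs and reference values are placeholders.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample">
  <Profile id="{PROFILE}">
    <select idref="{RULE}sshd_allow_only_protocol2" selected="true"/>
    <select idref="{RULE}sample_with_reference" selected="true"/>
    <select idref="{RULE}sample_deselected" selected="false"/>
  </Profile>
  <Group id="sample_group">
    <Rule id="{RULE}sshd_allow_only_protocol2">
      <reference href="https://example.invalid/other">X-1</reference>
    </Rule>
    <Rule id="{RULE}sample_with_reference">
      <reference href="https://example.invalid/ism">0000</reference>
    </Rule>
    <Rule id="{RULE}sample_deselected"/>
  </Group>
</Benchmark>"""


def rules_missing_reference(xml_text, profile_id, href_marker):
    """Return selected rules of profile_id lacking a reference href with href_marker."""
    root = ET.fromstring(xml_text)
    # root.iter() also finds the Benchmark nested inside a data stream collection.
    profile = next((p for p in root.iter(XCCDF + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError(f"profile {profile_id} not found")
    # Deselected rules (selected="false") are not part of the profile.
    selected = {s.get("idref") for s in profile.findall(XCCDF + "select")
                if s.get("selected") in ("true", "1")}
    missing = []
    for rule in root.iter(XCCDF + "Rule"):
        if rule.get("id") not in selected:
            continue
        hrefs = [r.get("href", "") for r in rule.findall(XCCDF + "reference")]
        if not any(href_marker in h for h in hrefs):
            missing.append(rule.get("id"))
    return sorted(missing)


if __name__ == "__main__":
    for rule_id in rules_missing_reference(SAMPLE, PROFILE, "example.invalid/ism"):
        print("missing ISM reference:", rule_id)
```

Against a real build, pass the data stream's contents and the `href` that the build emits for ISM references in place of the placeholder marker.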

@Mab879 Mab879 requested review from a team as code owners September 24, 2025 14:21
@jan-cerny
Collaborator

@Mab879 you can also remove the explicit additions of the 3 rules in products/rhel9/profiles/ism_o.profile because they are now coming from the control file

- "!package_subscription-manager_installed"
- '!accounts_password_all_shadowed'
- '!usbguard_allow_hid_and_hub'
- '!sshd_allow_only_protocol2'
Contributor

These three rules above should also be removed from ol10 ism_o_secret and ism_o_top_secret profiles

@jan-cerny
Collaborator

@Mab879 conflicts

Collaborator

@jan-cerny jan-cerny left a comment

I checked that the rules now contain ISM references in data streams.

@jan-cerny
Collaborator

@Xeicker Can you please check this one again and approve or request changes?

@jan-cerny
Collaborator

@Mab879 please rebase on the latest upstream master branch, the error should now be fixed in master


openshift-ci bot commented Sep 30, 2025

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 184b908 | link | true | /test e2e-aws-openshift-node-compliance |
| ci/prow/e2e-aws-openshift-platform-compliance | 184b908 | link | true | /test e2e-aws-openshift-platform-compliance |

@jan-cerny jan-cerny merged commit ab4760f into ComplianceAsCode:master Oct 1, 2025
135 of 138 checks passed
Successfully merging this pull request may close these issues.

RHEL10 ISM O - Rules missing ism reference
RHEL9 ISM O - Rules missing ism reference
RHEL8 ISM O - Rules missing ism reference
3 participants