@ggbecker ggbecker commented Aug 23, 2023

Description:

  • Fix variable selection when selecting the default value

Rationale:

OpenSCAP Error: Attempt to get non-existent selector "default" from variable "xccdf_org.ssgproject.content_value_sshd_strong_macs" [xccdf_policy.c:462]
Invalid selector 'default' for xccdf:value/@id='xccdf_org.ssgproject.content_value_sshd_strong_macs'. Using null value instead. [xccdf_policy.c:2137]

The only way to override the control variable selection to the default
value is to create a new option to represent the default value and
select it.
Instead it just needs to be absent.
@ggbecker ggbecker added the Update Profile Issues or pull requests related to Profiles updates. label Aug 23, 2023
@ggbecker ggbecker added this to the 0.1.70 milestone Aug 23, 2023
@ggbecker ggbecker requested review from a team as code owners August 23, 2023 08:27
@ggbecker ggbecker added RHEL Red Hat Enterprise Linux product related. SLES SUSE Linux Enterprise Server product related. labels Aug 23, 2023
@qlty-cloud-legacy

Code Climate has analyzed commit 54093c4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

@vojtapolasek vojtapolasek self-assigned this Aug 23, 2023
@vojtapolasek
Collaborator

Hello @ggbecker I have a question. It seems you took a different approach for the E8 profile (remove the explicit default selector) and SLE ANSSI profiles (add a new selector with the SAME value as the default value, and select this selector). May I know the reason for this approach?
I think it would be enough for all profiles just to remove the explicit selection of the default selector.

Contributor

@teacup-on-rockingchair teacup-on-rockingchair left a comment

Nice stuff 👍

@comps
Collaborator

comps commented Aug 23, 2023

The issue reference is wrong, I messed up and incorrectly associated audit_rules_privileged_commands with sshd_use_strong_macs.

The proper issue fixed by this PR would be #11018.

@ggbecker
Member Author

> The issue reference is wrong, I messed up and incorrectly associated audit_rules_privileged_commands with sshd_use_strong_macs.
>
> The proper issue fixed by this PR would be #11018.

Fixed

@ggbecker
Member Author

> Hello @ggbecker I have a question. It seems you took a different approach for the E8 profile (remove the explicit default selector) and SLE ANSSI profiles (add a new selector with the SAME value as the default value, and select this selector). May I know the reason for this approach? I think it would be enough for all profiles just to remove the explicit selection of the default selector.

The ones I overrode with a new value is because the value comes from a control file

- var_sudo_dedicated_group=sudogrp

and this value is not the default one.

Then they were trying to revert it to the default value, but since it's not possible to select the default selector and the default value was not represented by any other selector, I had to create a new value there and use it instead.

I don't know if it would be possible to deselect the variable by using something like: !var_sudo_dedicated_group in the profile, but I think it makes more sense to have the value explicitly set for example.
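
Added example, not part of this PR or of the ComplianceAsCode or OpenSCAP code: a check for the condition behind the OpenSCAP error in the description, namely a profile selecting a selector that the variable does not define. The benchmark fragment, the profile ids, the `constructed_option` selector and all values are constructed; only the `sshd_strong_macs` id and the `sudogrp` selector come from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed benchmark fragment. The <value> without a selector attribute is
# the variable's default; no selector named "default" exists unless one is defined.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_before">
    <refine-value idref="xccdf_org.ssgproject.content_value_sshd_strong_macs" selector="default"/>
    <refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" selector="sudogrp"/>
  </Profile>
  <Profile id="xccdf_example_profile_after">
    <refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" selector="sudogrp"/>
  </Profile>
  <Value id="xccdf_org.ssgproject.content_value_sshd_strong_macs">
    <value>constructed-default-macs</value>
    <value selector="constructed_option">constructed-other-macs</value>
  </Value>
  <Value id="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group">
    <value>constructed-default-group</value>
    <value selector="sudogrp">sudogrp</value>
  </Value>
</Benchmark>"""


def invalid_selections(xml_text):
    """Return (profile id, variable id, selector) for every refine-value whose
    selector is not defined on the referenced xccdf:Value."""
    root = ET.fromstring(xml_text)
    defined = {}
    for value in root.iter("{%s}Value" % NS["x"]):
        defined[value.get("id")] = {
            v.get("selector") for v in value.findall("x:value", NS) if v.get("selector")
        }
    problems = []
    for profile in root.iter("{%s}Profile" % NS["x"]):
        for refine in profile.findall("x:refine-value", NS):
            selector = refine.get("selector")
            if selector is None:
                continue  # refinement without a selector keeps the default value
            if selector not in defined.get(refine.get("idref"), set()):
                problems.append((profile.get("id"), refine.get("idref"), selector))
    return problems


if __name__ == "__main__":
    for problem in invalid_selections(SAMPLE):
        print("invalid selector: profile=%s variable=%s selector=%s" % problem)
```
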

@vojtapolasek
Collaborator

I see now, thank you @ggbecker for the explanation. I am afraid unselecting variables in .profile files does not work, I have tried that recently.

Collaborator

@vojtapolasek vojtapolasek left a comment

LGTM, the failing check is because rawhide is broken.

@vojtapolasek
Collaborator

@freddieRv could you please review? Thank you.

Contributor

@freddieRv freddieRv left a comment

Changes LGTM

@vojtapolasek vojtapolasek merged commit 0878052 into ComplianceAsCode:master Aug 29, 2023
Development

Successfully merging this pull request may close these issues.

openscap failing on sshd_use_strong_macs in e8 on RHEL-7