Build SCE content by default in rhel9 and rhel10 products #12488

Merged
merged 3 commits into from
Oct 23, 2024


jan-cerny
Collaborator

@jan-cerny jan-cerny commented Oct 11, 2024

Description:

Build SCE checks into RHEL 9 and RHEL 10 data streams by default.

Rationale:

This change supports building bootable container images based on RHEL 9 and 10 (and CentOS Stream 9 and 10).

SCE checks will be used during the image build for the rules for which the classic OVAL checks don't work in a container build environment (mainly service enabled/disabled rules).

Review Hints:

Build the RHEL 10 and RHEL 9 products and verify visually that SCE extended components are present in the built data stream.

Then, you can download the built scap-security-guide RPMs EL9 from Packit from COPR and verify visually that SCE extended components are present in the shipped data stream.

```
wget .....
rpm2cpio $rpm | cpio -ivdm
vim ./usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
```

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 11, 2024

openshift-ci bot commented Oct 11, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Oct 11, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod


Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@jan-cerny jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Oct 15, 2024
@jan-cerny jan-cerny changed the title [do not merge] build SCE by default [do not merge] Build SCE content by default in rhel9 and rhel10 products Oct 16, 2024
@jan-cerny jan-cerny force-pushed the sce_default branch 3 times, most recently from d217dbd to 2a81f80 Compare October 17, 2024 07:56
@jan-cerny jan-cerny added this to the 0.1.75 milestone Oct 17, 2024
@jan-cerny jan-cerny added RHEL9 Red Hat Enterprise Linux 9 product related. RHEL10 Red Hat Enterprise Linux 10 product related. Infrastructure Our content build system labels Oct 17, 2024
@jan-cerny
Collaborator Author

The problem is that:

> The following requirements and recommendations apply to the xccdf:check element:
>
> - Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.
> - OVAL checking system
>   - Use of the OVAL checking system SHALL be indicated by setting the xccdf:check element's @system attribute to "http://oval.mitre.org/XMLSchema/oval-definitions-5".
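
The visual check from the review hints and the checking-system condition quoted above can be scripted. This is an added example, not code from this PR or from the ComplianceAsCode project. The SCE and OCIL system URIs are not taken from this page, the sample data stream is constructed, and `audit` is a hypothetical helper name.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OCIL = "http://scap.nist.gov/schema/ocil/2"      # assumption: not quoted on this page
SCE = "http://open-scap.org/page/SCE"            # assumption: not quoted on this page

# Constructed sample data stream (not real ssg content): one rule with an SCE
# check plus an OVAL check, one SCE-only rule, and one SCE extended component.
SAMPLE = f"""<ds:data-stream-collection xmlns:ds="{DS[1:-1]}" xmlns:x="{XCCDF[1:-1]}">
 <ds:component id="xccdf"><x:Benchmark id="demo">
  <x:Rule id="rule_service_enabled">
   <x:check system="{SCE}"><x:check-content-ref href="service_enabled.sh"/></x:check>
   <x:check system="{OVAL}"><x:check-content-ref href="oval.xml"/></x:check>
  </x:Rule>
  <x:Rule id="rule_sce_only">
   <x:check system="{SCE}"><x:check-content-ref href="sce_only.sh"/></x:check>
  </x:Rule>
 </x:Benchmark></ds:component>
 <ds:extended-component id="ecomp_service_enabled.sh"/>
</ds:data-stream-collection>"""


def audit(root):
    """Summarise checking systems and SCE extended components in a data stream."""
    systems, sce_only = Counter(), []
    for rule in root.iter(XCCDF + "Rule"):
        # iter() also finds checks nested inside xccdf:complex-check
        used = {c.get("system") for c in rule.iter(XCCDF + "check")}
        systems.update(used)
        if SCE in used and OVAL not in used:
            sce_only.append(rule.get("id"))  # no OVAL fallback for other scanners
    return {
        "systems": dict(systems),  # number of rules per checking system
        "extended_components": [e.get("id") for e in root.iter(DS + "extended-component")],
        "non_oval_ocil_systems": sorted(s for s in systems if s not in (OVAL, OCIL)),
        "sce_only_rules": sce_only,
    }


if __name__ == "__main__":
    # Pass the path of a built data stream; without one the constructed sample is used.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for key, value in audit(root).items():
        print(f"{key}: {value}")
```

A non-empty `non_oval_ocil_systems` list is the condition the quoted requirement describes; an empty `sce_only_rules` list indicates that every rule with an SCE check also carries an OVAL check.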

matusmarhefka added a commit to matusmarhefka/contest that referenced this pull request Oct 18, 2024
Scapval tool is failing when we build SCE content by default
in RHEL 9 and RHEL 10 data streams because it doesn't expect
content to use checking systems other than the OVAL and OCIL
(base requirement `SRC-118`). For more details see
ComplianceAsCode/content#12488

We can waive this fail, it shouldn't cause any problems for
3rd party scanners as our content still also contains OVAL
checks. To do so, the test has been updated to parse the XML results
file generated by the scapval tool.

The test is also updated to work on RHEL 10 where `java-21-openjdk`
is the default, as the scapval tool has no problem running with this
newer version of Java.
mildas pushed a commit to RHSecurityCompliance/contest that referenced this pull request Oct 18, 2024
@jan-cerny jan-cerny marked this pull request as ready for review October 23, 2024 08:18
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 23, 2024
Change the `build_product` convenience script so that it will
build SCE by default for the `rhel9` and `rhel10` products.

SCE should be built in Ubuntu 20.04 and 22.04 products. However, this
is specified only in the CI workflow description. In the previous commit we
have started to build SCE in RHEL 9 and 10. If we would like to start
testing it in CI, we could do it either by changing the CI workflow
description or the build_product script. It would be less complex if we
could unify it in a single place which is the build_product script.
@jan-cerny
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch.


codeclimate bot commented Oct 23, 2024

Code Climate has analyzed commit 7c812c3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny changed the title [do not merge] Build SCE content by default in rhel9 and rhel10 products Build SCE content by default in rhel9 and rhel10 products Oct 23, 2024
@Mab879 Mab879 self-assigned this Oct 23, 2024
Member

@Mab879 Mab879 left a comment


Thanks!

@Mab879 Mab879 merged commit b18b216 into ComplianceAsCode:master Oct 23, 2024
103 of 104 checks passed