Skip to content

Refresh CIS Control File for RHEL10 release 1.0 #13870

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

Refresh CIS Control File for RHEL10 release 1.0 #13870

wants to merge 24 commits into from

Conversation

ggbecker
Copy link
Member

@ggbecker ggbecker commented Sep 5, 2025

Description:

  • Refresh CIS Control File for RHEL10 release 1.0.

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 5, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 5, 2025
@ggbecker ggbecker force-pushed the rhel10-cis-control-refresh branch from 817615d to aaea092 Compare September 7, 2025 07:33
@ggbecker ggbecker added this to the 0.1.79 milestone Sep 9, 2025
@ggbecker
Copy link
Member Author

ggbecker commented Sep 9, 2025

I have collected all the rules/variables that changed from the previous CIS RHEL10 Draft and will go through to make sure we are not missing anything, specially the variables that seem to be missing in many cases, I used the log from this pipeline: https://github.com/ComplianceAsCode/content/actions/runs/17553024844/job/49849902507?pr=13870

@ggbecker
Update RHEL 10 CIS profile stability data.
b0ca4e2
@ggbecker
Update RHEL10 CIS profiles metadata.
6def210
@ggbecker
Add missing rule.
f60bc1a
@ggbecker
Add missing rules to CIS RHEL10.
7aa7c86 
These rules make sure the GDM configuration is locked.

The requirement was merged.
@ggbecker
Add variable back.
2e1c4a1
@ggbecker
Add variable back to CIS RHEL10.
bca911a
@ggbecker
Enable package_pam_pwquality_installed back 5.3.1.3.
7d90d4f 
The old requirement does not exist anymore

5.3.1.3 Ensure latest version of libpwquality is installed (Automated)
@ggbecker
Copy link
Member Author

ggbecker commented Sep 9, 2025

I have further identified that the v1.0.0 has way more content compared to the Fedora v40 draft. I will need some more time to go through some items, specially around the audit that got way more granular compared to previous versions. I have already reverted many changes compared to the old control file with the new one, according to variables and split of requirements, but there are many items to be processed yet.

@ggbecker ggbecker force-pushed the rhel10-cis-control-refresh branch from 4bc327b to 9c84ee9 Compare September 9, 2025 16:46
@ggbecker ggbecker force-pushed the rhel10-cis-control-refresh branch from 8e0e05f to 39e4e9d Compare September 9, 2025 17:31
@ggbecker ggbecker marked this pull request as ready for review September 9, 2025 17:31
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 9, 2025
@ggbecker
Copy link
Member Author

ggbecker commented Sep 9, 2025

@Mab879 I believe this is now in a decent state to be reviewed. I went ahead and tried to cover all the gaps and make sure the control file does not break the indentation so it's easier to review. There are many changes though, so it's not an easy task. Hopefully there aren't major issues with the PR.

It was a lot of effort to get to the state where it is right now. Updating a major version for a control file is definitely a major hassle :(

@jan-cerny jan-cerny changed the title Refresh CIS Control File for RHEL10 release 1.0. Refresh CIS Control File for RHEL10 release 1.0 Sep 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.1.79
Development

Successfully merging this pull request may close these issues.
1 participant
@ggbecker