Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add rules to support remote offload of journal logs #12479

Merged
merged 11 commits into from
Oct 22, 2024
Merged

Add rules to support remote offload of journal logs #12479

merged 11 commits into from
Oct 22, 2024

Conversation

teacup-on-rockingchair
Copy link
Contributor

@teacup-on-rockingchair teacup-on-rockingchair commented Oct 8, 2024
edited
Loading

Description:

  • Add rules to support remote offload of journal logs to Slmicro5 STIG

Rationale:

  • Add rules and remediations to configure remote url, tls certificate and key for connecting to remote journal
  • Add external variables: var_journal_upload_url, var_journal_upload_server_certificate_file,var_journal_upload_server_trusted_certificate_file, var_journal_upload_server_key_file, that user can configure relevant settings

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 8, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 8, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 8, 2024

Start a new ephemeral environment with changes proposed in this pull request:

slmicro5 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 8, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'.
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_enabled'.
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 8, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12479
This image was built from commit: 187c15f

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12479

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12479 make deploy-local

@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review October 14, 2024 19:52
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 14, 2024
@teacup-on-rockingchair teacup-on-rockingchair added Ansible Ansible remediation update. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. Update Template Issues or pull requests related to Templates updates. labels Oct 14, 2024
@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.75 milestone Oct 15, 2024
@Mab879 Mab879 self-assigned this Oct 15, 2024
@Mab879
Copy link
Member

Mab879 commented Oct 15, 2024

I'm waving the automatus failures as they are due to rule not being the data streams.

Mab879
Mab879 requested changes Oct 15, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, just a few small changes.

linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml Outdated Show resolved Hide resolved
linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml Outdated Show resolved Hide resolved
linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/rule.yml Outdated Show resolved Hide resolved
linux_os/guide/system/logging/journald/systemd_journal_upload_url/rule.yml Outdated Show resolved Hide resolved
@Mab879
Copy link
Member

Mab879 commented Oct 16, 2024

/packit build

Mab879
Mab879 reviewed Oct 16, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor thing I missed in my first review, sorry about that.

shared/templates/service_enabled/bash.template Outdated Show resolved Hide resolved
Mab879
Mab879 approved these changes Oct 17, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Mab879
Mab879 requested changes Oct 17, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase, looks like something is conflicting.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Oct 17, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Oct 22, 2024
@teacup-on-rockingchair
Copy link
Contributor Author

Please rebase, looks like something is conflicting.

Done thanks 🙇

@teacup-on-rockingchair
Add service enable bash remediation support for slmicro5
999e399
@teacup-on-rockingchair
Add rules to support remote offload of journal logs
c97086b 
- Add rules and remediations to configure remote url, tls certificate and key for connecting to remote journal
- Add external variables: var_journal_upload_url, var_journal_upload_server_certificate_file,var_journal_upload_server_trusted_certificate_file, var_journal_upload_server_key_file, that user can configure relevant settings
@teacup-on-rockingchair
Assign CCE ids for journal rules in slmicro5
a9db42c
@teacup-on-rockingchair
Add journal remote upload rules and drop trailing whitespaces
e2b8967
@teacup-on-rockingchair
Assign rules to relevant components
20a0008
@teacup-on-rockingchair
Mark in the control the remediation should be run manual for this one…
1d40a70 
… as it depends on specific external variables
@codeclimate CodeClimate
Copy link

codeclimate bot commented Oct 22, 2024

Code Climate has analyzed commit 1d40a70 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.0% (0.0% change).

View more on Code Climate.

Mab879
Mab879 approved these changes Oct 22, 2024
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@Mab879 Mab879 merged commit 856d9c5 into ComplianceAsCode:master Oct 22, 2024
98 of 104 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
Ansible Ansible remediation update. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. Update Template Issues or pull requests related to Templates updates.
Projects
None yet
Milestone
0.1.75
Development

Successfully merging this pull request may close these issues.
3 participants
@teacup-on-rockingchair @Mab879 @openshift-merge-robot