This PR follows #14834 and continues addressing issue #8709.#14841
This PR follows #14834 and continues addressing issue #8709.#14841Tomatotech90 wants to merge 12 commits into
Conversation
Continues work from PR ComplianceAsCode#14834. Removes DoD-specific phrasing from 15 additional files, replacing with policy-agnostic language where the underlying security requirement applies to any organization. Also fixes pre-existing trailing whitespace in var_smartcard_drivers.var and banner_etc_profiled_ssh_confirm/rule.yml found during lint verification. Updates ComplianceAsCode#8709
|
Hi @Tomatotech90. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Mab879
left a comment
There was a problem hiding this comment.
Thanks for the PR. I have a few comments.
| is commented out, or is missing, this is a finding. | ||
|
|
||
| rationale: |- | ||
| DoD Information Systems are required to use FIPS-approved cryptographic hash |
There was a problem hiding this comment.
The rules with _stig can be keep the DoD wording as they specifically for the STIG.
| {{{ full_name }}} must implement certificate status checking for multifactor authentication. | ||
|
|
||
| vuldiscussion: |- | ||
| Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. |
There was a problem hiding this comment.
The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
| default text with a message compliant with the local site policy or a legal | ||
| disclaimer. | ||
|
|
||
| The DoD required text is either: |
There was a problem hiding this comment.
If we truly removing DOD specific content we should remove the required text.,
| default text with a message compliant with the local site policy or a legal | ||
| disclaimer. | ||
|
|
||
| The DoD required text is either: |
| This rule verifies that that the SSH login confirmation banner is set | ||
| correctly. | ||
|
|
||
| The DoD required text is: |
| A {{{ full_name }}} firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | ||
|
|
||
| vuldiscussion: |- | ||
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. |
There was a problem hiding this comment.
The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
|
|
||
| description: |- | ||
| Choose the Smart Card Driver in use by your organization. | ||
| <br />For DoD, choose the <tt>cac</tt> driver. |
There was a problem hiding this comment.
This is some helpful text, propose to keep.
| {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | ||
|
|
||
| vuldiscussion: |- | ||
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. |
There was a problem hiding this comment.
The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
|
|
||
| {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. | ||
|
|
||
| FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. |
There was a problem hiding this comment.
The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
|
|
||
| The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. | ||
|
|
||
| The DoD minimum password requirement is 15 characters. |
There was a problem hiding this comment.
The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
There was a problem hiding this comment.
Thanks, and I will do the changes.
|
@Mab879 Thanks for the detailed feedback. I've made the following changes: ssh_use_approved_macs_ordered_stig/rule.yml Each of these now matches the original upstream text exactly. I verified this with a direct diff against upstream/master for each file. banner_etc_issue_net/rule.yml The description field in each now ends after the intro paragraph explaining how to configure the banner. The required text block (the USG notice and the "I've read..." alternative) has been removed entirely, not just reworded. banner_etc_profiled_ssh_confirm/rule.yml This one is different from the other three banner files. The required text isn't a standalone block; it's embedded inside a shell script as the string passed to a read -p prompt (the if [ -n "$SSH_CLIENT" ]... while... read -p... case... esac logic). Removing the DoD wording here means either stripping the whole script or just blanking the prompt string while keeping the script structure intact. I didn't want to guess which one is correct without knowing what the associated check actually verifies, so I left this file unchanged for now. Let me know which approach you'd prefer, and I'll update it. configure_gnutls_tls_crypto_policy/rule.yml |
Revert 8 STIG-specific files to original DoD wording, since these mirror upstream STIG content per maintainer feedback: - ssh_use_approved_macs_ordered_stig/rule.yml - set_firewalld_default_zone/policy/stig/shared.yml - harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml - set_password_hashing_algorithm_systemauth/policy/stig/shared.yml - set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml - accounts_password_pam_minlen/policy/stig/shared.yml - sssd_certificate_verification/policy/stig/shared.yml - var_smartcard_drivers.var Remove the required banner text entirely from 3 banner files, since rewording the lead-in sentence alone was not sufficient: - banner_etc_issue_net/rule.yml - banner_etc_motd/rule.yml - banner_etc_gdm_banner/rule.yml banner_etc_profiled_ssh_confirm/rule.yml is left unchanged in this commit. Its required text is embedded in a shell script's read -p prompt rather than a standalone block, and I want maintainer input before deciding whether to remove the script or just the wording.
|
Looking at |
Thanks, that makes sense. Checking turns out var_ssh_confirm_text.var already exists in the repo and is correctly wired into the fix script via {{{ bash_instantiate_variables("var_ssh_confirm_text") }}} in bash/shared.sh. So the variable mechanism itself isn't missing. |
|
Adding another option |
…h_confirm Following feedback, added a new option, generic_default, to var_ssh_confirm_text.var, alongside the existing dod_default option. The regex was generated with the project's own utils/regexify_banner.py tool, the same tool used for dod_default. Updated banner_etc_profiled_ssh_confirm/rule.yml's description field to explain the confirmation text is configurable through the variable, instead of showing the DoD text directly. Confirmed the new option resolves correctly by running it through the same deregexify steps used at build time, producing clean, valid banner text. Verified with yamllint and a full product build.
I did add the variable |
|
/ok-to-test |
|
/retest |
Mab879
left a comment
There was a problem hiding this comment.
If you could add test for new generic_default that might be good idea as well.
…filed_ssh_confirm/rule.yml Co-authored-by: Matthew Burket <m@tthewburket.com>
…m_text.var Co-authored-by: Matthew Burket <m@tthewburket.com>
Added banner_etc_profiled_ssh_confirm_generic.pass.sh, same pattern as the existing dod_default test. Sets var_ssh_confirm_text to the generic banner text and writes it to /etc/profile.d/ssh_confirm.sh, so the generic_default option gets checked the same way dod_default already is.
The generic_default test was failing in CI. var_ssh_confirm_text has no explicit default option, so the scan was still resolving to dod_default no matter what the test script wrote to disk. Added a variables line to the test scenario so it actually selects generic_default during the scan.
|
The generic_default test was failing. var_ssh_confirm_text has no default option set, so the scan kept resolving to dod_default no matter what the test wrote to disk. Added a variables line to the test scenario so it actually picks generic_default during the scan. Checked it locally with the Jinja stripper and a full build, both clean. Waiting on CI now. |
The test wrote 'the applicable acceptable use policy' but the generic_default regex in var_ssh_confirm_text.var expects 'your organization's acceptable use policy'. Updated the test text to match the actual stored regex exactly, so the initial scan resolves as pass.
The unescaped apostrophe in organization's broke Jinja parsing in CI, causing a TemplateSyntaxError. Escaped it with a backslash, which is standard Jinja string escaping and does not conflict with this project's double-brace statement delimiters.
|
fail 1: banner_etc_profiled_ssh_confirm_generic.pass.sh failure Fail 2: stable-products failure on sle16 |
|
Fail 1: We can move the scenario and once done I will do manual testing Fail 2 should be fixed by: #14875 |
The variables metadata mechanism used by this test framework does a literal text substitution and cannot resolve a named option to its actual regex value, so this scenario cannot work as written.
|
I did some manual testing and it seems there are some unescaped |
Manual testing showed the unescaped apostrophe in organization's was causing remediation to error out. Reworded the text to drop the possessive entirely instead of escaping it.
|
/retest |
|
/test e2e-aws-openshift-node-compliance |
|
/test e2e-aws-openshift-platform-compliance |
Mab879
left a comment
There was a problem hiding this comment.
During manual testing I was still running into issues.
I was able to get passing with suggest change to the regex and this diff below.
Seems that ? tripping something up.
diff --git a/ssg/utils.py b/ssg/utils.py
index 482e51d4c0..295afc863c 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -598,8 +598,8 @@ def escape_regex(text):
This function mimics the behavior of re.escape() in Python 3.7, which escapes a reasonable set
of characters.
- Specifically, it escapes the following characters: #, $, &, *, +, ., ^, `, |, ~, :, (, ), and -.
- Note that the characters '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`"
+ Specifically, it escapes the following characters: #, $, &, *, +, ., ?, ^, `, |, ~, :, (, ), [, ], and -.
+ Note that the characters '!', '"', '%', "'", ',', '/', ';', '<', '=', '>', '@', and "`"
are not escaped.
Args:
@@ -611,8 +611,9 @@ def escape_regex(text):
# We could use re.escape(), but it escapes too many characters, including plain white space.
# In python 3.7 the set of characters escaped by re.escape is reasonable, so lets mimic it.
# See https://docs.python.org/3/library/re.html#re.sub
- # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
- return re.sub(r"([#$&*+.^`|~:()\[\]-])", r"\\\1", text)
+ # '!', '"', '%', "'", ',', '/', ';', '<', '=', '>', '@', and "`" are not escaped.
+ # '?' must be escaped; otherwise plain-text questions become regex quantifiers.
+ return re.sub(r"([#$&*+.?^`|~:()\[\]-])", r"\\\1", text)An unescaped ? in banner text was being interpreted as a regex quantifier instead of a literal character, causing remediation to error out. Applied a tested patch to ssg/utils.py to escape ? in escape_regex, and regenerated the generic_default regex with the corrected tool.
I made a patch to ssg/utils.py because the ? in the banner text was not being escaped, causing the remediation to error out. Applied the fix to escape_regex and regenerated the generic_default regex with the corrected tool, so it now escapes the ? same way dod_default does. Checked it with yamllint and full builds for RHEL9 and Ubuntu 24.04, both came out clean |
|
/retest |
|
@Tomatotech90: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
This PR follows #14834 and continues addressing issue #8709.
After #14834 was merged, reviewing the remaining files from the maintainer's grep list, I identified 15 additional files containing DoD-specific phrasing. Following review feedback, this PR now keeps DoD wording where it mirrors upstream STIG content, and generalizes it only where it was incidental prose.
Files reworded to generic language:
configure_gnutls_tls_crypto_policy/rule.ymlhttpd_public_resources_not_shared/rule.ymlensure_gpgcheck_repo_metadata/rule.ymlFiles reverted to original DoD wording, since they mirror upstream STIG content:
ssh_use_approved_macs_ordered_stig/rule.ymlset_firewalld_default_zone/policy/stig/shared.ymlharden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.ymlset_password_hashing_algorithm_systemauth/policy/stig/shared.ymlset_password_hashing_algorithm_systemauth/policy/stig/rhel10.ymlaccounts_password_pam_minlen/policy/stig/shared.ymlsssd_certificate_verification/policy/stig/shared.ymlvar_smartcard_drivers.varBanner files:
banner_etc_issue_net/rule.yml,banner_etc_motd/rule.yml,banner_etc_gdm_banner/rule.yml: removed the required banner text entirely from the description field, rather than just rewording the lead-in sentence.banner_etc_profiled_ssh_confirm/rule.yml: added a new option,generic_default, tovar_ssh_confirm_text.var, so this rule now supports a policy-agnostic banner alongside the existingdod_defaultoption. Updated the description field inrule.ymlto clarify that the confirmation text is configurable via the variable, rather than showing the DoD text directly.Pre-existing trailing whitespace in
var_smartcard_drivers.varwas fixed during lint verification.Rationale
Make security content policy-agnostic, with the DoD reference incidental, while keeping DoD wording when the content mirrors upstream STIG language or documents a requirement that is intentionally DoD-specific.
Updates #8709 (does not fully close it, see notes below).
Notes
17 files from the original grep list were reviewed but excluded from this PR. They fall into three groups, in which the DoD reference is part of the rule's actual requirement rather than incidental wording. These questions are still open. Guidance would be appreciated before I change any of these.
Group 1: Banner text files (7 files)
banner_etc_issue/rule.yml,banner_etc_issue/policy/stig/shared.yml,gui_login_dod_acknowledgement/rule.yml,login_banner_text.var,motd_banner_text.var,remote_login_banner_text.var,var_web_login_banner_text.varThese files contain the Standard Mandatory DoD Notice and Consent Banner as verbatim text that checks against. Should the option keys (
dod_banners,dod_default) be renamed, or is that intentional since DoD STIG profiles select those keys by name?Group 2: PKI and certificate files (5 files)
sssd_has_trust_anchor/rule.yml,sssd_has_trust_anchor/policy/stig/shared.yml,httpd_configure_valid_server_cert/rule.yml,only_allow_dod_certs/rule.yml,httpd_configure_banner_page/rule.ymlThese rules check for or reference DoD-specific PKI infrastructure (DoD Root CA, DoD server certificates, cyber.mil). Is there a generic equivalent, or are these rules intentionally DoD-specific?
Group 3: DoD infrastructure and network files (5 files)
httpd_nipr_accredited_dmz/rule.yml,smartcard_auth/rule.yml,chronyd_server_directive/rule.yml,chronyd_or_ntpd_set_maxpoll/rule.yml,mcafee_security_software/group.ymlThese rules reference DoD-specific networks (NIPRNet/SIPRNet), DoD-mandated exemption lists, or DoD-mandated tooling. The NIPRNet/SIPRNet references appear in
srg_requirementfields that quote the STIG SRG verbatim. Should those be left as-is since they are direct SRG quotes? Is there a generic equivalent formcafee_security_software, or is it also intentionally DoD-specific?Review Hints
Each file can be reviewed independently. Changes are prose-only with no impact on OVAL checks, remediations, or rule logic, except for the banner files, where the required-text block was removed or replaced with a variable reference in the description field.
Full documentation of the approach, verification steps, and lint/build results for this PR: https://github.com/Tomatotech90/github-contribution-log/blob/main/Remove_DoD_Specific_Verbiage_from_rule.yml_(Part%202).md