-
Notifications
You must be signed in to change notification settings - Fork 7
/
30-permanent
103 lines (90 loc) · 4.14 KB
/
30-permanent
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# these tests are always expected to fail, because there's no reasonable way
# to fix them, or because we intentionally expect the failure and a pass should
# trigger alarms and be invetigated
# remediation for this is globally disabled in Contest,
# see conf/remediation.py
/hardening/.*/accounts_password_set_max_life_(existing|root)
True
# missing Ansible remediation
# - we need to track these as manual waivers, because the current lib/oscap.py
# logic checks only Bash remediation and there is no clear approach to
# extending it with Ansible that wouldn't break existing logic (ie. for rules
# that have only Bash remediation)
/hardening(/.+)?/ansible(/.+)?/audit_rules_unsuccessful_file_modification
/hardening(/.+)?/ansible(/.+)?/audit_rules_login_events
True
# the service_sssd_enabled will be failing even if the service is enabled
# because it requires manual configuration which cannot be attained with our rules
# note that there are cases when sssd can be started
/hardening/.+/service_sssd_enabled
True
# Beaker-specific:
# all Beaker repositories have gpgcheck=0 and they get copied to nested VMs too
/(hardening|scanning)/.+/ensure_gpgcheck_never_disabled
# we don't control partitions on the host OS
/hardening/host-os/.+/mount_option_(home|opt|srv|var|var_log|var_log_audit|tmp)_(noexec|nosuid|nodev|usrquota|grpquota)
/hardening/host-os/.+/mount_option_boot_efi_nosuid
True
# Beaker-specific, possibly;
# same for dnf-automatic and rsyslog (??), is this fully random?
/hardening/host-os/oscap/[^/]+/package_dnf-automatic_installed
/hardening/host-os/oscap/[^/]+/timer_dnf-automatic_enabled
/hardening/host-os/oscap/[^/]+/package_rsyslog-gnutls_installed
True
# https://github.com/ComplianceAsCode/content/issues/12119
# https://github.com/ComplianceAsCode/content/issues/12234
/hardening/host-os/.*/(ospp|cui)/timer_dnf-automatic_enabled
rhel == 8 or rhel == 9
# https://bugzilla.redhat.com/show_bug.cgi?id=1797653 WONTFIX
/scanning/oscap-eval/ERROR
rhel == 8 and note == 'E: oscap: Failed to convert OVAL state to SEXP, id: oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1.'
# HTML links from datastreams waivers
#
# ignore SSL certificate expirations in html-links - these are generally
# harmless (expiration is not MITM) while being the biggest contributor
# to false positives, so just ignore them, avoiding frequent random fails
/static-checks/html-links/.+
"failed: certificate has expired" in note
# Inaccessible until form is filled:
/static-checks/html-links/https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
True
# Rule identifiers waivers
#
# no STIG ID, but the rule is needed for other authselect rules
/static-checks/rule-identifiers/stig/enable_authselect
rhel == 8
# no STIG ID for CentOS products
/static-checks/rule-identifiers/stig/.*
rhel.is_centos() and note == 'missing https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux'
# DISA Alignment waivers
#
# DISA benchmark allows only released OS versions. Our content is fine with unreleased versions.
# https://github.com/ComplianceAsCode/content/issues/11649
/scanning/disa-alignment/.*/installed_OS_is_vendor_supported
True
# CentOS-specific waivers
#
# Rules checking if OS is FIPS certified
/hardening/host-os/.+/sshd_use_approved_.+
/hardening/host-os/.+/package_dracut-fips_installed
/hardening/host-os/.+/grub2_enable_fips_mode
/hardening/host-os/.+/aide_use_fips_hashes
rhel.is_centos()
# Remediations are unselected for CentOS, but they might pass outside Testing Farm
/hardening/.+/ensure_gpgcheck_globally_activated
/hardening/.+/ensure_gpgcheck_local_packages
/hardening/.+/ensure_gpgcheck_never_disabled
/hardening/.+/ensure_gpgcheck_repo_metadata
/hardening/.+/ensure_redhat_gpgkey_installed
rhel.is_centos()
# Presumably not valid for CentOS
/hardening/.+/ospp/enable_fips_mode
/hardening/.*/ospp/configure_crypto_policy
rhel.is_centos() and rhel == 9
# scapval waivers
#
# Caused by SCE content being built by default, enabled
# in https://github.com/ComplianceAsCode/content/pull/12488
/static-checks/nist-validation/ssg-(rhel9|cs9)-ds/SRC-118
rhel >= 9
# vim: syntax=python