Add Debian 13 auditd variable options and grub2 UEFI password OVAL#14782
Open
israel-villar wants to merge 1 commit into
Open
Add Debian 13 auditd variable options and grub2 UEFI password OVAL#14782israel-villar wants to merge 1 commit into
israel-villar wants to merge 1 commit into
Conversation
- var_auditd_disk_error_action: add cis_debian13=syslog|single|halt matching the CIS Debian 13 allowed values (same as cis_debian12). - var_auditd_disk_full_action: add cis_debian13=halt|single matching the CIS Debian 13 allowed values (same as cis_debian12). - grub2_uefi_password/oval/debian.xml: add Debian-specific OVAL check that verifies superusers and password_pbkdf2 entries in grub2_uefi_boot_path/grub.cfg (Debian stores GRUB config in a different path than RHEL, requiring a separate OVAL file). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Hi @israel-villar. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
var_auditd_disk_error_action: addcis_debian13: syslog|single|halt(same allowed values as
cis_debian12, per CIS Debian 13 section 6.3.4.x).var_auditd_disk_full_action: addcis_debian13: halt|single(same allowed values as
cis_debian12).grub2_uefi_password/oval/debian.xml: new Debian-specific OVAL thatchecks for
superusersandpassword_pbkdf2entries in{{{ grub2_uefi_boot_path }}}/grub.cfg. Debian stores the GRUBconfiguration in a different path than RHEL and requires its own OVAL file.
Rationale:
Without the
cis_debian13variable options the profile cannot set thecorrect allowed values via
var_auditd_disk_error_action=cis_debian13in the profile selections. The GRUB UEFI OVAL is needed because the
existing RHEL OVAL uses a different boot path macro value.
Review Hints:
var_auditd_disk_*: one-line additions, mirror thecis_debian12entries.grub2_uefi_password/oval/debian.xml: follows the same structure asthe existing Ubuntu OVAL in the same directory.