@jan-cerny
Collaborator

Update RHEL 8 CIS control file and profiles according to the version 4.0.0 of the RHEL 8 CIS Benchmark.

@jan-cerny jan-cerny added this to the 0.1.80 milestone Jan 2, 2026
@jan-cerny jan-cerny requested review from a team, Mab879 and matusmarhefka as code owners January 2, 2026 08:16
@jan-cerny jan-cerny added the Highlight This PR/Issue should make it to the featured changelog. label Jan 2, 2026
@jan-cerny jan-cerny added Update Profile Issues or pull requests related to Profiles updates. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. labels Jan 2, 2026
@jan-cerny jan-cerny changed the title Update RHEL 8 CIS Update RHEL 8 CIS profile Jan 2, 2026
@github-actions

github-actions bot commented Jan 2, 2026

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@jan-cerny jan-cerny force-pushed the rhel8_cis branch 4 times, most recently from 7857e49 to 14b394a Compare January 5, 2026 08:00
@openshift-ci

openshift-ci bot commented Jan 5, 2026

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 4f43756 | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 Mab879 self-assigned this Jan 5, 2026
dir_perms_world_writable_sticky_bits
disable_host_auth
disable_users_coredumps
enable_authselect
Member

Seems the workstation profiles are missing enable_authselect; is that intentional?

Collaborator Author

The authselect situation is complicated for me. Currently I'm trying to learn about authselect and understand how it should work in CIS profiles. So far I found that in RHEL 8 we had enable_authselect but in RHEL 10 we don't. Moreover, authselect is somehow related to the failures in Testing Farm jobs that are reported by CI. The remediation in rule accounts_password_pam_pwhistory_use_authtok seems to be wrong and conflicts with authselect. I will try to fix it. The addition of enable_authselect to server profiles is an experiment, and once it is clearer I plan to consistently either add or remove it from all 4 profiles.

@jan-cerny jan-cerny marked this pull request as draft January 6, 2026 12:29
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 6, 2026
Update RHEL 8 CIS control file and profiles according to the version
4.0.0 of the RHEL 8 CIS Benchmark.

The remediations shouldn't update the /etc/pam.d/system-auth and
/etc/pam.d/password-auth directly; it would conflict with authselect.
The remediations need to update the authselect profile instead,
and then let authselect modify the files in /etc/pam.d/.
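
The approach in the commit message above (edit the authselect profile, then let authselect regenerate /etc/pam.d/), shown for the pam_pwhistory `use_authtok` case as an added example that is not code from this pull request. The function names and the profile directory argument are assumptions; in real use the directory would be a custom profile under /etc/authselect/custom/.

```shell
#!/bin/sh
# Added example (not from the PR): enforce use_authtok on pam_pwhistory.so
# by editing the authselect profile templates, never /etc/pam.d/* directly.

# ensure_pwhistory_use_authtok PROFILE_DIR   (hypothetical helper name)
# PROFILE_DIR holds the profile's system-auth and password-auth templates.
ensure_pwhistory_use_authtok() {
    profile_dir=$1
    for f in system-auth password-auth; do
        tmpl="$profile_dir/$f"
        [ -f "$tmpl" ] || { echo "missing template: $tmpl" >&2; return 1; }
        tmp=$(mktemp) || return 1
        # Touch only 'password' stack lines that load pam_pwhistory.so and
        # do not already carry use_authtok. The option is inserted directly
        # after the module name, because a template line may end with an
        # authselect conditional such as {include if "with-pwhistory"} and
        # text appended after that clause would not be a module argument.
        sed -E '/^[[:space:]]*password[[:space:]].*pam_pwhistory\.so/{
/[[:space:]]use_authtok([[:space:]]|$)/!s/(pam_pwhistory\.so)/\1 use_authtok/
}' "$tmpl" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Overwrite in place so ownership, mode and SELinux label are kept.
        cat "$tmp" > "$tmpl"
        rm -f "$tmp"
    done
}

# apply_authselect_changes   (hypothetical helper name; needs root)
# Validates that the current configuration is still authselect-managed,
# then regenerates the files in /etc/pam.d/ from the selected profile.
apply_authselect_changes() {
    authselect check && authselect apply-changes
}

# Typical use on a host, with <name> being the selected custom profile:
#   ensure_pwhistory_use_authtok /etc/authselect/custom/<name> \
#       && apply_authselect_changes
```

Because the edit is idempotent and lives in the profile, a later `authselect apply-changes` or feature toggle keeps the setting instead of overwriting it.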
@jan-cerny
Collaborator Author

This PR is blocked by #14275 and will be rebased after that one is merged.
