@jan-cerny
Collaborator

Description:

Align RHEL 10 CIS profile with CIS RHEL 10 Benchmark v1.0.1 requirement 7.2.9 (Ensure local interactive user dot files access is configured).
This consists of 2 steps:

  1. Create new rule no_rhost_files that checks for presence of .rhost files and add it to the control file.
  2. Add existing rule file_permission_user_bash_history to the control file, enable it on RHEL and add an Ansible remediation to the rule.

Rationale:

Resolves: https://issues.redhat.com/browse/OPENSCAP-6130

Review Hints:

Run automatus tests for both rules.

The rule checks that no .rhost files exist in user directories
according to RHEL 10 CIS Benchmark v1.0.1.
The CIS RHEL 10 Benchmark v1.0.1 requires in section 7.2.9
that .bash_history is mode 0600 or more restrictive.
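
An added example, not part of this pull request or the ComplianceAsCode code base: a minimal audit of the two conditions the description names, run over constructed home directories. The helper names (`audit_home`, `demo`) and the sample users are assumptions; the `.rhost` file name is taken as spelled in the description.

```python
import os
import stat
import tempfile

RHOST_NAME = ".rhost"        # file name as spelled in the PR description
ALLOWED_HISTORY = 0o600      # ".bash_history is mode 0600 or more restrictive"


def audit_home(home):
    """Return findings for one home directory (hypothetical helper)."""
    findings = []
    rhost = os.path.join(home, RHOST_NAME)
    if os.path.lexists(rhost):
        findings.append(f"{rhost}: must not exist")
    history = os.path.join(home, ".bash_history")
    try:
        st = os.lstat(history)   # lstat so a symlink is not followed
    except FileNotFoundError:
        return findings
    if stat.S_ISREG(st.st_mode):
        mode = stat.S_IMODE(st.st_mode)
        # "More restrictive" is a bit test: 0440 < 0600 numerically,
        # yet it grants group read, so a numeric comparison is wrong.
        extra = mode & ~ALLOWED_HISTORY
        if extra:
            findings.append(f"{history}: mode {mode:04o} has extra bits {extra:04o}")
    return findings


def demo():
    """Build constructed home directories and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for user, mode, rhost in (("alice", 0o600, False),
                                  ("bob", 0o440, False),
                                  ("carol", 0o400, True)):
            home = os.path.join(root, user)
            os.mkdir(home)
            hist = os.path.join(home, ".bash_history")
            open(hist, "w").close()
            os.chmod(hist, mode)
            if rhost:
                open(os.path.join(home, RHOST_NAME), "w").close()
            results[user] = [f.replace(root, "") for f in audit_home(home)]
    return results


if __name__ == "__main__":
    for user, findings in demo().items():
        print(user, findings or "compliant")
```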
@jan-cerny added the labels CIS (CIS Benchmark related.) and RHEL10 (Red Hat Enterprise Linux 10 product related.) Oct 27, 2025
@openshift-ci

openshift-ci bot commented Oct 29, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 8d242f8 | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 added this to the 0.1.79 milestone Oct 29, 2025
@Mab879 self-assigned this Oct 29, 2025
@Mab879
Member

Mab879 commented Oct 30, 2025

/packit retest-failed

@Mab879 merged commit 58478e3 into ComplianceAsCode:master Oct 31, 2025
139 of 140 checks passed