
Update SLE15 public cloud profiles#14759

Merged
teacup-on-rockingchair merged 2 commits into ComplianceAsCode:master from jgleissner:sle15-pubcloud-update on Jun 12, 2026

Conversation

@jgleissner

Contributor

Description:

This PR makes the following changes to the SLE15 profiles:

  • Drop smartcard-related rules
  • Drop mount_option_dev_shm_noexec from the SAP profile
  • Add a profile for CHOST hardening

Rationale:

  • Public cloud VMs do not have smartcard readers, so smartcard-related rules in the public cloud profiles are pointless
  • mount_option_dev_shm_noexec seems to expect /dev/shm to be mounted via /etc/fstab, which is not the case in SLES, so it seems incompatible
  • For SLES instances that are optimized as a container host, we need a STIG-based profile
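The fstab-versus-runtime distinction behind the mount_option_dev_shm_noexec rationale above, as an added example that is not part of this PR and is not ComplianceAsCode's own check: it reads the options /dev/shm is actually mounted with (from a /proc/mounts-style file) and separately whether /etc/fstab declares /dev/shm at all, so the two views can be compared on a host. The function names and the sample /proc/mounts and /etc/fstab contents are constructed for the example; on a live system the functions take /proc/mounts and /etc/fstab.

```shell
#!/bin/sh
# Added example: compare what /etc/fstab declares for /dev/shm with how it is
# actually mounted (as reported by /proc/mounts). Both inputs are file paths
# so the functions can be exercised on the constructed samples below or on the
# live files ("/proc/mounts" and "/etc/fstab"). Function names are assumptions.

# Succeed (exit 0) if the given mounts file lists /dev/shm with "noexec".
# /proc/mounts fields: source target fstype options dump pass
dev_shm_has_noexec() {
    awk '$2 == "/dev/shm" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if the given fstab file has an uncommented entry for /dev/shm.
fstab_declares_dev_shm() {
    awk '$1 !~ /^#/ && $2 == "/dev/shm" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Summarise a host as one word. "noexec-runtime-only" is the situation the PR
# author describes for SLES: /dev/shm is mounted with noexec by systemd while
# fstab is silent, so a check that only consults fstab disagrees with reality.
classify_dev_shm() {
    mounts="$1"; fstab="$2"
    if dev_shm_has_noexec "$mounts"; then rt=1; else rt=0; fi
    if fstab_declares_dev_shm "$fstab"; then fs=1; else fs=0; fi
    case "$rt$fs" in
        11) echo "noexec-in-fstab-and-runtime" ;;
        10) echo "noexec-runtime-only" ;;
        01) echo "fstab-entry-but-no-noexec" ;;
        *)  echo "no-noexec" ;;
    esac
}

# Constructed sample inputs (not captured from a real machine).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/mounts" <<'EOF'
/dev/vda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,inode64 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
# fstab as on the SLES VM the PR describes: no /dev/shm line at all.
cat > "$SAMPLES/fstab-sles" <<'EOF'
# /etc/fstab (constructed): /dev/shm is mounted by systemd, not listed here
UUID=0000-0000 / ext4 defaults 0 1
EOF
# fstab carrying the explicit line an fstab-based check would look for.
cat > "$SAMPLES/fstab-explicit" <<'EOF'
UUID=0000-0000 / ext4 defaults 0 1
tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
EOF

classify_dev_shm "$SAMPLES/mounts" "$SAMPLES/fstab-sles"      # noexec-runtime-only
classify_dev_shm "$SAMPLES/mounts" "$SAMPLES/fstab-explicit"  # noexec-in-fstab-and-runtime
```

Run against the live files with `classify_dev_shm /proc/mounts /etc/fstab`; a result of noexec-runtime-only on a SLES VM is the mismatch the rationale is about, and it is the runtime view, not the fstab line, that reflects what processes can actually do in /dev/shm.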

@jgleissner jgleissner requested a review from a team as a code owner June 3, 2026 12:03
@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 3, 2026
@openshift-ci

openshift-ci Bot commented Jun 3, 2026


Hi @jgleissner. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@Mab879 Mab879 added this to the 0.1.82 milestone Jun 4, 2026

@svet-se svet-se left a comment

Contributor

LGTM

@svet-se svet-se self-assigned this Jun 10, 2026
@svet-se svet-se added the SLES SUSE Linux Enterprise Server product related. label Jun 10, 2026
@svet-se

svet-se commented Jun 10, 2026

Contributor

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Jun 10, 2026
@svet-se

svet-se commented Jun 11, 2026

Contributor

/retest-required

@jgleissner

Contributor Author

I don't think the failing tests are related to the changes in this PR.

@jgleissner

Contributor Author

I've removed two more rules from the SLE15 public cloud profiles. disable_ctrlaltdel_burstaction does not make sense in a public cloud VM. file_etc_security_opasswd has broken remediation: it fails if /etc/security/opasswd does not exist or has the wrong permissions, making it pointless.
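The failure mode described in the comment above (a fix that breaks when /etc/security/opasswd is absent or mis-permissioned), as an added example that is neither the project's rule nor its remediation: a check that reports the file's state and a remediation that treats "missing" as something to repair rather than a reason to fail. The path is a parameter so the scenarios run on scratch files; the function names, the mode-only check and the scratch scenarios are assumptions for the example.

```shell
#!/bin/sh
# Added example: a check-and-fix for a pam_pwhistory opasswd file that treats
# "file missing" as a remediable state instead of a failure. The path is a
# parameter so it can be tried on scratch files; on a host it would be
# /etc/security/opasswd. Assumes GNU stat (Linux). Ownership (root:root) is
# not enforced here so the example runs unprivileged; a real fix adds chown.
# Function names are assumptions.

# Print one of: missing, wrong-mode, ok. Always exits 0 (it is a report).
opasswd_status() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"
    elif [ "$(stat -c %a "$f")" != "600" ]; then
        echo "wrong-mode"
    else
        echo "ok"
    fi
}

# Succeed only when the file exists and is mode 0600.
opasswd_check() {
    [ "$(opasswd_status "$1")" = "ok" ]
}

# Idempotent remediation: create the file if absent, then set the mode.
# Returns the result of re-running the check, so callers can verify the fix.
opasswd_remediate() {
    f="$1"
    [ -e "$f" ] || : > "$f"
    chmod 0600 "$f"
    opasswd_check "$f"
}

# Constructed scenarios in a scratch directory (nothing under /etc is touched).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MISSING="$WORK/opasswd-missing"
LOOSE="$WORK/opasswd-loose"
: > "$LOOSE"; chmod 0644 "$LOOSE"

opasswd_status "$MISSING"   # missing
opasswd_status "$LOOSE"     # wrong-mode
```

Running `opasswd_remediate` on either scratch file leaves it at mode 0600 and makes `opasswd_check` succeed; running it a second time changes nothing, which is the property a remediation needs so that a scan-fix-rescan cycle converges instead of failing on the first missing file.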

@jgleissner jgleissner requested a review from svet-se June 11, 2026 16:28
@svet-se

svet-se commented Jun 12, 2026

Contributor

/retest

@svet-se

svet-se commented Jun 12, 2026

Contributor

/retest-required

Drop smartcard-related rules.
Drop mount_option_dev_shm_noexec from SAP profile.
Add profile for CHOST hardening.
Drop rule disable_ctrlaltdel_burstaction (pointless in public clouds).
Drop rule file_etc_security_opasswd (remediation is broken).
@jgleissner jgleissner force-pushed the sle15-pubcloud-update branch from b62db36 to 790f983 Compare June 12, 2026 09:27
@jgleissner

Contributor Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jun 12, 2026


@jgleissner: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 790f983 link true /test e2e-aws-openshift-node-compliance
ci/prow/e2e-aws-openshift-platform-compliance 790f983 link true /test e2e-aws-openshift-platform-compliance
ci/prow/images 790f983 link true /test images
ci/prow/4.14-images 790f983 link true /test 4.14-images
ci/prow/4.16-images 790f983 link true /test 4.16-images
ci/prow/4.21-images 790f983 link true /test 4.21-images
ci/prow/4.20-images 790f983 link true /test 4.20-images
ci/prow/4.18-images 790f983 link true /test 4.18-images
ci/prow/4.12-images 790f983 link true /test 4.12-images
ci/prow/4.17-images 790f983 link true /test 4.17-images
ci/prow/4.22-images 790f983 link true /test 4.22-images
ci/prow/4.19-images 790f983 link true /test 4.19-images


@teacup-on-rockingchair teacup-on-rockingchair merged commit 273cad0 into ComplianceAsCode:master Jun 12, 2026
56 of 71 checks passed
Labels

ok-to-test Used by openshift-ci bot. SLES SUSE Linux Enterprise Server product related.


4 participants