
Update SLE15 public cloud profiles#14759

Open
jgleissner wants to merge 2 commits into
ComplianceAsCode:masterfrom
jgleissner:sle15-pubcloud-update

Conversation

@jgleissner


Description:

This PR makes the following changes to the SLE15 profiles:

  • Drop smartcard related rules
  • Drop mount_option_dev_shm_noexec from SAP profile
  • Add profile for CHOST hardening

Rationale:

  • Public cloud VMs do not have smartcard readers, so smartcard-related rules in the public cloud profiles are pointless
  • mount_option_dev_shm_noexec seems to expect /dev/shm to be mounted via /etc/fstab, which is not the case in SLES, so it seems incompatible
  • For SLES instances that are optimized as a container host, we need a STIG-based profile
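The second rationale bullet turns on where the /dev/shm mount options actually come from. As an added example (not code from this PR or from the ComplianceAsCode project), the POSIX shell check below reads the effective options from a /proc/self/mounts-style table and separately reports whether /etc/fstab has any /dev/shm entry at all; the sample mount table and fstab are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: evaluate noexec on /dev/shm from the *effective* mount table
# (/proc/self/mounts format) instead of /etc/fstab, which on SLES typically has
# no /dev/shm entry because systemd mounts it.

# devshm_has_noexec MOUNTS_FILE
# Returns 0 when the /dev/shm line lists noexec among its options (field 4),
# 1 otherwise, including when /dev/shm is not mounted at all.
devshm_has_noexec() {
    awk '$2 == "/dev/shm" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# fstab_mentions_devshm FSTAB_FILE
# Returns 0 when a non-comment fstab line has /dev/shm as its mount point.
fstab_mentions_devshm() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $2 == "/dev/shm" { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed sample data, not captured from a real system: a systemd-mounted
# /dev/shm that already carries noexec, and an fstab with no /dev/shm entry.
SAMPLE_MOUNTS=$(mktemp)
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,inode64 0 0
/dev/vda2 / xfs rw,relatime,attr2,inode64 0 0
EOF
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed fstab: root only, no /dev/shm line
UUID=constructed-uuid / xfs defaults 0 0
EOF

# Report both facts side by side so the fstab-only view can be compared with
# what the kernel actually enforces.
report() {
    if devshm_has_noexec "$1"; then echo "/dev/shm: noexec is in effect"
    else echo "/dev/shm: noexec NOT in effect"; fi
    if fstab_mentions_devshm "$2"; then echo "fstab: /dev/shm entry present"
    else echo "fstab: no /dev/shm entry (mounted by systemd, not fstab)"; fi
}
report "$SAMPLE_MOUNTS" "$SAMPLE_FSTAB"
rm -f "$SAMPLE_MOUNTS" "$SAMPLE_FSTAB"
```

On a live system the same functions can be pointed at /proc/self/mounts and /etc/fstab directly.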

Drop smartcard related rules.
Drop mount_option_dev_shm_noexec from SAP profile.
Add profile for CHOST hardening.
@jgleissner jgleissner requested a review from a team as a code owner June 3, 2026 12:03
@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 3, 2026
@openshift-ci

openshift-ci Bot commented Jun 3, 2026


Hi @jgleissner. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Mab879 Mab879 added this to the 0.1.82 milestone Jun 4, 2026

@svet-se svet-se left a comment

Contributor


LGTM

@svet-se svet-se self-assigned this Jun 10, 2026
@svet-se svet-se added the SLES SUSE Linux Enterprise Server product related. label Jun 10, 2026
@svet-se

svet-se commented Jun 10, 2026

Contributor

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Jun 10, 2026
@svet-se

svet-se commented Jun 11, 2026

Contributor

/retest-required

@jgleissner

Author

I don't think the failing tests are related to the changes in this PR.

Drop rule disable_ctrlaltdel_burstaction (pointless in public clouds).
Drop rule file_etc_security_opasswd (remediation is broken).
@jgleissner

Author

I've removed two more rules from the SLE15 public cloud profiles. disable_ctrlaltdel_burstaction does not make sense in a public cloud VM. file_etc_security_opasswd has broken remediation: it fails if /etc/security/opasswd does not exist or has the wrong permissions, making it pointless.

@jgleissner jgleissner requested a review from svet-se June 11, 2026 16:28
@svet-se

svet-se commented Jun 12, 2026

Contributor

/retest

@svet-se

svet-se commented Jun 12, 2026

Contributor

/retest-required

@openshift-ci

openshift-ci Bot commented Jun 12, 2026


@jgleissner: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name            Commit   Details  Required  Rerun command
ci/prow/4.20-images  b62db36  link     true      /test 4.20-images
ci/prow/4.21-images  b62db36  link     true      /test 4.21-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
