
nist_800_53: fix sync script variable lookup and complete CIS→NIST mappings#14785

Open
ggbecker wants to merge 1 commit into ComplianceAsCode:master from ggbecker:investigate-nist-sync-issue

Conversation

@ggbecker ggbecker (Member) commented Jun 8, 2026

Description:

  • nist_800_53: fix sync script variable lookup and complete CIS→NIST mappings
    • Fix two bugs in sync_nist_split.py that caused mapped variables to land in other.yml instead of their NIST family files, and add 42 missing CIS→NIST rule/variable mappings so all reference files are fully populated with no other.yml remaining.

Rationale:

@ggbecker ggbecker added this to the 0.1.82 milestone Jun 8, 2026
Comment on lines +170 to +171
- var_auditd_disk_full_action=cis_rhel10
- var_auditd_disk_error_action=cis_rhel10

Collaborator

adds duplicates

rules:
- auditd_data_retention_max_log_file
- auditd_data_retention_max_log_file_action
- var_auditd_max_log_file=8

Collaborator

adds a duplicate

Comment on lines +16 to +17
- var_auditd_admin_space_left_action=cis_rhel8
- var_auditd_admin_space_left_action=cis_rhel8
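Review bot: lines +16 and +17 are identical; `var_auditd_admin_space_left_action=cis_rhel8` is selected twice under the same control. Drop the second entry so each variable is selected once per control.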

Collaborator

some items are added twice

Comment on lines +271 to +272
- var_auditd_max_log_file=8
- var_auditd_max_log_file=8
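Review bot: lines +271 and +272 both select `var_auditd_max_log_file=8`; keep only one of the two entries.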

Collaborator

it seems that there will be more problems with duplication

@vojtapolasek vojtapolasek self-assigned this Jun 10, 2026
…ppings

Fix two bugs in sync_nist_split.py that caused mapped variables to land
in other.yml instead of their NIST family files, and add 42 missing
CIS→NIST rule/variable mappings so all reference files are fully
populated with no other.yml remaining.
@ggbecker ggbecker force-pushed the investigate-nist-sync-issue branch from 4f4c0bd to fab8d57 on June 10, 2026 13:06
@ggbecker ggbecker (Member, Author)

@jan-cerny Hopefully there are no more duplicates in the variables space, even though you might still see rules that are selected across different NIST controls, but I think that is intentional since a rule can implement different controls at the same time.

I think for the future, moving the variables out from the inline controls selection might help in isolating the variables to make it easier for users to modify the values. Then mention where a variable might affect a control, whenever that control selects a rule that can be customized by a variable.
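A check for the kind of duplication the reviewers flagged, added here as an example (it is not the project's sync_nist_split.py): it reports a selection repeated verbatim inside one control, a variable given two different values in one control, and a variable selected under several controls. The controls YAML is constructed to mirror the flagged lines, and the parser understands only the `id:` / `rules:` / list-item subset, so PyYAML is not required.

```python
"""Detect duplicate rule/variable selections in a ComplianceAsCode-style
controls file.  Example code, not the project's own; the sample below is
constructed and the line parser handles only `- id:` / `rules:` / `- item`."""
from collections import defaultdict

SAMPLE = """\
controls:
  - id: AU-4
    rules:
      - auditd_data_retention_max_log_file
      - auditd_data_retention_max_log_file_action
      - var_auditd_max_log_file=8
      - var_auditd_max_log_file=8
  - id: AU-5
    rules:
      - auditd_data_retention_admin_space_left_action
      - var_auditd_admin_space_left_action=cis_rhel8
      - var_auditd_admin_space_left_action=cis_rhel8
      - var_auditd_admin_space_left_action=single
      - var_auditd_max_log_file=6
"""

def parse_controls(text):
    """Return {control_id: [selection, ...]}, keeping order and repeats."""
    controls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- id:"):          # start of a new control entry
            current = line.split(":", 1)[1].strip()
            controls[current] = []
        elif line.startswith("- ") and current is not None:
            controls[current].append(line[2:].strip())   # rule or var=value
    return controls

def find_duplicates(controls):
    """Return (exact, conflicting, cross):
    exact       -> (control, selection) repeated verbatim in one control
    conflicting -> (control, var) given two different values in one control
    cross       -> {var: [controls]} for a variable selected in >1 control"""
    exact, conflicting, by_var = [], [], defaultdict(set)
    for cid, sels in controls.items():
        seen, values = set(), defaultdict(set)
        for sel in sels:
            if sel in seen:
                exact.append((cid, sel))
            seen.add(sel)
            if "=" in sel:                    # variable selection, not a rule
                var, val = sel.split("=", 1)
                values[var].add(val)
                by_var[var].add(cid)
        conflicting += [(cid, v) for v, vals in values.items() if len(vals) > 1]
    cross = {v: sorted(c) for v, c in by_var.items() if len(c) > 1}
    return exact, conflicting, cross

if __name__ == "__main__":
    for name, finding in zip(("exact", "conflicting", "cross"),
                             find_duplicates(parse_controls(SAMPLE))):
        print(name, finding)
```

Cross-control hits are reported but not necessarily wrong, since the same rule may legitimately implement several controls; the exact and conflicting lists are the ones to act on.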

@ggbecker ggbecker requested a review from jan-cerny June 10, 2026 13:09
@openshift-ci openshift-ci Bot commented Jun 10, 2026
@ggbecker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                   Commit   Details  Required  Rerun command
ci/prow/4.21-images                         fab8d57  link     true      /test 4.21-images
ci/prow/4.20-images                         fab8d57  link     true      /test 4.20-images
ci/prow/4.19-images                         fab8d57  link     true      /test 4.19-images
ci/prow/e2e-aws-openshift-node-compliance   fab8d57  link     true      /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

3 participants