action #114445
closed action #93886: [sle][security][backlog] automate testing of scap-security-guide
[security] add stig and stig_remediated_selinux tests to 15-SP4 security maintenance job group
Added by pstivanin over 2 years ago. Updated over 1 year ago.
Updated by pstivanin over 2 years ago
- Status changed from New to In Progress
- Estimated time set to 16.00 h
Updated by maritawerner over 2 years ago
- Subject changed from add stig and stig_remediated_selinux tests to 15-SP4 security maintenance job group to [security] add stig and stig_remediated_selinux tests to 15-SP4 security maintenance job group
Updated by pstivanin over 2 years ago
The test currently fails because it requires a huge amount of RAM. I've done some testing (and updated https://bugzilla.suse.com/show_bug.cgi?id=1194724), and I found out that we need 16 GB to successfully execute the 'stig' test.
Updated by pstivanin over 2 years ago
We are currently shipping oscap v1.3.5 on 15-SP4, and with release 1.3.6 there seems to be a memory limit option: https://github.com/OpenSCAP/openscap/blob/maint-1.3/NEWS#L5=
The alternative would be to use a highmem worker in openqa.
Updated by pstivanin over 2 years ago
With a 16 GB worker, the eval test passes successfully. Now we are blocked due to https://bugzilla.opensuse.org/show_bug.cgi?id=1194676 .
Updated by pstivanin over 2 years ago
- Status changed from In Progress to Blocked
Updated by pstivanin over 2 years ago
Due to https://bugzilla.opensuse.org/show_bug.cgi?id=1194676 , we need to wait until scap-security-guide 1.63 is released on 15-SP4. This should happen some time in August.
Updated by pstivanin over 2 years ago
- Assignee set to pstivanin
We need version 1.64, because some fixes were not part of the 1.63 release. This means that we've gotta wait until end of Sep.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/9564570#step/oscap_xccdf_remediate/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234
Expect the next reminder at the earliest in 96 days if nothing changes in this ticket.
Updated by pstivanin about 2 years ago
0.1.64 is out. Now we need to wait until it reaches 15-SP{4,5}
Updated by pstivanin about 2 years ago
MR is in staging: https://smelt.suse.de/incident/26335/
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/9758790#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by pstivanin about 2 years ago
S:M:26335:283327 is now in the testing queue.
Updated by pstivanin about 2 years ago
- Status changed from Blocked to In Progress
- % Done changed from 0 to 20
- Estimated time deleted (16.00 h)
Updated by pstivanin about 2 years ago
- Status changed from In Progress to Blocked
- % Done changed from 20 to 40
Some remediations are now passing, but a few are still failing:
Failing/erroring remediations:

Title Verify '/proc/sys/crypto/fips_enabled' exists
Rule xccdf_org.ssgproject.content_rule_is_fips_mode_enabled
Ident CCE-85763-1
Result fail

Title Ensure /var/log/audit Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Ident CCE-85618-7
Result fail

Title Install Smart Card Packages For Multifactor Authentication
Rule xccdf_org.ssgproject.content_rule_install_smartcard_packages
Ident CCE-83292-3
E: oscap: RPM: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
E: oscap: RPM: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
E: oscap: RPM: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
E: oscap: RPM: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: db4 error(-30986) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
Result error

Title Configure Smart Card Certificate Authority Validation
Rule xccdf_org.ssgproject.content_rule_smartcard_configure_ca
Ident CCE-83272-5
Result error

Title Configure Smart Card Certificate Status Checking
Rule xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking
Ident CCE-83293-1
Result error

Title Ensure the default plugins for the audit dispatcher are Installed
Rule xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed
Ident CCE-85613-8
Result error

Title Install the pam_apparmor Package
Rule xccdf_org.ssgproject.content_rule_package_pam_apparmor_installed
Ident CCE-85765-6
Result error

Title Set Boot Loader Password in grub2
Rule xccdf_org.ssgproject.content_rule_grub2_password
Ident CCE-83274-1
Result fail

I've reopened https://bugzilla.opensuse.org/show_bug.cgi?id=1194676 .
Also, while on 15-SP4 we are using the most recent version, on 15-SP5-beta1 we are still using the older 0.1.63-150000.1.45.1.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/9969414#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/10019850#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/10219437#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by tjyrinki_suse almost 2 years ago
Viktor has independently started working on a fix on the bug that is blocking this ticket, PR brewing at https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/16234
Updated by pstivanin almost 2 years ago
This requires apparmor to be enabled on the mru job.
Updated by pstivanin almost 2 years ago
- % Done changed from 40 to 60
Done with: https://gitlab.suse.de/qa-maintenance/qam-openqa-yml/-/merge_requests/452
Now the test is green on all archs: https://openqa.suse.de/tests/overview?distri=sle&version=15-SP4&build=20230125-1&groupid=431
I'll let it run there for the weekend, and then merge the PR on Monday if everything stays green and stable during these days.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/10435912#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/10528785#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by pstivanin almost 2 years ago
- Status changed from Blocked to In Progress
Updated by pstivanin almost 2 years ago
- Status changed from In Progress to Resolved
Updated by openqa_review over 1 year ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: stig
https://openqa.suse.de/tests/10599073#step/oscap_xccdf_remediate/1
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.