Skip to content

Remove DoD-specific verbiage from rule.yml files#14834

Merged
Mab879 merged 1 commit into
ComplianceAsCode:masterfrom
Tomatotech90:fix-dod-verbiage-rule-yml
Jun 30, 2026
Merged

Remove DoD-specific verbiage from rule.yml files#14834
Mab879 merged 1 commit into
ComplianceAsCode:masterfrom
Tomatotech90:fix-dod-verbiage-rule-yml

Conversation

@Tomatotech90

@Tomatotech90 Tomatotech90 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Description:

Several rule.yml files described generic security requirements using DoD-specific phrasing, making the content appear policy-specific even when the underlying requirement applies to any organization. This PR removes that DoD-specific framing from five files.

Rationale:

Replace the DoD-framed audit event capability description in three SELinux audit rules (semanage, setfiles, setsebool) with generic language. Remove the named DoD form reference in httpd_antivirus_scan_uploads, and remove the named product and government contact URL from the install_hids warning block. Also fixes a pre-existing trailing whitespace on line 30 of audit_rules_execution_semanage/rule.yml, found during lint verification of the same file.

Updates #8709 (does not fully close it out; the issue covers 119 occurrences across 37 files, and this PR addresses 5 of them).

mcafee_security_software/group.yml was reviewed but excluded from this PR. Its DoD-specific content is the entire substance of the rule, not incidental wording, so generalizing it would misrepresent the rule's purpose.

Review Hints:

The five files changed are independent of each other; each can be reviewed individually. The trailing-whitespace fix in audit_rules_execution_semanage/rule.yml is unrelated to the DoD wording change and was included since the file was already being touched in this PR.

Notes:

This PR covers 5 of the 119 occurrences as a first pass. I'm planning to continue with the remaining prose-only files in a follow-up PR once this one gets reviewed, to keep each PR small and easy to verify. Will hold off on the XCCDF-variable and banner-text occurrences until I can confirm the right approach with you first.

Several rule.yml files described generic security requirements
using DoD-specific phrasing, making the content appear
policy-specific even when the underlying requirement applies
to any organization.

Replace the DoD-framed audit event capability description in
three SELinux audit rules (semanage, setfiles, setsebool) with
generic language. Remove the named DoD form reference in
httpd_antivirus_scan_uploads, and remove the named product and
government contact URL from the install_hids warning block.

Also fix a pre-existing trailing whitespace on line 30 of
audit_rules_execution_semanage/rule.yml, found during lint
verification of the same file.

Note: mcafee_security_software/group.yml was reviewed but
excluded from this PR. Its DoD-specific content is the entire
substance of the rule, not incidental wording.

Resolves: ComplianceAsCode#8709
@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 29, 2026
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown

Hi @Tomatotech90. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Mab879 Mab879 self-assigned this Jun 29, 2026
@github-actions

Copy link
Copy Markdown

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_install_hids'.
--- xccdf_org.ssgproject.content_rule_install_hids
+++ xccdf_org.ssgproject.content_rule_install_hids
@@ -9,12 +9,11 @@
 sessions which may become compromised.
 
 [warning]:
-In DoD environments, supplemental intrusion detection and antivirus tools,
-such as the McAfee Host-based Security System, are available to integrate with
-existing infrastructure. Per DISA guidance, when these supplemental tools interfere
-with proper functioning of SELinux, SELinux takes precedence. Should further
-clarification be required, DISA contact information is published publicly at
-https://www.cyber.mil/stigs/
+In some environments, supplemental intrusion detection and antivirus tools
+are deployed to integrate with existing infrastructure. When these
+supplemental tools interfere with proper functioning of SELinux, SELinux
+should take precedence. Consult your organization's security guidance for
+further clarification.
 
 [reference]:
 1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads'.
--- xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads
+++ xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads
@@ -10,9 +10,9 @@
 Remote web authors should not be able to upload files to the Document Root
 directory structure without virus checking and checking for malicious or mobile
 code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with
-the hosting agency and has submitted a DoD form 2875 (System Authorization
-Access Request (SAAR)) or an equivalent document, will be allowed to post files
-to a temporary location on the server. All posted files to this temporary
-location will be scanned for viruses and content checked for malicious or mobile
-code. Only files free of viruses and malicious or mobile code will be posted to
-the appropriate DocumentRoot directory.
+the hosting agency and has submitted a System Authorization Access Request
+(SAAR) or an equivalent document, will be allowed to post files to a temporary
+location on the server. All posted files to this temporary location will be
+scanned for viruses and content checked for malicious or mobile code. Only
+files free of viruses and malicious or mobile code will be posted to the
+appropriate DocumentRoot directory.

@Tomatotech90

Copy link
Copy Markdown
Contributor Author

CI is failing on the UBI8 Automatus job with Couldn't install required packages: audit.
This PR only changes prose in five rule.yml files, my read is that this is the test container being unable to install audit, surfaced because three of the changed files (audit_rules_execution_semanage, setfiles, setsebool) are in scope for testing here, not because of anything in the wording itself. Happy to split the audit-rule files into a separate PR if that's preferred, or wait for guidance on the CI side. Let me know how you'd like to proceed.

@Mab879 Mab879 added this to the 0.1.82 milestone Jun 30, 2026

@Mab879 Mab879 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR and keeping the changes easily reviewable.

@Mab879 Mab879 merged commit ebf9917 into ComplianceAsCode:master Jun 30, 2026
56 of 58 checks passed
@Tomatotech90

Tomatotech90 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Thanks. I will do the rest now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Used by openshift-ci bot.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants