Remove DoD-specific verbiage from rule.yml files#14834
Conversation
Several rule.yml files described generic security requirements using DoD-specific phrasing, making the content appear policy-specific even when the underlying requirement applies to any organization. Replace the DoD-framed audit event capability description in three SELinux audit rules (semanage, setfiles, setsebool) with generic language. Remove the named DoD form reference in httpd_antivirus_scan_uploads, and remove the named product and government contact URL from the install_hids warning block. Also fix a pre-existing trailing whitespace on line 30 of audit_rules_execution_semanage/rule.yml, found during lint verification of the same file. Note: mcafee_security_software/group.yml was reviewed but excluded from this PR. Its DoD-specific content is the entire substance of the rule, not incidental wording. Resolves: ComplianceAsCode#8709
|
Hi @Tomatotech90. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_install_hids'.
--- xccdf_org.ssgproject.content_rule_install_hids
+++ xccdf_org.ssgproject.content_rule_install_hids
@@ -9,12 +9,11 @@
sessions which may become compromised.
[warning]:
-In DoD environments, supplemental intrusion detection and antivirus tools,
-such as the McAfee Host-based Security System, are available to integrate with
-existing infrastructure. Per DISA guidance, when these supplemental tools interfere
-with proper functioning of SELinux, SELinux takes precedence. Should further
-clarification be required, DISA contact information is published publicly at
-https://www.cyber.mil/stigs/
+In some environments, supplemental intrusion detection and antivirus tools
+are deployed to integrate with existing infrastructure. When these
+supplemental tools interfere with proper functioning of SELinux, SELinux
+should take precedence. Consult your organization's security guidance for
+further clarification.
[reference]:
1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads'.
--- xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads
+++ xccdf_org.ssgproject.content_rule_httpd_antivirus_scan_uploads
@@ -10,9 +10,9 @@
Remote web authors should not be able to upload files to the Document Root
directory structure without virus checking and checking for malicious or mobile
code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with
-the hosting agency and has submitted a DoD form 2875 (System Authorization
-Access Request (SAAR)) or an equivalent document, will be allowed to post files
-to a temporary location on the server. All posted files to this temporary
-location will be scanned for viruses and content checked for malicious or mobile
-code. Only files free of viruses and malicious or mobile code will be posted to
-the appropriate DocumentRoot directory.
+the hosting agency and has submitted a System Authorization Access Request
+(SAAR) or an equivalent document, will be allowed to post files to a temporary
+location on the server. All posted files to this temporary location will be
+scanned for viruses and content checked for malicious or mobile code. Only
+files free of viruses and malicious or mobile code will be posted to the
+appropriate DocumentRoot directory. |
|
CI is failing on the UBI8 Automatus job with Couldn't install required packages: audit. |
Mab879
left a comment
There was a problem hiding this comment.
Thanks for the PR and keeping the changes easily reviewable.
|
Thanks. I will do the rest now. |
Description:
Several rule.yml files described generic security requirements using DoD-specific phrasing, making the content appear policy-specific even when the underlying requirement applies to any organization. This PR removes that DoD-specific framing from five files.
Rationale:
Replace the DoD-framed audit event capability description in three SELinux audit rules (semanage, setfiles, setsebool) with generic language. Remove the named DoD form reference in httpd_antivirus_scan_uploads, and remove the named product and government contact URL from the install_hids warning block. Also fixes a pre-existing trailing whitespace on line 30 of audit_rules_execution_semanage/rule.yml, found during lint verification of the same file.
Updates #8709 (does not fully close it out; the issue covers 119 occurrences across 37 files, and this PR addresses 5 of them).
mcafee_security_software/group.yml was reviewed but excluded from this PR. Its DoD-specific content is the entire substance of the rule, not incidental wording, so generalizing it would misrepresent the rule's purpose.
Review Hints:
The five files changed are independent of each other; each can be reviewed individually. The trailing-whitespace fix in audit_rules_execution_semanage/rule.yml is unrelated to the DoD wording change and was included since the file was already being touched in this PR.
Notes:
This PR covers 5 of the 119 occurrences as a first pass. I'm planning to continue with the remaining prose-only files in a follow-up PR once this one gets reviewed, to keep each PR small and easy to verify. Will hold off on the XCCDF-variable and banner-text occurrences until I can confirm the right approach with you first.