Workaround OpenSCAP issue for Image Mode #13645
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Use full path for some commands in /usr/sbin in Bash remediations. This is a workaround for OpenSCAP issue: OpenSCAP/openscap#2242 A proper fix would be in OpenSCAP, but it's less likely to update OpenSCAP in downstream than to update the content. Effectively, this change will fix some rules that fail when building a hardened bootable container image: ComplianceAsCode#13550 ComplianceAsCode#13551 ComplianceAsCode#13552 In future, this problem will be smaller, because starting from Fedora 42, /usr/sbin is a symlink to /usr/bin, see: https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin
|
Skipping CI for Draft Pull Request. |
|
Code Climate has analyzed commit b3a383d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
|
@jan-cerny: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/retest |
jan-cerny
added a commit
to jan-cerny/contest
that referenced
this pull request
Jul 14, 2025
The issue ComplianceAsCode/content#13550 is closed. It has been fixed or worked around by ComplianceAsCode/content#13645. As of 2025-07-14, the issue doesn't appear in daily productization. Also, I can't reproduce it locally using autocontest. I used current upstream master as of HEAD f78aeca. In the HTML report, all 3 rules listed in the description are passing. They pass both on RHEL 9 and 10.
matusmarhefka
pushed a commit
to RHSecurityCompliance/contest
that referenced
this pull request
Jul 14, 2025
The issue ComplianceAsCode/content#13550 is closed. It has been fixed or worked around by ComplianceAsCode/content#13645. As of 2025-07-14, the issue doesn't appear in daily productization. Also, I can't reproduce it locally using autocontest. I used current upstream master as of HEAD f78aeca. In the HTML report, all 3 rules listed in the description are passing. They pass both on RHEL 9 and 10.
jan-cerny
added a commit
to jan-cerny/contest
that referenced
this pull request
Jul 14, 2025
Issues ComplianceAsCode/content#13551 and ComplianceAsCode/content#13551 have been closed. They have been fixed or worked around by ComplianceAsCode/content#13645. As of 2025-07-14, these issues don't appear in daily productization. Also, I can't reproduce them locally using autocontest. I used current upstream master as of HEAD f78aeca. In the HTML reports they pass on both RHEL 9 and RHEL 10.
matusmarhefka
pushed a commit
to RHSecurityCompliance/contest
that referenced
this pull request
Jul 14, 2025
Issues ComplianceAsCode/content#13551 and ComplianceAsCode/content#13551 have been closed. They have been fixed or worked around by ComplianceAsCode/content#13645. As of 2025-07-14, these issues don't appear in daily productization. Also, I can't reproduce them locally using autocontest. I used current upstream master as of HEAD f78aeca. In the HTML reports they pass on both RHEL 9 and RHEL 10.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use full path for some commands in /usr/sbin in Bash remediations.
This is a workaround for OpenSCAP issue:
OpenSCAP/openscap#2242
A proper fix would be in OpenSCAP, but it's less likely to update OpenSCAP in downstream than to update the content.
Effectively, this change will fix some rules that fail when building a hardened bootable container image:
#13550 #13551 #13552
In future, this problem will be smaller, because starting from Fedora 42, /usr/sbin is a symlink to /usr/bin, see: https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin