This PR follows #14834 and continues addressing issue #8709. #14841
Open
Tomatotech90 wants to merge 1 commit into
Conversation
Continues work from PR ComplianceAsCode#14834. Removes DoD-specific phrasing from 15 additional files, replacing it with policy-agnostic language where the underlying security requirement applies to any organization. Also fixes pre-existing trailing whitespace in var_smartcard_drivers.var and banner_etc_profiled_ssh_confirm/rule.yml found during lint verification. Updates ComplianceAsCode#8709
Hi @Tomatotech90. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Description:
This PR follows #14834 and continues addressing issue #8709.
After #14834 was merged, I went through the remaining files from the
maintainer's grep list and identified 15 additional files where
DoD-specific phrasing can be replaced with policy-agnostic language
without changing the meaning of the underlying security requirement.
Files changed:
Pre-existing trailing whitespace in var_smartcard_drivers.var and
banner_etc_profiled_ssh_confirm/rule.yml was also fixed during lint
verification of those files.
Rationale:
Make security content policy-agnostic, so it applies to any organization,
not only DoD. Each change removes or replaces a DoD-specific reference
with equivalent generic language while preserving the technical requirement.
Updates #8709 (does not fully close it, see notes below).
Notes:
17 files from the original grep list were reviewed but excluded from
this PR. They fall into three groups where the DoD reference is part
of the rule's actual requirement rather than incidental wording.
Guidance from maintainers would be appreciated before touching these.
Group 1: Banner text files (7 files)
banner_etc_issue/rule.yml, banner_etc_issue/policy/stig/shared.yml,
gui_login_dod_acknowledgement/rule.yml, login_banner_text.var,
motd_banner_text.var, remote_login_banner_text.var,
var_web_login_banner_text.var
These files contain the Standard Mandatory DoD Notice and Consent
Banner as verbatim text that checks against. Should the option
keys (dod_banners, dod_default) be renamed, or is that intentional
since DoD STIG profiles select those keys by name?
Group 2: PKI and certificate files (5 files)
sssd_has_trust_anchor/rule.yml,
sssd_has_trust_anchor/policy/stig/shared.yml,
httpd_configure_valid_server_cert/rule.yml,
only_allow_dod_certs/rule.yml,
httpd_configure_banner_page/rule.yml
These rules check for or reference DoD-specific PKI infrastructure
(DoD Root CA, DoD server certificates, cyber.mil). Is there a
generic equivalent that should be used here, or are these rules
intentionally DoD-specific?
Group 3: DoD infrastructure and network files (5 files)
httpd_nipr_accredited_dmz/rule.yml,
smartcard_auth/rule.yml,
chronyd_server_directive/rule.yml,
chronyd_or_ntpd_set_maxpoll/rule.yml
These rules reference DoD-specific networks (NIPRNet/SIPRNet) or
DoD-mandated exemption lists. The NIPRNet/SIPRNet references appear
in srg_requirement fields that quote the STIG SRG verbatim. Should
those be left as-is since they are direct SRG quotes?
Review Hints:
Each file can be reviewed independently. Changes are prose-only with
no impact on OVAL checks, remediations, or rule logic.
Full documentation of the approach, verification steps, and lint/build
results for this PR:
https://github.com/Tomatotech90/github-contribution-log/blob/main/Remove_DoD_Specific_Verbiage_from_rule.yml_(Part%202).md