Replace SCE checks with OVAL for all_apparmor_profiles_enforced and c…#14773

Open
israel-villar wants to merge 2 commits into
ComplianceAsCode:masterfrom
israel-villar:fix/sce-to-oval-apparmor-ufw
Conversation

@israel-villar
Contributor

…heck_ufw_active

SCE scripts are executed by OpenSCAP by writing them to /tmp and running them. When /tmp has the noexec mount option (required by CIS 1.1.2.4), the scripts fail silently, producing incorrect results.

  • all_apparmor_profiles_enforced: add OVAL check that counts profiles in /sys/kernel/security/apparmor/profiles and verifies all are in enforce mode; remove sce/shared.sh; extend bash remediation to Debian products.
  • check_ufw_active: add OVAL check that reads ENABLED=yes from /etc/ufw/ufw.conf; add bash remediation for Debian; remove sce/shared.sh.

Description:

  • all_apparmor_profiles_enforced: add oval/shared.xml that reads
    /sys/kernel/security/apparmor/profiles and verifies all profiles are
    in enforce mode; remove sce/shared.sh; extend bash remediation to
    Debian products.
  • check_ufw_active: add oval/shared.xml that checks ENABLED=yes
    in /etc/ufw/ufw.conf; add bash/shared.sh for Debian and Ubuntu;
    remove sce/shared.sh.

Rationale:

  • OpenSCAP executes SCE scripts by writing them to /tmp and running
    them. When /tmp has the noexec mount option — required by
    CIS 1.1.2.4 — the scripts fail silently, producing incorrect scan
    results.

Review Hints:

  • Build both debian13 and ubuntu2404 to verify no regression:
    ./build_product debian13 --datastream-only
    ./build_product ubuntu2404 --datastream-only
  • To reproduce the original failure: mount /tmp with noexec and
    scan with the SCE-based content — both rules return pass regardless
    of system state.
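The two checks the PR describes, re-expressed as an added Python example for reading purposes; this is not the PR's OVAL content nor any ComplianceAsCode code. The file contents are constructed samples, and treating zero loaded profiles as a failure is this example's own assumption.

```python
"""Evaluate the all_apparmor_profiles_enforced and check_ufw_active logic
over constructed sample file contents (added example, not project code)."""
import re

# /sys/kernel/security/apparmor/profiles lists one "<name> (<mode>)" per line.
PROFILE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>[a-z]+)\)$")


def parse_apparmor_profiles(text):
    """Return {profile_name: mode} for every loaded profile line."""
    profiles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROFILE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised profile line: {line!r}")
        profiles[m.group("name")] = m.group("mode")
    return profiles


def all_apparmor_profiles_enforced(text):
    """Pass only if every loaded profile is in enforce mode.
    Assumption of this example: zero loaded profiles is a fail, since then
    nothing is being confined (complain/kill/unconfined also fail)."""
    profiles = parse_apparmor_profiles(text)
    return bool(profiles) and all(mode == "enforce" for mode in profiles.values())


def check_ufw_active(conf_text):
    """Pass if ufw.conf sets ENABLED=yes; comments are ignored and the
    last assignment wins, as a shell-style config would be read."""
    enabled = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^ENABLED=(\S+)$", line)
        if m:
            enabled = m.group(1).strip("\"'").lower()
    return enabled == "yes"


# Constructed sample inputs (not captured from a real system).
SAMPLE_PROFILES_OK = "/usr/sbin/cupsd (enforce)\n/usr/bin/man (enforce)\nlsb_release (enforce)\n"
SAMPLE_PROFILES_MIXED = "/usr/sbin/cupsd (enforce)\n/usr/bin/man (complain)\n"
SAMPLE_UFW_CONF = "# /etc/ufw/ufw.conf\n#\nENABLED=yes\nLOGLEVEL=low\n"
SAMPLE_UFW_DISABLED = "ENABLED=no\nLOGLEVEL=low\n"
```

Because these functions read file contents rather than executing a script, they give the same answer whether or not /tmp is mounted noexec, which is the property the OVAL replacement restores.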

@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 5, 2026

The rule already has an OVAL check (oval/shared.xml) that verifies the
sum of enforced + complaining profiles equals the total loaded profiles.
The SCE script fails silently when /tmp has the noexec mount option
(required by CIS 1.1.2.4), since OpenSCAP writes scripts to /tmp before
executing them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>