Debian13 20260702#14851
Conversation
|
Hi @a-skr. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Tip We noticed you've done this a few times! Consider joining the org to skip this step and gain Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Change in Ansible Please consider using more suitable Ansible module than |
|
Change in Ansible Please consider using more suitable Ansible module than |
|
|
||
| reference: https://www.cisecurity.org/benchmark/debian_linux | ||
|
|
||
| title: 'CIS Debian Benchmark for Level 2 - Server' |
There was a problem hiding this comment.
Please add also profile for the Level 1 - Server.
There was a problem hiding this comment.
profile for level 1 server is already present thanks to another contributor.
| - l1_server | ||
| - l1_workstation | ||
| rules: | ||
| - var_password_hashing_algorithm_pam=yescrypt |
There was a problem hiding this comment.
The CIS Benchmark allows both SHA512 and yescrypt. You should create and select value that allows both ciphers, see linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var how we did that for RHEL 10.
There was a problem hiding this comment.
will be fixed with next commits
| levels: | ||
| - l2_server | ||
| - l2_workstation | ||
| rules: |
There was a problem hiding this comment.
will be fixed with next commits
| - file_permissions_var_log_gdm | ||
| - file_permissions_var_log_gdm3 | ||
| - file_permissions_var_log_lastlog | ||
| - file_permissions_var_log_cloud-init |
There was a problem hiding this comment.
file_permissions_var_log_cloud-init appears twice
There was a problem hiding this comment.
will be fixed with next commits
| status: automated | ||
|
|
||
| - id: 2.1.16 | ||
| title: Ensure tftp server services are not in use (Automated) |
There was a problem hiding this comment.
The requirement 2.1.16 should be about telnet
2.1.16 Ensure telnet-server services are not in use (Automated)
There was a problem hiding this comment.
it will be fixed in next commits, along with the related rules. That includes updating some template files to handle virtual debian packages properly.
| - l1_server | ||
| - l1_workstation | ||
| rules: | ||
| - sshd_strong_macs=cis_debian12 |
There was a problem hiding this comment.
I'd suggest creating a special selector for Debian 13 even if that would have the same value.
There was a problem hiding this comment.
will be fixed with next commits.
| - id: 3.3.1. | ||
| title: Ensure is configured (Automated) |
There was a problem hiding this comment.
Suspicious. Please remove this item.
There was a problem hiding this comment.
will be fixed with next commits.
| status: automated | ||
|
|
||
| - id: 7.1.4 | ||
| title: Ensure paccess to /etc/group- is configured (Automated) |
There was a problem hiding this comment.
will be fixed with next commits.
| status: pending | ||
|
|
||
| - id: 3.3.2.1 | ||
| title: Ensure Ensure net.ipv6.conf.all.forwarding is configured (Automated) |
There was a problem hiding this comment.
will be fixed with next commits.
Description: