Ubuntu 24.04: Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user #10800
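# Workflow: build the product datastream at the PR's fork point and at the PR
# head, diff the two, and post the result as a PR comment (or update/delete an
# earlier one). A second pass flags new Ansible `shell` module usage.
name: Compare DS

# NOTE(review): `pull_request_target` runs in the context of the base
# repository and makes `secrets.GITHUB_TOKEN` available (the delete-comment
# steps below use it), yet the second "Build product" step executes the build
# scripts from the PR head that was just checked out. The explicit
# `permissions:` block below narrows what that token can do; the more robust
# design is an unprivileged `pull_request` job that uploads the diff as an
# artifact and a separate `workflow_run` job that reads it and posts the
# comment.
on:
  pull_request_target:
    branches: [ master, 'stabilization*' ]

# Least privilege for the job token: the checkouts need read access to the
# repository; creating, updating and deleting PR comments needs write access to
# issues / pull requests. Every other scope is dropped.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  build-content:
    name: Generate Diff
    runs-on: ubuntu-latest
    container:
      # Mutable tag: the toolchain in the container can change between runs.
      image: fedora:latest
    steps:
      - name: Install Deps
        run: dnf install -y cmake make openscap-utils python3-pyyaml python3-setuptools python3-jinja2 git python3-deepdiff python3-requests jq python3-pip python3-setuptools

      # Unpinned: no version or hash constraints on the packages pulled from PyPI.
      - name: Install deps python
        run: pip install gitpython xmldiff

      # PR head with full history; the history is needed for merge-base below.
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      # https://github.com/actions/checkout/issues/766
      - name: Set git safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      # Merge base of the PR head and the base branch; the "before" datastream
      # is built from this commit. The head SHA is interpolated straight into
      # the script; it comes from the event payload rather than free-form PR
      # text, which is why the same is not done for other PR fields.
      - name: Find forking point
        env:
          BASE_BRANCH: ${{ github.base_ref }}
        run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
        id: fork_point

      - name: Checkout fork point
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          ref: ${{ steps.fork_point.outputs.FORK_POINT }}
          fetch-depth: 0

      # No `ref:` is given, so the CTF repository's default branch is used;
      # unlike the actions in this file, that code is not pinned to a commit.
      - name: Checkout (CTF)
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          repository: ComplianceAsCode/content-test-filtering
          path: ctf

      # CTF's JSON analysis of the PR goes to output.json; an empty file means
      # "no content change" and gates every later step.
      - name: Detect content changes in the PR
        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json

      - name: Test if there are no content changes
        run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
        id: ctf

      - name: Print changes to content detected if any
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: cat output.json

      # `prop` is read from output.json and spliced into the `run:` lines of the
      # build/compare steps with `${{ }}`, i.e. before the shell parses the
      # script. It is presumably a product id; if it can be influenced by PR
      # content, pass it through `env:` and reference it as "$PRODUCT" instead.
      - name: Get product attribute
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: product
        uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
        with:
          path: 'output.json'
          prop_path: 'product'

      # "Before" build: the working tree is still the fork point here.
      - name: Build product ${{ github.base_ref }} (${{ steps.fork_point.outputs.FORK_POINT }})
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: ./build_product ${{steps.product.outputs.prop}} --datastream-only

      # Keep the base datastream outside build/ so the next build cannot
      # overwrite it.
      - name: Copy built datastream stream to be compared
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: cp build/ssg-${{steps.product.outputs.prop}}-ds.xml ssg-${{steps.product.outputs.prop}}-ds.xml

      # Switch to the PR head; `clean: false` preserves the copied datastream.
      # From here on, the build scripts being executed come from the PR.
      - name: Checkout
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          clean: false

      # "After" build, from the PR head.
      - name: Build product
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: ./build_product ${{steps.product.outputs.prop}} --datastream-only

      - name: Compare datastreams
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: utils/compare_ds.py ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log
        env:
          PYTHONPATH: ${{ github.workspace }}

      - name: Test if there are datastream changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: echo "COMPARE_DS_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> $GITHUB_OUTPUT
        id: compare_ds

      - name: Print datastream changes if any
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0'}}
        run: cat diff.log

      # Export the diff as a multi-line output. The heredoc delimiter is
      # random so that no line of the diff can match it and end the value
      # early; the body is cut at 65000 characters to stay under the comment
      # size limit.
      - name: Get diff.log
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0'}}
        id: diff
        run: |
          body=$(cat diff.log)
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "log<<$EOF" >> "$GITHUB_OUTPUT"
          echo "${body:0:65000}" >> "$GITHUB_OUTPUT"
          echo "$EOF" >> "$GITHUB_OUTPUT"

      # Locate a previous bot comment (if any) so it is updated, not duplicated.
      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: This datastream diff is auto generated by the check

      - name: Create or update comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' && steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE <= 65000 }}
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`
            <details>
            <summary>Click here to see the full diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ```
            </details>
          edit-mode: replace

      - name: Create or update a trimmed comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE > 65000 }}
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`.
            Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.
            <details>
            <summary>Click here to see the trimmed diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ... The diff is trimmed here ...
            ```
            </details>
          edit-mode: replace

      # A stale diff comment is removed once a newer push produces no diff.
      - name: Delete existing comment in case new commits trigger no changes in Compare DS tool
        if: ${{ (steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.fc.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.fc.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}

      # Second pass over the same two datastreams; diff.log is reused, so the
      # datastream diff above must already have been exported by this point.
      - name: Compare Ansible playbook shell commands
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: utils/ansible_shell_diff.py ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log
        env:
          PYTHONPATH: ${{ github.workspace }}

      - name: Test if there are Ansible shell module changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> $GITHUB_OUTPUT
        id: ansible_shell_diff

      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: shell_diff
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: Change in Ansible 'shell' module found.

      # Only created once per PR (comment-id == 0 means none exists yet).
      - name: Create comment
        if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }}
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            Change in Ansible `shell` module found.
            Please consider using more suitable Ansible module than `shell` if possible.

      - name: Delete existing comment in case new commits trigger no changes in Ansible shell module
        if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.shell_diff.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}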