Reassign a new unique CCE identifier to approved macs STIG rule. #6564
Merged
Self merging this as soon as initial tests pass since this issue makes all jobs fail in the testing for unique CCEs. No need to wait.
ggbecker added SSG-DISA RHEL7 STIG Alignment and removed bugfix (Fixes to reported bugs.) labels Jan 28, 2021
@vojtapolasek I've removed the bugfix label since we don't need to backport it to the stabilization branch.
brett060102 added a commit to brett060102/content that referenced this pull request Apr 2, 2021
Process:
    git add remote upstream https://github.com/ComplianceAsCode/content
    git remote update
    git branch -t merge_upstream6 origin/development
    git checkout merge_upstream6
    git merge --squash upstream/master
    Resolve all conflicts.
    git commit -a
    git push origin merge_upstream6:dev_sync_up_master6

Following files in conflict:
both modified: applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
    text added to decript in upstream
both added: applications/openshift/authentication/idp_is_configured/rule.yml
    upstream added: references: cis: 3.1.1
both modified: linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
    upstream removed RH stig ID

Following came from last merge with upstream, we have no changes, so use upstream file contents:
both added: rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
both added: rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
both added: rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
both added: rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
both added: rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
both added: rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg

both modified: shared/templates/extra_ovals.yml
    we have change has not gone upstream yet. So, include local change.
both modified: shared/templates/yamlfile_value/oval.template
    conflict with last merge from upstream. We have made no local changes. Use upstream contents.
both modified: shared/templates/yamlfile_value/template.py
    conflict with last merge from upstream. We have made no local changes. Use upstream contents.
both modified: sle12/profiles/stig.profile
    Use contents from development branch

Full modified list:
modified: .all-contributorsrc
modified: CMakeLists.txt
modified: Contributors.md
modified: Contributors.xml
modified: README.md
modified: applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
modified: applications/openshift/api-server/api_server_encryption_provider_config/rule.yml
deleted: applications/openshift/api-server/api_server_profiling/rule.yml
new file: applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
new file: applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
modified: applications/openshift/authentication/idp_is_configured/rule.yml
new file: applications/openshift/logging/audit_profile_set/rule.yml
new file: applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
new file: applications/openshift/logging/group.yml
new file: applications/openshift/logging/var_openshift_audit_profile.var
modified: controls/anssi.yml
modified: linux_os/guide/services/base/service_qpidd_disabled/rule.yml
modified: linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
modified: linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
modified: linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
modified: linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml
modified: linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml
modified: ocp4/profiles/cis.profile
modified: ocp4/profiles/e8.profile
modified: ol7/profiles/pci-dss.profile
modified: ol7/profiles/standard.profile
modified: ol8/profiles/pci-dss.profile
modified: ol8/profiles/standard.profile
modified: release_tools/README.md
modified: release_tools/content_gh.py
modified: rhcos4/profiles/e8.profile
modified: rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
modified: rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
modified: rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
modified: rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
modified: rhel7/profiles/anssi_nt28_enhanced.profile
modified: rhel7/profiles/anssi_nt28_high.profile
modified: rhel7/profiles/anssi_nt28_intermediary.profile
modified: rhel7/profiles/anssi_nt28_minimal.profile
modified: rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-cis-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-cui-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
modified: rhel8/kickstart/ssg-rhel8-stig-ks.cfg
modified: rhel8/profiles/anssi_bp28_enhanced.profile
modified: rhel8/profiles/anssi_bp28_high.profile
modified: rhel8/profiles/anssi_bp28_intermediary.profile
modified: rhel8/profiles/anssi_bp28_minimal.profile
modified: rhel8/profiles/e8.profile
modified: shared/references/cce-redhat-avail.txt
modified: shared/templates/yamlfile_value/oval.template
modified: shared/templates/yamlfile_value/template.py
modified: sle12/product.yml
modified: sle15/product.yml

Squashed commit of the following:

commit c47d487
Merge: 7198b5d 09695bb
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon Feb 8 19:01:43 2021 +0100

    Merge pull request ComplianceAsCode#6604 from freddieRv/OL7_standard_profile

    Update OL standard profiles

commit 7198b5d
Merge: bf08c21 e15f529
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon Feb 8 19:00:55 2021 +0100

    Merge pull request ComplianceAsCode#6605 from freddieRv/OL_pci-dss_profiles_update

    Update OL pci-dss profiles

commit bf08c21
Merge: ec68028 a050df5
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon Feb 8 18:59:25 2021 +0100

    Merge pull request ComplianceAsCode#6599 from guangyee/upstream_sles12_stigs_98e1391ac

    Enable checks and remediations for the following SLES-12 STIGs:

commit ec68028
Merge: e98c730 6804cdf
Author: vojtapolasek <vpolasek@redhat.com>
Date: Mon Feb 8 13:35:31 2021 +0100

    Merge pull request ComplianceAsCode#6589 from yuumasato/trim_anssi_kickstarts

    Better align ANSSI kickstarts to their hardening levels

commit 6804cdf
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 14:08:15 2021 +0100

    Align ANSSI Kickstarts with high level

commit 745ec9b
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 14:03:09 2021 +0100

    Align ANSSI kickstarts with enhanced level

    - Keep restricting IPv6
    - Audit enabled during boot
    - No requirement to enforce use of SELinux

commit 3884ae5
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 09:53:20 2021 +0100

    Align ANSSI kickstarts with intermediary level

    - Simplify boot command
    - No requirement to enforce use of SELinux

commit fad3761
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 09:41:26 2021 +0100

    Remove extra configurations from ANSSI minimal ks

    - No need to restrict IPv6
    - Root login is not restricted
    - Simplify boot command
    - Simplify partitioning
    - No requirement to enforce use of SELinux

commit e98c730
Merge: 17a7303 c4b11df
Author: vojtapolasek <vpolasek@redhat.com>
Date: Mon Feb 8 08:49:40 2021 +0100

    Merge pull request ComplianceAsCode#6592 from yuumasato/update_ANSSI_profile_descriptions

    Update ANSSI profile descriptions

commit e15f529
Author: Federico Ramirez <federico.r.ramirez@oracle.com>
Date: Fri Feb 5 17:11:35 2021 -0600

    Update OL pci-dss profiles

    Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

commit 09695bb
Author: Federico Ramirez <federico.r.ramirez@oracle.com>
Date: Mon Jan 25 11:37:44 2021 -0600

    Update OL standard profiles

    Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

commit c4b11df
Author: Watson Sato <wsato@redhat.com>
Date: Fri Feb 5 16:05:07 2021 +0100

    Fix single quote in ANSSI name

    Previously the description was enclosed in single quotes, requiring a single quote to be escaped. Now the description is not enclosed in single quotes and there is no need to escape it.

commit c111061
Author: Watson Sato <wsato@redhat.com>
Date: Fri Feb 5 11:11:57 2021 +0100

    Fix ANSSI document number for consistency

commit 17a7303
Merge: ad918de afa3b34
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri Feb 5 10:58:28 2021 +0100

    Merge pull request ComplianceAsCode#6600 from mildas/extend_var_partition

    Extend /var partition to 3GB in rhel8 kickstarts

commit a050df5
Author: Guang Yee <guang.yee@suse.com>
Date: Wed Feb 3 16:17:14 2021 -0800

    Enable checks and remediations for the following SLES-12 STIGs:

    - SLES-12-010890 'file_permissions_var_log_messages'
    - SLES-12-010910 'pam_disable_automatic_configuration'
    - SLES-12-020020 'auditd_audispd_configure_sufficiently_large_partition'
    - SLES-12-020100 'auditd_audispd_network_failure_action'
    - SLES-12-020110 'auditd_audispd_disk_full_action'
    - SLES-12-020120 'permissions_local_var_log_audit'
    - SLES-12-020130 'permissions_local_audit_binaries'
    - SLES-12-020199 'audit_rules_enable_syscall_auditing'
    - SLES-12-020200 'audit_rules_usergroup_modification_passwd'
    - SLES-12-020210 'audit_rules_usergroup_modification_group'
    - SLES-12-020220 'audit_rules_usergroup_modification_shadow'
    - SLES-12-020230 'audit_rules_usergroup_modification_opasswd'
    - SLES-12-020250 'audit_rules_privileged_commands_su'
    - SLES-12-020260 'audit_rules_privileged_commands_sudo'
    - SLES-12-020290 'audit_rules_privileged_commands_mount'
    - SLES-12-020300 'audit_rules_privileged_commands_umount'
    - SLES-12-020370 'audit_rules_dac_modification_setxattr'
    - SLES-12-020380 'audit_rules_dac_modification_fsetxattr'
    - SLES-12-020390 'audit_rules_dac_modification_removexattr'
    - SLES-12-020400 'audit_rules_dac_modification_lremovexattr'
    - SLES-12-020410 'audit_rules_dac_modification_fremovexattr'
    - SLES-12-020430 'audit_rules_dac_modification_fchown'
    - SLES-12-020440 'audit_rules_dac_modification_lchown'
    - SLES-12-020450 'audit_rules_dac_modification_fchownat'
    - SLES-12-020460 'audit_rules_dac_modification_chown'
    - SLES-12-020470 'audit_rules_dac_modification_fchmod'
    - SLES-12-020480 'audit_rules_dac_modification_fchmodat'
    - SLES-12-020490 'audit_rules_unsuccessful_file_modification_open'
    - SLES-12-020710 'audit_rules_privileged_commands_crontab'
    - SLES-12-020720 'audit_rules_privileged_commands_pam_timestamp_check'
    - SLES-12-020730 'audit_rules_kernel_module_loading_delete'
    - SLES-12-020740 'audit_rules_kernel_module_loading_finit'
    - SLES-12-020750 'audit_rules_kernel_module_loading_init'
    - SLES-12-030300 'chronyd_or_ntpd_set_maxpoll'

    Corrections:

    - The STIG ID for audit_rules_dac_modification_chmod was incorrect. It should've been SLES-12-020460 instead of SLES-12-020600.
    - The STIG ID for sshd_do_not_permit_user_env was incorrect. It should've been SLES-12-030151 instead of SLES-12-030150.

commit ad918de
Merge: 3bd0d73 19679d1
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Thu Feb 4 19:05:08 2021 +0100

    Merge pull request ComplianceAsCode#6601 from msmeissn/master

    adjust the OVAL data urls for SLE12 and SLE15 to current locations

commit 3bd0d73
Merge: 07a9286 c103175
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Thu Feb 4 18:12:12 2021 +0100

    Merge pull request ComplianceAsCode#6602 from vojtapolasek/fix_release_tool_syntax_error

    fix syntax error in release tooling and typos

commit 07a9286
Merge: 10e3a82 9f7dd37
Author: Carlos Matos <cmatos@redhat.com>
Date: Thu Feb 4 10:39:20 2021 -0500

    Merge pull request ComplianceAsCode#6603 from ComplianceAsCode/all-contributors/add-carlosmmatos

    docs: add carlosmmatos as a contributor

commit 9f7dd37
Author: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
Date: Thu Feb 4 15:38:32 2021 +0000

    docs: update .all-contributorsrc [skip ci]

commit e6db620
Author: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
Date: Thu Feb 4 15:38:31 2021 +0000

    docs: update README.md [skip ci]

commit c103175
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu Feb 4 15:49:06 2021 +0100

    fix typos

commit 09871d6
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu Feb 4 15:40:06 2021 +0100

    fix wrong list declaration

commit 19679d1
Author: Marcus Meissner <meissner@suse.de>
Date: Thu Feb 4 13:47:13 2021 +0100

    adjust the OVAL data urls for SLE12 and SLE15 to current locations

commit 10e3a82
Merge: ee010d6 89b46f4
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Thu Feb 4 13:36:05 2021 +0200

    Merge pull request ComplianceAsCode#6587 from shaneboulden/e8-ocp-revisions

    E8 ocp revisions

commit afa3b34
Author: Milan Lysonek <mlysonek@redhat.com>
Date: Thu Feb 4 09:43:51 2021 +0100

    Extend /var partition to 3GB in rhel8 kickstarts

commit 89b46f4
Author: shaneboulden <shane.boulden@gmail.com>
Date: Thu Feb 4 08:33:31 2021 +1000

    Update ASD crypto guidelines refs

commit ee010d6
Merge: 7a1973e 1a00cfa
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Feb 3 16:07:05 2021 +0200

    Merge pull request ComplianceAsCode#6594 from jhrozek/cis_1_2_21

    CIS 1.2.21: Ensure that the metrics are protected by RBAC

commit 7a1973e
Merge: 7eb1801 10effa8
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Feb 3 16:03:06 2021 +0200

    Merge pull request ComplianceAsCode#6595 from jhrozek/misc

    ocp: Add missing reference to idp_is_configured

commit 7eb1801
Merge: 47855cd 12267da
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed Feb 3 14:15:19 2021 +0100

    Merge pull request ComplianceAsCode#6593 from vojtapolasek/bump_version_0.1.55

    Bump version to 0.1.55

commit 10effa8
Author: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed Feb 3 14:09:49 2021 +0100

    ocp: Add missing reference to idp_is_configured

    This was tripping up the stats script

commit 1a00cfa
Author: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed Feb 3 13:44:21 2021 +0100

    CIS 1.2.21: Ensure that the metrics are protected by RBAC

    Vanilla CIS k8s benchmark prescribes that profiling should be disabled. In OCP however, profiling is on by default and used by Prometheus. So instead of making sure profiling is disabled, let's make sure it is explicitly protected by RBAC by checking the cluster-debugger role for including the /metrics endpoint

    The previous rule is unused now and was removed.

commit 12267da
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Feb 3 13:15:41 2021 +0100

    Bump version to 0.1.55

commit 5ea9fe7
Author: Watson Sato <wsato@redhat.com>
Date: Wed Feb 3 12:23:14 2021 +0100

    Add missing hyphen in ANSSI profiles descriptions

commit 47855cd
Merge: a0e8e7b 4d67a36
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Wed Feb 3 12:04:54 2021 +0100

    Merge pull request ComplianceAsCode#6553 from yuumasato/ANSSI_R29-user_session_timeout

    Add variable selector and notes for ANSSI R29

commit 48845db
Author: Watson Sato <wsato@redhat.com>
Date: Wed Feb 3 09:21:47 2021 +0100

    Update title and descriptions of ANSSI profiles

commit a0e8e7b
Merge: 30a1fed 6f4af96
Author: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed Feb 3 10:35:05 2021 +0100

    Merge pull request ComplianceAsCode#6590 from JAORMX/encryption-links

    ocp4: Add link to documentation for etcd encryption

commit 30a1fed
Merge: 8f3b6c7 3361969
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed Feb 3 10:31:26 2021 +0100

    Merge pull request ComplianceAsCode#6591 from vojtapolasek/contributors_0.1.54

    update list of contributors for 0.1.54

commit e3dd773
Author: Watson Sato <wsato@redhat.com>
Date: Wed Feb 3 09:17:15 2021 +0100

    Remove extends key from ANSSI intermediary profile

    This is not necessary as the ANSSI controls file handles this.

commit 3361969
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Feb 3 09:06:32 2021 +0100

    update list of contributors for 0.1.54

commit 6f4af96
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed Feb 3 09:35:10 2021 +0200

    ocp4: Add link to documentation for etcd encryption

    This will make it easier for users to follow the guide.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 8f3b6c7
Merge: 40207fe bbc64ba
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Feb 3 08:59:38 2021 +0200

    Merge pull request ComplianceAsCode#6584 from ggbecker/improve-yamlfile-value

    Improve yamlfile_value template

commit 40207fe
Merge: f80d794 0031534
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Feb 3 08:53:14 2021 +0200

    Merge pull request ComplianceAsCode#6588 from JAORMX/cis-3.2

    ocp4/CIS: Address 3.2

commit f80d794
Merge: 3263ba5 a0a96b4
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Tue Feb 2 15:42:58 2021 +0200

    Merge pull request ComplianceAsCode#6585 from mrogers950/cis_1235

    CIS 1.2.35: Add check for api_server_tls_cipher_suites

commit bbc64ba
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Mon Feb 1 19:48:57 2021 +0100

    Improve yamlfile_value template.

    Remove option to use multiple value when using xccdf_variable option which retrieves a not embedded value. Also improves error handling of input data.

commit 3263ba5
Merge: 4dd8e76 77eeafd
Author: vojtapolasek <vpolasek@redhat.com>
Date: Tue Feb 2 10:50:11 2021 +0100

    Merge pull request ComplianceAsCode#6586 from yuumasato/drop_fix_kernel_disable_modules

    Drop remediation for sysctl_kernel_modules_disabled

commit 0031534
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue Feb 2 10:57:37 2021 +0200

    ocp4/CIS: Address 3.2

    This addresses 3.2.1 and 3.2.2 with a single rule that checks that desired audit profile is set in the cluster.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 77eeafd
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 09:23:17 2021 +0100

    Add warning why rule has no remediation

    Rule sysctl_kernel_modules_disabled disrupts the install and boot process if remediated during installation.

commit 54d91b9
Author: shaneboulden <shane.boulden@gmail.com>
Date: Tue Feb 2 11:38:29 2021 +1000

    Use NOSHA1 crypto policy for e8/rhcos

commit a0a96b4
Author: Matt Rogers <mrogers@redhat.com>
Date: Mon Feb 1 18:35:06 2021 -0500

    CIS 1.2.35: Add check for api_server_tls_cipher_suites

    If the configured cipher suite contains cipher entries outside of the set defined in the regex, that counts as a fail. This ensures the api server only uses the modern ciphers, or a subset of, and no extras. The set is as defined for CIS 1.6.0 benchmark and matches the OCP 4.6 default (default result PASS).

commit 940a8c1
Author: shaneboulden <shane.boulden@gmail.com>
Date: Fri Jan 22 15:53:32 2021 +1000

    Add additional RBAC/SCC controls to OCP e8 profile

commit 495afe3
Author: shaneboulden <shane.boulden@gmail.com>
Date: Fri Jan 22 15:52:43 2021 +1000

    Remove unnecessary rules from RHCOS e8 profile

commit 01b1ade
Author: Watson Sato <wsato@redhat.com>
Date: Tue Feb 2 01:02:48 2021 +0100

    Drop remediation for sysctl_kernel_modules_disabled

    Remediating this during kickstart install time renders the machine unbootable.

commit 4dd8e76
Merge: 0af12ba 279a1dc
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue Feb 2 00:58:35 2021 +0100

    Merge pull request ComplianceAsCode#6576 from ggbecker/bump-stig-version

    Bump RHEL7 STIG version to v3r2.

commit 0af12ba
Merge: b4bf0a1 27ca7ab
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue Feb 2 00:57:13 2021 +0100

    Merge pull request ComplianceAsCode#6582 from guangyee/update_sle12_xccdf_manual

    Update SLES12 STIG to version v2r2

commit b4bf0a1
Merge: 543a04f 0e28027
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue Feb 2 00:55:46 2021 +0100

    Merge pull request ComplianceAsCode#6561 from guangyee/upstream_sles12_stigs_8fd0b8918

    Enable checks and remediations for the following SLES-12 STIGs:

commit 543a04f
Merge: 50a68ab 4a1dd85
Author: Matt Rogers <mrogers@redhat.com>
Date: Mon Feb 1 09:23:01 2021 -0500

    Merge pull request ComplianceAsCode#6583 from JAORMX/ocp4-cis-1.3.1

    ocp4/CIS: Complete 1.3.1

commit 50a68ab
Merge: 88c5d98 b79c0bc
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Mon Feb 1 16:13:17 2021 +0200

    Merge pull request ComplianceAsCode#6572 from mrogers950/cis_1226_fixup

    CIS: Update api_server_request_timeout description and check

commit 4a1dd85
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon Feb 1 11:29:02 2021 +0200

    ocp4/CIS: Complete 1.3.1

    This adds the rest of the eviction threshold parameters that are needed to fulfil 1.3.1.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 88c5d98
Merge: 7137a4d be396cf
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Mon Feb 1 12:51:51 2021 +0200

    Merge pull request ComplianceAsCode#6547 from JAORMX/ocp4-set-idp

    OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured

commit 7137a4d
Merge: 2948446 63fc695
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon Feb 1 10:46:06 2021 +0100

    Merge pull request ComplianceAsCode#6581 from vojtapolasek/fix_audit_rules_privileged_commands_ansible_bogus_messages

    fix bogus messages and failing ansible remediations

commit 63fc695
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon Feb 1 09:33:29 2021 +0100

    fix find command in test

commit ddbccc6
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon Feb 1 09:33:11 2021 +0100

    fix find command in remediations

commit 261330d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon Feb 1 08:36:50 2021 +0100

    remove debug task

commit 27ca7ab
Author: guangyee <gyee@suse.com>
Date: Fri Jan 29 20:27:46 2021 +0100

    Update SLES12 STIG to version v2r2

commit 274e50c
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri Jan 29 17:16:39 2021 +0100

    change ansible remediation back to shell command

    previous implementation was causing dead ansible workers

commit 4b50ad4
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri Jan 29 16:04:11 2021 +0100

    remove bogus output of ansible remediation for dir_perms_world_writable_root_owned

commit 2948446
Merge: 1803988 22a6571
Author: Milan Lysonek <milan.lysonek@gmail.com>
Date: Fri Jan 29 16:14:56 2021 +0100

    Merge pull request ComplianceAsCode#6580 from yuumasato/comment_anssi_enhanced_r13

    Remove rule for /boot noauto from R13

commit 22a6571
Author: Watson Sato <wsato@redhat.com>
Date: Fri Jan 29 14:59:54 2021 +0100

    Remove rule for /boot noauto from R13

    Disable the rule until mount options for /boot can be checked without the need for the partition to be mounted.

commit 0e28027
Author: Guang Yee <guang.yee@suse.com>
Date: Fri Jan 22 12:20:03 2021 -0800

    Enable checks and remediations for the following SLES-12 STIGs:

    - SLES-12-010510 'aide_scan_notification'
    - SLES-12-010700 'file_permissions_ungroupowned'
    - SLES-12-010710 'accounts_user_interactive_home_directory_defined'
    - SLES-12-010730 'accounts_user_interactive_home_directory_exists'
    - SLES-12-010740 'file_permissions_home_directories'
    - SLES-12-010750 'file_groupownership_home_directories'
    - SLES-12-010760 'file_permission_user_init_files'
    - SLES-12-010770 'accounts_user_home_paths_only'
    - SLES-12-010780 'accounts_user_dot_no_world_writable_programs'
    - SLES-12-010790 'mount_option_home_nosuid'
    - SLES-12-010800 'mount_option_nosuid_removable_partitions'
    - SLES-12-010810 'mount_option_nosuid_remote_filesystems'
    - SLES-12-010820 'mount_option_noexec_remote_filesystems'
    - SLES-12-010830 'dir_perms_world_writable_system_owned_group'
    - SLES-12-010840 'service_kdump_disabled'
    - SLES-12-010880 'run_chkstat'
    - SLES-12-020500 'audit_rules_unsuccessful_file_modification_truncate'
    - SLES-12-020510 'audit_rules_unsuccessful_file_modification_ftruncate'
    - SLES-12-020520 'audit_rules_unsuccessful_file_modification_creat'
    - SLES-12-020530 'audit_rules_unsuccessful_file_modification_openat'
    - SLES-12-020540 'audit_rules_unsuccessful_file_modification_open_by_handle_at'
    - SLES-12-020590 'audit_rules_usergroup_modification_gshadow'
    - SLES-12-020600 'audit_rules_dac_modification_chmod'
    - SLES-12-020650 'audit_rules_login_events_tallylog'
    - SLES-12-020660 'audit_rules_login_events_lastlog'
    - SLES-12-020680 'audit_rules_privileged_commands_unix_chkpwd'
    - SLES-12-020690 'audit_rules_privileged_commands_chage'
    - SLES-12-030030 'kernel_module_dccp_disabled'
    - SLES-12-030140 'sshd_disable_root_login'
    - SLES-12-030180 'sshd_use_approved_macs'
    - SLES-12-030380 'sysctl_net_ipv4_icmp_echo_ignore_broadcasts'
    - SLES-12-030390 'sysctl_net_ipv4_conf_all_accept_redirects'
    - SLES-12-030400 'sysctl_net_ipv4_conf_default_accept_redirects'
    - SLES-12-030401 'sysctl_net_ipv6_conf_default_accept_source_route'
    - SLES-12-030420 'sysctl_net_ipv4_conf_all_send_redirects'
    - SLES-12-030430 'sysctl_net_ipv4_ip_forward'

    Corrections:

    - Rule 'sysctl_net_ipv4_conf_default_send_redirects' was originally submitted with an incorrect SLES12 STIG ID. The correct SLES12 STIG ID should be 'SLES-12-030410'.

commit 1803988
Merge: 62891d9 42d2c2c
Author: vojtapolasek <vpolasek@redhat.com>
Date: Thu Jan 28 16:40:28 2021 +0100

    Merge pull request ComplianceAsCode#6577 from yuumasato/add_anssi_kickstarts

    Added kickstarts for each ANSSI hardening level

commit 42d2c2c
Author: Watson Sato <wsato@redhat.com>
Date: Thu Jan 28 14:32:59 2021 +0100

    Add kickstarts for each ANSSI hardening level

commit be396cf
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue Jan 19 13:55:21 2021 +0200

    OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured

    This introduces a rule that makes sure that an IdP has been configured. Given that it's non-trivial to create an IdP in CI, I took into use the library that does that for OpenShift's Cluster Authentication Operator CI. So.... this remediation is done in go-code, as opposed to the regular format we've been using.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 62891d9
Merge: 3ada19b 3e0f62b
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Thu Jan 28 11:53:16 2021 +0100

    Merge pull request ComplianceAsCode#6575 from vojtapolasek/remove_noauto_from_anssi_kickstart

    remove "noauto" option from boot partition in anssi kickstarts

commit 279a1dc
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Jan 28 11:01:47 2021 +0100

    Bump RHEL7 STIG version to v3r2.

    Replace all related artifacts with new version of them.

commit 3e0f62b
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu Jan 28 10:46:47 2021 +0100

    remove "noauto" option from boot partition in anssi kickstarts

commit 3ada19b
Merge: 84a43a3 a53b519
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Thu Jan 28 10:02:04 2021 +0100

    Merge pull request ComplianceAsCode#6574 from vojtapolasek/fix_world_writable_dirs_root_owned_ansible

    fix ansible remediation of dir_perms_world_writable_root_owned

commit 84a43a3
Merge: 31d5f9a a82e4e5
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Thu Jan 28 09:41:47 2021 +0100

    Merge pull request ComplianceAsCode#6227 from vojtapolasek/fix_audit_privileged_commands_remediations_filesystems

    fix remediation of audit_rules_privileged_commands

commit a82e4e5
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu Jan 28 09:07:40 2021 +0100

    make remediation also check for sgids

commit a53b519
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Jan 27 19:28:57 2021 +0100

    add test for nonlocal filesystem

commit 819cf9d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Jan 27 19:28:25 2021 +0100

    fix remediation

commit 31d5f9a
Merge: 97dafc0 5e92066
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed Jan 27 18:05:19 2021 +0100

    Merge pull request ComplianceAsCode#6573 from mildas/unselect_sudo_noexec

    Extend list of rules of unselected rules for testing

commit 3932c3e
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Jan 27 17:25:43 2021 +0100

    rewrite ansible remediation

commit 5e92066
Author: Milan Lysonek <mlysonek@redhat.com>
Date: Wed Jan 27 17:23:09 2021 +0100

    Add sudo_add_noexec rule to list of rules that should be unselected for testing

commit b79c0bc
Author: Matt Rogers <mrogers@redhat.com>
Date: Wed Jan 27 10:59:33 2021 -0500

    CIS: Update api_server_request_timeout description and check

commit 97dafc0
Merge: 658cba5 808df8e
Author: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed Jan 27 13:57:32 2021 +0100

    Merge pull request ComplianceAsCode#6570 from vojtapolasek/remove_noauto_from_test_ks

    Remove noauto for boot partition from test kickstart and ANSSI profiles

commit 658cba5
Merge: 9194519 e5c671d
Author: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed Jan 27 13:15:55 2021 +0100

    Merge pull request ComplianceAsCode#6569 from JAORMX/ocp4-e2e-t

    ocp4/e2e: Link test failure with sub-tests

commit 9d5b30d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Jan 27 12:22:10 2021 +0100

    update bash remediation and test script to include sshfs

commit ffcc05d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Oct 14 11:41:21 2020 +0200

    ignore remote file systems when remediating audit_rules_privileged_commands

    update remediations and test

commit 808df8e
Author: Watson Sato <wsato@redhat.com>
Date: Wed Jan 27 11:04:30 2021 +0100

    Unselect rule mount_option_boot_noauto in ANSSI

    The rules that check /boot mount options need to be updated to handle cases where the /boot partition is not mounted because of noauto option.

commit 9194519
Merge: 23831fa 5acc0bf
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Jan 27 11:32:16 2021 +0200

    Merge pull request ComplianceAsCode#6559 from ggbecker/fix-typos-2

    Fix some typos.

commit 23831fa
Merge: 389d33a 8757c19
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Jan 27 10:57:28 2021 +0200

    Merge pull request ComplianceAsCode#6563 from ggbecker/yamlfile_value_variable_support

    Add variable support to yamlfile_value template

commit a450b0d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed Jan 27 09:09:40 2021 +0100

    remove noauto for boot partition from test kickstart

commit 389d33a
Merge: a215c82 6ef0dd8
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date: Wed Jan 27 09:23:31 2021 +0200

    Merge pull request ComplianceAsCode#6565 from mrogers950/cis_1234

    CIS 1.2.34: update api_server_encryption_provider_cipher

commit e5c671d
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed Jan 27 09:15:20 2021 +0200

    ocp4/e2e: Link test failure with sub-tests

    Currently, there is a "context" object which contains a lot of the information the tests need to run. This used to include the test framework helper instance which one would normally use to output logs or mark the test as failed. Unfortunately, this only took into account the main test helper instance, and so it wasn't entirely clear in what part of the test did the failure happen. This removes this limitation by passing in the helper instance along with every function that requires it. This way, we can pass the sub-test metadata, which will show on what sub-test did the failure happen. Note that this PR also increases the manual remediation timeout... MachineConfigs take a long time to apply unfortunately...

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 8757c19
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Jan 21 16:21:15 2021 +0100

    Update template data for kubelet_eviction_thresholds_set_soft_memory_available.

commit 57c3a7e
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Jan 21 15:11:24 2021 +0100

    Use yamlfile_value template for api_server_request_timeout.

commit 2695955
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Thu Jan 21 12:22:17 2021 +0100

    Add variable support for yamlfile_value.

commit 423100d
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date:   Tue Jan 19 10:41:28 2021 +0200

    ocp4/CIS 1.3.1: Add rules for eviction thresholds

    This adds the necessary rules to check for the kubelet eviction threshold values.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit a215c82
Merge: 575cd6e db4629e
Author: Juan Osorio Robles <jaosorior@redhat.com>
Date:   Tue Jan 26 18:58:11 2021 +0200

    Merge pull request ComplianceAsCode#6566 from JAORMX/hugetlbfs

    ocp4: openvswitch's conf.db and lock are now owned by a different group

commit db4629e
Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date:   Tue Jan 26 12:22:11 2021 +0200

    ocp4: openvswitch's conf.db and lock are now owned by a different group

    This updates the appropriate rules to reflect a recent change in openvswitch that changes the group ownership of the aforementioned files. This was hitting CI.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

commit 6ef0dd8
Author: Matt Rogers <mrogers@redhat.com>
Date:   Mon Jan 25 16:22:35 2021 -0500

    CIS 1.2.34: update api_server_encryption_provider_cipher

commit 575cd6e
Merge: 60fae23 67f33ad
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Mon Jan 25 19:20:44 2021 +0100

    Merge pull request ComplianceAsCode#6564 from ggbecker/fix-cce-rhel7-mac

    Reassign a new unique CCE identifier to approved macs STIG rule.

commit 67f33ad
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Mon Jan 25 18:28:26 2021 +0100

    Reassign a new unique CCE identifier to approved macs STIG rule.

commit 60fae23
Merge: e03e8f7 e5c379a
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Mon Jan 25 17:58:24 2021 +0100

    Merge pull request ComplianceAsCode#6546 from vojtapolasek/sshd_use_approved_macs_stig

    add rhel7 stig specific rule for sshd approved macs

commit e03e8f7
Merge: 972fd6d b40f5b6
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Mon Jan 25 17:52:20 2021 +0100

    Merge pull request ComplianceAsCode#6541 from vojtapolasek/sshd_approved_ciphers_ordered

    add rhel7 stig specific rule for ssh ciphers

commit 972fd6d
Merge: ebba138 ebe52e2
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Mon Jan 25 17:48:01 2021 +0100

    Merge pull request ComplianceAsCode#6538 from freddieRv/OL7_DISA_STIG_v2r1_update

    OL7 DISA STIG v2r1 update

commit ebba138
Merge: 6a2b3e9 c1a4898
Author: Watson Yuuma Sato <wsato@redhat.com>
Date:   Mon Jan 25 14:00:04 2021 +0100

    Merge pull request ComplianceAsCode#6558 from vojtapolasek/fix_world_writable_dirs_root_ansible

    fix remediations of dir_perms_world_writable_root_owned

commit c1a4898
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 25 11:12:28 2021 +0100

    fix ansible incompatibilities

commit 6b6ccc8
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 25 09:16:01 2021 +0100

    small fixes to ansible

commit 6a2b3e9
Merge: df46737 27f5145
Author: Matěj Týč <matyc@redhat.com>
Date:   Fri Jan 22 16:30:08 2021 +0100

    Merge pull request ComplianceAsCode#6557 from matusmarhefka/add_cap_audit_write

    Add cap_audit_write to be able to run sshd in containers

commit 5acc0bf
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Fri Jan 22 16:20:08 2021 +0100

    Fix some typos.

commit df46737
Merge: 38f983f 5781b9d
Author: Matěj Týč <matyc@redhat.com>
Date:   Fri Jan 22 16:02:26 2021 +0100

    Merge pull request ComplianceAsCode#6555 from mildas/update_test_ks

    Update testing kickstart file partitions

commit 106b3a1
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Fri Jan 22 14:41:26 2021 +0100

    add fuse.sshfs to excluded file systems

commit 91739bb
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Fri Jan 22 14:28:46 2021 +0100

    rename tests

commit 8cdc285
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Fri Jan 22 14:28:14 2021 +0100

    rewrite ansible remediation

commit 27f5145
Author: Matus Marhefka <mmarhefk@redhat.com>
Date:   Fri Jan 22 14:50:44 2021 +0100

    Add cap_audit_write to be able to run sshd in containers

    Podman drops `cap_audit_write` which causes that it is not possible to run sshd by default. Therefore, we need to add the capability. For more details see: containers/podman#3651

commit 38f983f
Merge: 7d743f4 6d94bda
Author: Milan Lysonek <milan.lysonek@gmail.com>
Date:   Fri Jan 22 13:29:59 2021 +0100

    Merge pull request ComplianceAsCode#6556 from yuumasato/drop_sudo_group_remediation

    Drop remediation for sudo_dedicated_group

commit 6d94bda
Author: Watson Sato <wsato@redhat.com>
Date:   Fri Jan 22 11:26:06 2021 +0100

    Drop remediation for sudo_dedicated_group

    This rule combined with no root login can render a machine unadministrable. This rule requires administrative configurations before being remediated, like adding admin accounts and adding them to the sudogrp.

commit 7d743f4
Merge: aa9a7ac 1ff8a08
Author: vojtapolasek <vpolasek@redhat.com>
Date:   Fri Jan 22 09:03:20 2021 +0100

    Merge pull request ComplianceAsCode#6554 from yuumasato/fix_when_clause_issue_sudo_defaults_option

    Fix 'when' clause issue in sudo_defaults_option when using older Ansible

commit 5781b9d
Author: Milan Lysonek <mlysonek@redhat.com>
Date:   Fri Jan 22 09:03:15 2021 +0100

    Update testing kickstart file partitions to be aligned with ANSSI profiles

commit ebe52e2
Author: Federico Ramirez <federico.r.ramirez@oracle.com>
Date:   Wed Jan 20 14:59:10 2021 -0600

    Add missing rules to OL7 stig profile

    Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

commit 6668260
Author: Federico Ramirez <federico.r.ramirez@oracle.com>
Date:   Fri Jan 15 09:49:45 2021 -0600

    Update OL7 stig overlay to match v2r1

    Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

commit 47656aa
Author: Federico Ramirez <federico.r.ramirez@oracle.com>
Date:   Fri Jan 15 09:49:13 2021 -0600

    OL7 DISA STIG v2r1 update

    Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

commit aa9a7ac
Merge: e7476fe 76aede9
Author: Matěj Týč <matyc@redhat.com>
Date:   Thu Jan 21 19:06:07 2021 +0100

    Merge pull request ComplianceAsCode#6540 from yuumasato/ANSSI_R37-Executable-with-setuid-and-setgid-bits

    Select rules for ANSSI R37

commit 1ff8a08
Author: Watson Sato <wsato@redhat.com>
Date:   Thu Jan 21 18:39:15 2021 +0100

    Check if Ansible variable is defined before use

commit ca2a9f8
Author: Watson Sato <wsato@redhat.com>
Date:   Thu Jan 21 18:27:23 2021 +0100

    Fix syntax issue in when clause

    Previous clause ran into issues with Ansible 2.9

commit e5c379a
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Thu Jan 21 13:05:18 2021 +0100

    one more small fix to oval regex

commit b40f5b6
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Thu Jan 21 12:34:56 2021 +0100

    simplify oval and bash remediation

commit e3973f4
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Thu Jan 21 11:55:19 2021 +0100

    make bash remediation more readable

commit 9c24aaa
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Thu Jan 21 11:43:16 2021 +0100

    simplify regex

commit 4d67a36
Author: Watson Sato <wsato@redhat.com>
Date:   Thu Jan 21 11:04:05 2021 +0100

    Add variable selector and notes for R29

commit 76aede9
Author: Watson Sato <wsato@redhat.com>
Date:   Wed Oct 28 18:52:13 2020 +0100

    Select rules for ANSSI R37

    These rules are better fit for R37 than R38. R37 is about binaries designed to be used with setuid or setgid bits. R38 is about reducing number of binaries with setuid root.

commit df71fc7
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 12:33:10 2021 +0100

    remove rhel7 stigid from sshd_use_approved_macs

commit a334b4b
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 12:32:58 2021 +0100

    modify rhel7 stig profile

commit 18ea3b8
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 12:32:25 2021 +0100

    add tests

commit 5f8f980
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 12:32:07 2021 +0100

    add rule and remediations

commit d748577
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 11:05:21 2021 +0100

    fix and add tests

commit 081cb87
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 11:04:59 2021 +0100

    fix remediation

commit ab4604d
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Tue Jan 19 11:04:37 2021 +0100

    fix oval it was accepting empty list of ciphers

commit 76f6549
Author: vojtapolasek <krecoun@gmail.com>
Date:   Tue Jan 19 08:54:22 2021 +0100

    Update linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml

    Co-authored-by: Gabriel Becker <ggasparb@redhat.com>

commit 1b3f46f
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 15:43:06 2021 +0100

    change rule id

commit 7416341
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 14:52:38 2021 +0100

    remove stigid from old rule

commit 9bfb8ad
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 14:47:55 2021 +0100

    fix cce

commit 8adc263
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 14:35:23 2021 +0100

    change rule in rhel7 stig profile

commit 374f855
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 14:34:01 2021 +0100

    add tests

commit fd95afe
Author: Vojtech Polasek <vpolasek@redhat.com>
Date:   Mon Jan 18 14:33:45 2021 +0100

    add rule

marcusburghardt added the RHEL7 (Red Hat Enterprise Linux 7 product related) and STIG (STIG Benchmark related) labels on Jun 23, 2022
Description:
Rationale: