@Eric-Domeier Eric-Domeier commented Dec 16, 2025

Description:

  • Adds a DISA STIG Profile for Amazon Linux 2023 and attempts to make the results importable to STIG Viewer

Rationale:

Review Hints:

  • This builds off of @jesseborden's branch and attempts to get the --stig-viewer flag working properly.

  • products/al2023/overlays/srg_support.xml is just a copy-paste from products/rhel8/overlays/srg_support.xml with the name replaced; the content hasn't actually been checked yet.

  • I haven't verified the content in controls/stig_al2023.yml yet

  • Modifies applicability templates to ensure checks are applicable for al2023

To-do

  • There are 131 checks that are not remediated (still failing after running the fix scripts)

@openshift-ci openshift-ci bot added the needs-ok-to-test label Dec 16, 2025

openshift-ci bot commented Dec 16, 2025

Hi @Eric-Domeier. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Author

Needs further review, copy-pasted from RHEL8

Author

I tried to get this working for a bit but gave up and went with a VM. The AL2023 image is minimal and doesn't have all packages needed.

@Mab879 Mab879 added this to the 0.1.80 milestone Dec 16, 2025
@Mab879 Mab879 added the New Profile label Dec 16, 2025
@jan-cerny jan-cerny self-assigned this Dec 17, 2025
ssg_build_html_srgmap_tables(${PRODUCT})

ssg_build_html_stig_tables(${PRODUCT})
ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
Collaborator

Missing new line at the end of the file.


ssg_build_html_cce_table(${PRODUCT})

ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
Collaborator

AL2023 currently doesn't have ANSSI, CUI and PCI-DSS profiles.

all of these checks should pass.

selections:
- accounts_password_minlen_login_defs
Collaborator

Why do you introduce an almost empty profile?

Author

I was following along the creation docs - I will delete this if it's unnecessary.

https://complianceascode.readthedocs.io/en/latest/manual/developer/03_creating_content.html

documentation_complete: true

metadata:
version: 1.0.0
Collaborator

I assume the version should be V1R1

@github-actions

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.
