Update OL8 STIG profile to DISA STIG V2R8 #14738

Merged
Mab879 merged 4 commits into ComplianceAsCode:master from mrkanon:OL8-v2r8
May 29, 2026
@mrkanon mrkanon commented May 26, 2026

Contributor

Description:

Update the OL8 STIG profile to be compliant with DISA STIG V2R8

Rationale:

Be aligned with OL8 DISA STIG V2R8

mrkanon added 3 commits May 26, 2026 16:15
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
OL08-00-010180
OL08-00-010181

Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@mrkanon mrkanon added this to the 0.1.82 milestone May 26, 2026
@mrkanon mrkanon requested a review from a team as a code owner May 26, 2026 22:19
@mrkanon mrkanon added the Oracle Linux (Oracle Linux product related) and STIG (STIG Benchmark related) labels May 26, 2026
mrkanon commented May 27, 2026

Contributor Author

/retest

@Mab879 Mab879 self-assigned this May 28, 2026

@Mab879 Mab879 left a comment

Member

Please take a look at these findings.

  1. ensure_epel_repos_disabled is missing its STIG ID reference

The profile maps OL08-00-040010 to this rule (stig.profile:970-971), but ensure_epel_repos_disabled/rule.yml has no stigid@ol8. Without it, the OL8 data stream won't associate this rule with its V2R8 STIG ID.

  2. ensure_epel_repos_disabled is missing a severity override

The V2R8 reference XML assigns severity="high" to OL08-00-040010. The rule defaults to severity: medium. Other newly-added rules in this PR received overrides (e.g., package_crypto-policies_installed.severity=high); this one was missed.

  3. Stale stigid@ol8 on package_rsh-server_removed

OL08-00-040010 was reassigned in V2R8 from rsh-server removal to the EPEL check. The rule is no longer in the profile, and its stigid should be removed. The PR cleaned up four other removed rules but missed this one.

  4. Stale stigid@ol8 on sshd_use_approved_kex_ordered_stig

OL08-00-040342 does not exist in the V2R8 reference XML. The rule was correctly removed from the profile, but the stigid reference in rule.yml was not cleaned up.

This review was created in part with Claude Code.
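
The four findings in the review above all come from cross-checking three sources: the profile's STIG ID to rule mapping, each rule's `stigid@ol8` and default severity, and the reference XML. The following is an added example, not code from the PR or from ComplianceAsCode. It assumes the profile lists a `# <STIG ID>` comment above the rules it covers, and it stands in for rule.yml and the XML with constructed dictionaries.

```python
import re

# Constructed inputs. Rule names, STIG IDs and the "medium"/"high" values for
# OL08-00-040010 come from the review; the "unknown" severities are placeholders.
PROFILE = """\
selections:
    # OL08-00-040010
    - ensure_epel_repos_disabled
"""
RULES = {  # rule -> fields its rule.yml declares (hypothetical in-memory form)
    "ensure_epel_repos_disabled": {"stigid@ol8": None, "severity": "medium"},
    "package_rsh-server_removed": {"stigid@ol8": "OL08-00-040010", "severity": "unknown"},
    "sshd_use_approved_kex_ordered_stig": {"stigid@ol8": "OL08-00-040342", "severity": "unknown"},
}
REFERENCE = {"OL08-00-040010": "high"}  # STIG ID -> severity in the reference XML


def parse_profile(text):
    """Return ({(stig_id, rule)}, {rule: severity override}) from profile text."""
    pairs, overrides, current = set(), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"#\s*(OL08-\d{2}-\d{6})", line):
            current = m.group(1)  # comment naming the STIG ID for the rules below
        elif m := re.fullmatch(r"-\s*([\w-]+)\.severity=(\w+)", line):
            overrides[m.group(1)] = m.group(2)
        elif (m := re.fullmatch(r"-\s*([\w-]+)", line)) and current:
            pairs.add((current, m.group(1)))
    return pairs, overrides


def audit(profile_text, rules, reference):
    """List (rule, problem) tuples for the mismatches the review describes."""
    pairs, overrides = parse_profile(profile_text)
    findings = []
    for stig_id, rule in sorted(pairs):
        meta = rules[rule]
        if meta["stigid@ol8"] != stig_id:
            findings.append((rule, f"lacks stigid@ol8 {stig_id}"))
        effective = overrides.get(rule, meta["severity"])
        if reference.get(stig_id, effective) != effective:
            findings.append((rule, f"severity {effective}, reference {reference[stig_id]}"))
    for rule, meta in rules.items():
        sid = meta["stigid@ol8"]
        if sid and (sid, rule) not in pairs:
            why = "reassigned" if sid in reference else "absent from reference"
            findings.append((rule, f"stale stigid@ol8 {sid} ({why})"))
    return findings
```

Calling `audit(PROFILE, RULES, REFERENCE)` on the constructed inputs returns one entry per finding in the review, in the same order.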

Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
openshift-ci Bot commented May 28, 2026

@mrkanon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-platform-compliance | c827a59 | link | true | /test e2e-aws-openshift-platform-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Mab879 commented May 29, 2026

Member

Overriding CODEOWNERS as @mrkanon cannot approve his own PRs.

@Mab879 Mab879 merged commit c323192 into ComplianceAsCode:master May 29, 2026
66 of 69 checks passed