Releasing ComplianceAsCode / Content 0.1.54

Feb 04, 2021  -  Vojtěch Polášek

I am happy to announce that ComplianceAsCode / Content v0.1.54 has been released on February 3rd. This is the first version released in 2021 and it brings many interesting improvements for users as well as content developers.

It has also been quite a long time since a release has been accompanied by a blog post. We hope that we can change it for future releases. As you can read below, there are many things which deserve simply more than one line in release notes. So what has changed since 0.1.53?

Highlight of this release

This release introduces centralised policy definitions. This feature allows to use an alternative approach to profile definition. Until now, a profile has been defined as a linear list of rules. And if you wanted to have a similar profile (policy interpretation) for multiple products, you would have to keep separate profile files for each product.

Centralised policy definitions try to solve these problems by allowing higher abstraction when defining a profile. They allow defining a policy with multiple requirements, where each requirement can translate into multiple rules. We hope that this will streamline profile maintenance and reduce redundant content in the project.

This feature definitely deserves more space than two paragraphs, so expect a special blog post about it. If you are super curious, you can read the description of the pull request.

What’s new in the content?

One more word about policy definitions; it is not just a proof of concept, there already exists a set of profiles which is defined through this mean. The new release brings ANSSI BP-028 profiles for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. There are profiles for Minimal, Intermediary, Enhanced and High (Draft) hardening levels.

We were not only adding, but also removing and cleaning. This release no longer contains content for Red Hat Enterprise Linux 6 which entered its Extended Life Phase on November 30, 2020.

In OCP, most of the work we’ve been doing has been related to the unreleased OpenShift CIS benchmark. This benchmark is closely based from the Kubernetes CIS benchmark, but includes the knobs and handles that OpenShift exposes to configure and thus secure your cluster. There are two profiles available, but they’re meant to be run together. The profile called cis checks the Kubernetes API objects directly, and verifies that they contain the expected values. The cis-node profile is meant to run on the node itself and will do more low-level checks, such as file permissions, or contents on specific files on the node. They, together, encompass the whole benchmark.

What’s new for content developers?

The project documentation received a major upgrade. It has been successfully transformed from a set of markdown files into interactive sites hosted at readthedocs.org. This makes it much easier to read and update it. You can currently look at:

  • Developer guide

  • Release tools documentation

  • SSG Test Suite developer guide

  • Jinja2 macro reference

  • Python module reference

You can read more about this effort in the special blog post or head directly to the documentation.

The rule template for checking file permissions received an interesting update. Until now, it was possible to specify only the exact set of permissions to check for. If the file permissions were different, even stricter (and therefore more secure), the rule would be marked as “failed”. Now it is possible to say that more restrictive permissions are OK and the rule should “pass”. You can check the exact parameters here.

Our test suite received a nice update as well. You can now test your rules easier and faster thanks to two wrapper scripts which simplify usage of Podman backend. It is simple as this:

cd tests/
./build_test_container.sh
./test_rule_in_container.sh RULE_ID

To get more information about Podman and test suite, head here. If you are interested in details of this change, you can read the PR description.

The declaration syntax of CPE Items changed and each product’s CPE Dictionaries is built only with the necessary items. A lot of boilerplate code around CPE Items was removed and simplified to a yaml syntax.

The templating system has been simplified. Each template now has its separate folder and file names are understandable now. You can read more about templating here.

Summary

I think that this release is a great start for 2021. You can download the built content here. Alternatively, you can download the content built with OVAL version 5.10 here.

See you at the next release and happy hardening!